SAML 2.0 Single Sign-On - Update 1

The SAML 2.0 Single Sign-On - Update 1: security enhancements plugin improves integration security by requiring additional checks against the SAMLResponse URL parameter.

The integration explicitly checks the SAML response for the proper Identity Provider (IdP) and intended audience URLs.

Additional SAML response validations

With Update 1, the integration validates these elements in the SAMLResponse.
  • An Issuer element that matches the value listed in the issuer system property
  • The SubjectConfirmation and SubjectConfirmationData elements with a Recipient attribute
  • The AudienceRestriction and Audience elements that match the value listed in the audience system property

Support for Signed SingleLogoutRequest

With Update 1, the SAML 2.0 integration has the option to sign SingleLogoutRequest elements. Some IdPs, such as Microsoft ADFS, require a signed SingleLogoutRequest.

Support for AuthnContextClass

With Update 1, the SAML 2.0 integration has the option to specify the method by which the IdP authenticates the user in the AuthnContextClass element. For example, the integration can now specify contexts such as form-based Password Protected Transport or Kerberos. See (Optional) Enable Providing an Authentication Context Class for instructions on setting an authentication context class.

Properties

The SAML 2.0 Update 1 plugin includes the following system properties.
Table 1. Properties (each entry gives the property name, followed by its description)

glide.authenticate.sso.saml2.idp
  The Identity Provider URL which will issue the SAML2 security token with user info.
  Enter the value of the Issuer element that the integration uses to validate the IdP URL.

glide.authenticate.sso.saml2.require_signed_logoutrequest
  Sign LogoutRequest. Set this property to true if the Identity Provider's SingleLogoutRequest service requires a signed LogoutRequest.
  Select whether the IdP requires a signed logout request.

glide.authenticate.external.logout_redirect
  Enter the URL where the integration redirects users after they log out. Typically, you set this property to a UI page if you are using Kerberos authentication, to prevent users from being redirected back to the IdP and logging in again after a logout request.

glide.authenticate.sso.saml2.audience
  The audience URI that accepts the SAML2 token. (Normally, it is your instance URI. For example: https://<instance name>.service-now.com.)
  Enter the value of the Audience element that the integration uses to validate the SP URL in the SAMLResponse.

glide.authenticate.sso.saml2.createrequestedauthncontext
  Create an AuthnContextClass request in the AuthnRequest statement.
  Select whether to create an AuthnContextClass element in the SAMLRequest that specifies the login mechanism the IdP should use to authenticate the user. Not all IdPs support an AuthnContextClass element in the SAMLRequest. If you select Yes, you must specify the URN of the context class with the glide.authenticate.sso.saml2.authncontextclassref property.

glide.authenticate.sso.saml2.authncontextclassref
  The AuthnContextClassRef method that we will request in our SAML 2.0 AuthnRequest to the Identity Provider.
  Enter the URN of the login mechanism you want the IdP to use to authenticate users. For example, by default the system uses the forms-based Password Protected Transport authentication context urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.

glide.authenticate.sso.saml2.signing_key_alias
  The alias of the key entry stored in the SAML 2.0 SP Keystore used to sign SAML 2 requests.
  Enter the alias of the key that signs SAML 2 logout requests. You must create a Java Keystore that contains this key entry.

glide.authenticate.sso.saml2.signing_key_password
  The password of the key entry stored in the SAML 2.0 SP Keystore used to sign SAML 2 requests.
  Enter the password for the key that signs SAML 2 logout requests.

glide.authenticate.sso.saml2.clockskew
  The number of seconds before the "notBefore" constraint, or after the "notOnOrAfter" constraint, for which the response is still considered valid.
  Enter the clock-skew tolerance, in seconds, applied to the notBefore and notOnOrAfter attributes of the SAMLResponse. A valid SAMLResponse must fall between the notBefore and notOnOrAfter date-time values, widened on each side by this tolerance.

com.snc.integration.saml_esig.idp_authnrequest_url
  AuthnRequest URL for eSignature authentication.
  Enter the URL that points to the SAML 2.0 Identity Provider AuthnRequest Consumer for eSignature authentication. In most cases, this is the same as the AuthnRequest URL used for general authentication.
  Leave this setting blank if you intend to use the same AuthnRequest Consumer URL that is used for general SAML 2.0 authentication in your instance.

com.snc.integration.saml_esig.approval_consumer_url
  The SAML 2.0 Assertion Consumer URL for eSignature authentication.
  In most cases, this URL is https://YOURINSTANCE.service-now.com/consumer.do. However, if you employ a customized method of handling SAML authentication for eSignature, you can set up your own consumer URL.

com.snc.integration.saml_esig.assertion_consumer_service_index
  The SAML 2.0 Assertion Consumer Index for eSignature authentication.
  If your Service Provider has more than one URL set for the AssertionConsumerURL, you can set the index to use for eSignature, starting at index 1.

com.snc.integration.saml_esig.popup_dlg_width
  Authentication pop-up dialog width.
  When a user approves a request using eSignature, a dialog allows the user to enter their credentials. This setting controls the width of that dialog box.

com.snc.integration.saml_esig.popup_dlg_height
  Authentication pop-up dialog height.
  When a user approves a request using eSignature, a dialog allows the user to enter their credentials. This setting controls the height of that dialog box.

SAML 2.0 update 1 requirements

The SAML 2.0 update requires:
  • Activating the SAML 2.0 Update 1 plugin
  • Additional metadata from the SAML 2.0 Identity Provider (IdP)
    • SAML Request can include an AuthnContextClass element to specify the Service Provider's preferred login mechanism such as form-based authentication or Kerberos. If this element is not specified, the IdP chooses the login method.
    • SAML Response must include an Issuer element that matches the value listed in the issuer system property
    • SAML Response must include SubjectConfirmation and SubjectConfirmationData elements with a Recipient attribute
    • SAML Response must include AudienceRestriction and Audience elements that match the value listed in the audience system property
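As an added example (not code from this page or from the ServiceNow plugin), the following Python function applies the Update 1 response checks listed above together with the clockskew property from Table 1: Issuer, SubjectConfirmationData Recipient, Audience, and the notBefore/notOnOrAfter window widened by the configured skew. The sample assertion, the IdP and instance URLs and the function name are constructed for illustration; XML signature verification is assumed to happen before these checks and is not shown.

```python
import xml.etree.ElementTree as ET  # use defusedxml for real, untrusted responses
from datetime import datetime, timedelta

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion for illustration only (no real IdP, signature omitted).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example.com/adfs/services/trust</saml:Issuer>
  <saml:Subject>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData Recipient="https://myinstance.service-now.com/navpage.do"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://myinstance.service-now.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML xsd:dateTime such as 2024-01-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_assertion(xml_text, issuer, audience, recipient, now, clockskew=60):
    """Return the list of failed checks (empty list means the assertion passed).
    issuer, audience and clockskew mirror the glide.authenticate.sso.saml2.idp,
    .audience and .clockskew properties; signature checking is out of scope here."""
    root = ET.fromstring(xml_text)
    now = _ts(now) if isinstance(now, str) else now
    failures = []
    # 1. Issuer must equal the configured IdP value.
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        failures.append("issuer")
    # 2. SubjectConfirmationData must be present and carry the expected Recipient.
    scd = root.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None or scd.get("Recipient") != recipient:
        failures.append("recipient")
    # 3. Our audience must appear inside an AudienceRestriction.
    found = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience not in found:
        failures.append("audience")
    # 4. now must fall in [NotBefore - skew, NotOnOrAfter + skew).
    cond = root.find("saml:Conditions", NS)
    nb, noa = (cond.get("NotBefore"), cond.get("NotOnOrAfter")) if cond is not None else (None, None)
    skew = timedelta(seconds=clockskew)
    if not (nb and noa) or now < _ts(nb) - skew or now >= _ts(noa) + skew:
        failures.append("time")
    return failures
```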