Multiple provider single sign-on

The multiple provider single sign-on (multi-SSO) feature allows organizations to use several SSO identity providers (IdPs) to manage authentication as well as retain local database (basic) authentication.

The integration supports any combination of local and external authentication methods on a single instance:
  • SAML 2.0
  • Digest Authentication
  • LDAP
  • Local database authentication

For example, a globally dispersed corporation might require one SSO provider for their employees, a different one for their vendors, and local database authentication for their administrators. Alternatively, a company might implement SAML 2.0 and digest token authentication solutions on the same instance.

Changes to SAML 2.0 and digest token configuration

Multiple provider single sign-on allows administrators to configure SAML 2.0 Update 1 and digest token as authentication methods. Multiple provider single sign-on should be activated before you configure your SAML 2.0 Update 1 and digest token properties. After you activate multi-provider SSO, you must then set it up. After setting up multi-provider SSO, you can create or update the SAML 2.0 Update 1 and digest token configurations. You can use either or both authentication solutions with multi-provider SSO.

Note: The Integration - Multiple Provider Single Sign-On Installer plugin removes the SAML application from the navigator. The necessary SAML settings are migrated to the SAML2 Migrated table in the Multi-Provider SSO application. You can still modify items such as the X.509 certificate and IdP details through the Multi-Provider SSO application.

Use E-Signature with Multi-Provider SSO

When approval with e-signature is active, approving a request, like a change or a service catalog order, usually requires the approver to enter their credentials. After you configure multi-provider SSO, approvers enter their IdP login credentials instead.

When Multi-Provider SSO is enabled, make sure to configure the Identity Provider form and add the Assertion Consumer URL for eSignature authentication field. In most cases, this URL will be: https://YOURINSTANCE.service-now.com/consumer.do. However, if you employ a customized method of handling the SAML authentication for eSignature, you can set up your own consumer URL.

If you are only using SAML 2.0 Update 1 and not using Multi-Provider Single Sign-on, configure the assertion consumer URL with E-signature SAML properties.

Local database authentication with Multi-Provider SSO

If you still want to use local database authentication when Multi-SSO is active, you must set the glide.authentication.external.disable_local_login property to false. See Redirection Properties.
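
The following pre-rollout check covers the two settings described above: the eSignature assertion consumer URL on each identity provider and the glide.authentication.external.disable_local_login property. It is an added example, not code from the product or its documentation. The record keys (name, esig_consumer_url), the sample values and the idea of exporting these settings into Python dictionaries are assumptions made for illustration.

```python
from urllib.parse import urlsplit

LOCAL_LOGIN_PROP = "glide.authentication.external.disable_local_login"
DEFAULT_ESIG_PATH = "/consumer.do"

# Constructed sample data, not taken from a real instance.
SAMPLE_PROPS = {LOCAL_LOGIN_PROP: "true"}
SAMPLE_IDPS = [
    {"name": "employees", "esig_consumer_url": "https://YOURINSTANCE.service-now.com/consumer.do"},
    {"name": "vendors", "esig_consumer_url": "http://YOURINSTANCE.service-now.com/esig_custom.do"},
    {"name": "contractors", "esig_consumer_url": ""},
]


def audit_multi_sso(instance_host, properties, idp_records, need_local_login):
    """Return (severity, message) findings for an exported multi-SSO setup.
    idp_records use the hypothetical keys 'name' and 'esig_consumer_url'.
    """
    findings = []
    # Local database login is only available when the property is false.
    value = str(properties.get(LOCAL_LOGIN_PROP, "")).strip().lower()
    if need_local_login and value != "false":
        shown = value or "unset"
        findings.append(("error", f"{LOCAL_LOGIN_PROP} is {shown!r}; "
                                  "local database login needs it set to false"))
    for idp in idp_records:
        name = idp["name"]
        url = (idp.get("esig_consumer_url") or "").strip()
        if not url:
            findings.append(("error", f"{name}: eSignature consumer URL is empty"))
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(("error", f"{name}: consumer URL is not https"))
        host = (parts.hostname or "").lower()
        if host != instance_host.lower() or parts.path != DEFAULT_ESIG_PATH:
            # A custom consumer URL is allowed, so report it for review only.
            findings.append(("review", f"{name}: non-default consumer URL {url}"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_multi_sso("YOURINSTANCE.service-now.com", SAMPLE_PROPS, SAMPLE_IDPS, True):
        print(sev, msg)
```

A "review" finding is not a failure: it marks an identity provider whose consumer URL differs from the default, so someone confirms the custom eSignature handler is intentional.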