Create a SAML 2.0 Update 1 SSO configuration for Multi-SSO

You can create and update SAML 2.0 Update 1 SSO configurations from the Multi-Provider Single Sign-On feature.

Before you begin

Role required: admin

Procedure

  1. Navigate to Multi-Provider SSO > Identity Providers.
  2. To update a configuration, click an SSO configuration record.
  3. To create a new configuration, click New.
  4. Click SAML2 Update 1.
  5. Complete the form using the fields described in the table, then submit the record.
    For more information on multi-provider single sign-on, see Multi-Provider Single Sign-On.
    Table 1. Multi-provider single sign-on fields

    Name
        Enter the name for the SSO configuration record.
    Active
        Select the check box to make this SAML configuration active.
    User Field
        Enter the field on the User table that contains the value the IdP uses to identify the user.
    Identity Provider URL
        Enter the URL that identifies your IdP. This is the IdP's entity ID (the entityID attribute in the IdP metadata), and it must match the Issuer in the SAML responses the IdP sends.
    Identity Provider's AuthnRequest
        Enter the URL of the IdP's HTTP-Redirect binding, taken from the Location attribute of the SingleSignOnService element in the IdP metadata.

        Add this URL to the glide.security.url.whitelist property; otherwise the instance refuses to redirect users to it.

    Identity Provider's SingleLogoutRequest
        Enter the URL from the Location attribute of the SingleLogoutService element.
    Failed Requirement Redirect
        Enter the URL to which failed authentication requests are redirected. Typically this endpoint is an error page or logout page.
    ServiceNow Homepage
        Enter the URL of the instance the IdP authenticates, including the login page. For example: https://yourinstance.service-now.com/navpage.do
    Entity ID/Issuer
        Enter the base URL of the instance the IdP authenticates, excluding the login page. The instance sends this value as the Issuer in its AuthnRequests, and the IdP must use the same value in the Audience element of its assertions. For example: https://yourinstance.service-now.com/
    Protocol Binding for the IDP's SingleLogoutRequest
        Enter one of the supported values listed in the Binding attribute of the SingleLogoutService element.
    NameID Policy
        Enter the value of the NameIDFormat element the integration uses.
    NameID Attribute
        Leave this field blank unless you configure a new NameID policy. If you do configure a new policy, the system needs to know which field in the User table to match against the NameID in the assertion to identify the user logging in. Enter the name of that User table field here.
    Create AuthnContextClass
        Select the check box to request a particular authentication context class, such as Password Protected Transport. If the check box is cleared, the IdP selects the most appropriate context class.
    AuthnContextClassRef Method
        Enter the URN of the authentication mechanism you want the IdP to use to authenticate users.
    External logout redirect
        Enter the URL to which the integration redirects users after they log out.
    Signing/Encryption Key Alias
        Enter the alias of the key entry stored in the SAML 2.0 SP Keystore.
    Signing Key Password
        Enter the password of the key entry stored in the SAML 2.0 SP Keystore.
    Encrypt Assertion
        Select the check box to require an encrypted assertion in the SAML response. The metadata generated for the IdP embeds the X.509 certificate, which the IdP uses to encrypt the assertion in the SAML response that it generates.
    Clock Skew
        Enter the number of seconds of clock difference the instance tolerates between itself and the IdP when it checks the validity window of a SAMLResponse. A SAMLResponse is valid only between its NotBefore and NotOnOrAfter date-time values; the clock skew widens that window by the configured number of seconds on each side. Keep the value small, because a large skew lets an intercepted assertion be replayed for longer. See Sample SAML 2 Response with the SubjectConfirmation and SubjectConfirmationData Elements and Sample SAML 2 Response with the AudienceRestrictions and Audience Elements for a sample SAMLResponse message.
    Force AuthnRequest
        Select the check box to set ForceAuthn on the AuthnRequest, which requires the IdP to re-authenticate the user even if the user already has an IdP session.
    Is Passive AuthnRequest
        Select the check box to set IsPassive on the AuthnRequest, which tells the IdP not to interact with the user; if the user cannot be authenticated silently, the IdP returns an error instead of a login prompt.
    Sign AuthnRequest
        Select the check box to sign the AuthnRequest sent to the IdP's single sign-on service, using the key identified by Signing/Encryption Key Alias.
    Signing Signature Algorithm
        Enter the URI of the XML Signature algorithm used to sign the AuthnRequest, for example http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. Prefer a SHA-256 based algorithm over the older SHA-1 algorithm (http://www.w3.org/2000/09/xmldsig#rsa-sha1), and make sure the IdP accepts the algorithm you choose.
    Single Sign-On Script
        Select the Single Sign-On script.
    Auto Provisioning User
        Select the check box to enable automatic user provisioning, which creates a user in the instance's User table when the user exists on the IdP but not in the User table.
    Update User Record Upon Each Login
        Select the check box to update user information in the instance's User table with the information from the IdP each time the user logs in using SAML.

    Related list

    X.509 Certificates
        The IdP certificates. You can add as many certificates as necessary after you install them. When there are multiple certificates, the system uses the first active certificate that is found.
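Most of the values in Table 1 come straight out of the IdP's SAML metadata, and three of them (Entity ID/Issuer, Identity Provider URL and Clock Skew) decide whether an assertion is accepted. The following Python script is an added example, not part of the ServiceNow product or this documentation: it pulls the form values from a constructed IdP metadata document, then applies the Entity ID/Issuer, Identity Provider URL and Clock Skew settings to a constructed assertion the way the instance does when it checks NotBefore, NotOnOrAfter, Issuer and Audience. The metadata, the assertion, the hostnames and the mapping of the metadata entityID onto the Identity Provider URL field are assumptions made for the example.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespaces used by SAML 2.0 metadata and assertions.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed IdP metadata for the example; not from any real provider.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.org/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBexampleCERT</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/slo"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.org/saml/sso/post"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://idp.example.org/saml/sso/redirect"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion; a real SAMLResponse wraps this in samlp:Response.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>https://idp.example.org/saml</saml:Issuer>
  <saml:Conditions NotBefore="2024-05-01T12:00:00Z" NotOnOrAfter="2024-05-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://yourinstance.service-now.com/</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def form_values_from_metadata(xml_text):
    """Map IdP metadata onto the Table 1 fields (assumed mapping, see lead-in)."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    # The AuthnRequest field wants the HTTP-Redirect endpoint, not the HTTP-POST one.
    sso = next(e for e in idp.findall("md:SingleSignOnService", NS)
               if e.get("Binding") == REDIRECT)
    slo = idp.find("md:SingleLogoutService", NS)
    cert = idp.find("md:KeyDescriptor[@use='signing']/ds:KeyInfo/"
                    "ds:X509Data/ds:X509Certificate", NS)
    return {
        "Identity Provider URL": root.get("entityID"),
        "Identity Provider's AuthnRequest": sso.get("Location"),
        "Identity Provider's SingleLogoutRequest": slo.get("Location"),
        "Protocol Binding for the IDP's SingleLogoutRequest": slo.get("Binding"),
        "NameID Policy": idp.findtext("md:NameIDFormat", namespaces=NS),
        "X.509 Certificate": cert.text.strip(),
        # The AuthnRequest URL is also what goes into glide.security.url.whitelist.
        "glide.security.url.whitelist": sso.get("Location"),
    }


def _ts(value):
    """Parse the UTC timestamps SAML uses (xs:dateTime with a Z suffix)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def conditions_valid(xml_text, now_iso, entity_id, idp_url, clock_skew_seconds):
    """Check Issuer, the validity window widened by Clock Skew, and Audience."""
    root = ET.fromstring(xml_text)
    now = _ts(now_iso)
    if root.findtext("saml:Issuer", namespaces=NS) != idp_url:
        return False, "issuer does not match Identity Provider URL"
    cond = root.find("saml:Conditions", NS)
    skew = timedelta(seconds=clock_skew_seconds)
    # Accept if now >= NotBefore - skew ...
    if now + skew < _ts(cond.get("NotBefore")):
        return False, "assertion not yet valid"
    # ... and now < NotOnOrAfter + skew.
    if now - skew >= _ts(cond.get("NotOnOrAfter")):
        return False, "assertion expired"
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if entity_id not in audiences:
        return False, "Entity ID/Issuer not in AudienceRestriction"
    return True, "ok"


if __name__ == "__main__":
    for field, value in form_values_from_metadata(IDP_METADATA).items():
        print(f"{field}: {value}")
    sp, idp = "https://yourinstance.service-now.com/", "https://idp.example.org/saml"
    print(conditions_valid(ASSERTION, "2024-05-01T11:59:30Z", sp, idp, 60))
    print(conditions_valid(ASSERTION, "2024-05-01T11:59:30Z", sp, idp, 0))
```

The last two calls show why Clock Skew matters: an assertion whose NotBefore is 30 seconds ahead of the instance clock is accepted with a 60-second skew and rejected with none. The audience check also shows why Entity ID/Issuer must be the base URL rather than the ServiceNow Homepage value: an Audience of https://yourinstance.service-now.com/ does not match https://yourinstance.service-now.com/navpage.do.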