Set up multiple provider SSO with Edge Encryption

If you implement multiple provider single sign-on (SSO) with Edge Encryption enabled, some users may need to log in to your instance through the Edge Encryption proxy server while others log in to the instance directly. Set up multiple provider SSO so that users can log in through either the Edge Encryption proxy server URL or the instance URL.

Before you begin

  • Role required: admin
  • Enable the Integration - Multiple Provider Single Sign-On Installer plugin (com.snc.integration.sso.multi.installer).
  • Enable the Edge Encryption plugin (com.glide.edgeencryption) and ensure that one or more proxy servers are set up in your network.
  • Determine the URL for the Edge Encryption proxy server that users will log in through using multiple provider SSO. To determine the URL of an Edge Encryption proxy server, see Edge Encryption proxy server setup and installation.

About this task

  • If all users are routed through the Edge Encryption proxy server, set up one identity provider record and use the proxy server URL in the ServiceNow Homepage, Entity ID / Issuer, and Audience URI fields.
  • To route some users through the proxy server and others to the instance, create two identity provider records. Both records use the same value in the Identity Provider URL field (the IdP's entity ID). One record carries the proxy server URL in its ServiceNow Homepage, Entity ID / Issuer, and Audience URI fields; the other carries the instance URL.

Procedure

  1. Enable the duplication of identity provider URLs in identity provider records.
    By default, a unique constraint on the Identity Provider URL field prevents two identity provider records from holding the same value. Clear that constraint by setting the Unique attribute of the field to false. Note that once the constraint is cleared, the Identity Provider URL no longer identifies a single record; this is why step 4 changes how the installation exit selects the record.
    1. Navigate to System Definition > Dictionary.
    2. Open the dictionary record for the idp field of the Identity Providers table [saml2_update1_properties].
    3. Configure the form to add the Unique field.
    4. Ensure that the value of the Unique field is set to false.
  2. Navigate to Multi-Provider SSO > Identity Providers.
  3. Create two identity provider records for the same identity provider: one using the instance URL and one using the Edge Encryption proxy server URL.
    To create an identity provider record, see Create and update identity providers.
    1. For the Edge Encryption proxy server URL, complete the form using these values.
       Field                 | Value
       Identity Provider URL | Imported from IdP metadata.
       ServiceNow Homepage   | The URL for your proxy server homepage. For example: https://<proxy hostname>:<port>/navpage.do
       Entity ID / Issuer    | https://<proxy hostname>:<port>
       Audience URI          | https://<proxy hostname>:<port>
    2. Click Submit.
    3. For the instance URL, complete the form using these values.
       Field                 | Value
       Identity Provider URL | Imported from IdP metadata.
       ServiceNow Homepage   | https://<instance>.service-now.com/navpage.do
       Entity ID / Issuer    | https://<instance>.service-now.com/navpage.do
       Audience URI          | https://<instance>.service-now.com/navpage.do
    4. Click Submit.
    Note: For each record, the Entity ID / Issuer and Audience URI must match, character for character, the service provider entity ID and audience that the IdP is configured with for that endpoint. The Audience URI is the value the SAML AudienceRestriction in the assertion is validated against, so a response issued for the proxy endpoint is rejected at the instance endpoint and vice versa.
  4. (Optional) If using more than one identity provider, modify the MultiSSO installation exit.
    1. Navigate to System Definition > Installation Exits.
      The system displays the current list of installation exits.
    2. Open the MultiSSO installation exit.
    3. Locate the following statement in the Script field.
       var samlResponseTxt = request.getParameter("SAMLResponse");
       if (!GlideSession.get().isLoggedIn() && GlideStringUtil.notNil(samlResponseTxt)) {
           var idpRecord = this.getIdPRecord(request);
           if (idpRecord) {
               SSO_Helper.debug("IdP found based on SAML response: " + idpRecord.getUniqueValue());
               return new SSO_Helper(idpRecord.getUniqueValue(), false, null, true);
           }
       }
    4. Replace the statement with the following code.
       var samlResponseTxt = request.getParameter("SAMLResponse");
       if (!GlideSession.get().isLoggedIn() && GlideStringUtil.notNil(samlResponseTxt)) {
           /*
           // Two identity provider records share this IdP's entity ID, so the
           // Issuer / entity ID carried in the SAMLResponse cannot select a record:
           // it could resolve to the wrong profile. The lookup by response is
           // therefore disabled, and IdP-initiated login will not work.
           var idpRecord = this.getIdPRecord(request);
           if (idpRecord) {
               SSO_Helper.debug("IdP found based on SAML response: " + idpRecord.getUniqueValue());
               return new SSO_Helper(idpRecord.getUniqueValue(), false, null, true);
           }
           */
           return new SSO_Helper(null, true);
       }
       Note: IdP-initiated login does not work in this configuration. A SAMLResponse that arrives without a preceding SP-initiated request can no longer be mapped to a single identity provider record by its issuer, so users must start from one of the login URLs in Table 1.
    5. Click Update.
  5. (Optional) If users belong to more than one company, configure users for multi-provider SSO (see Configure users for multi-provider SSO). Set each user's identity provider to the sys_id of the record that matches where that user should log in.
    • To configure a user to log in through the Edge Encryption proxy server, use the sys_id of the identity provider record that uses the Edge Encryption proxy server URL.
    • To configure a user to log in to the instance directly, use the sys_id of the identity provider record that uses the instance URL.
    Table 1. Login URLs
    URL                                                                                                            | Login destination
    https://<proxy hostname>:<port>/login_with_sso.do?glide_sso_id=<sys_id of the IdP record for the proxy server URL> | Logs in through the proxy server.
    https://<instance name>.service-now.com/login_with_sso.do?glide_sso_id=<sys_id of the IdP record for the instance URL> | Logs in through the instance.
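The following is an added, stand-alone JavaScript (Node.js) model of the record-selection problem behind step 4 and of the login URLs in Table 1. It is not ServiceNow code, does not run inside an instance, and does not use the SSO_Helper or GlideRecord APIs; the record fields, sys_ids, host names and the unsigned SAML XML are all constructed for the demonstration. It shows that a lookup by the response Issuer returns both records once the unique constraint is cleared, that the AudienceRestriction (the one field that differs between the two records) can still tell them apart, and how each record's SP-initiated login URL is formed. Whether an audience-based discriminator can be used inside the installation exit is not something this page states; the block only illustrates why the issuer-only lookup had to be disabled.

```javascript
// Added example (Node.js): a model of the lookup problem behind step 4.
// Not ServiceNow code. All records, sys_ids, hosts and SAML XML are constructed.

// Two identity provider records that share one Identity Provider URL
// (the IdP entity ID) but point at different ServiceNow homepages.
const idpRecords = [
  {
    sys_id: "0123456789abcdef0123456789abcdef",             // constructed
    idp: "https://idp.example.com/saml/metadata",            // Identity Provider URL
    audience_uri: "https://proxy.example.com:8081",          // Edge Encryption proxy record
    homepage: "https://proxy.example.com:8081/navpage.do",
  },
  {
    sys_id: "fedcba9876543210fedcba9876543210",             // constructed
    idp: "https://idp.example.com/saml/metadata",
    audience_uri: "https://acme.service-now.com/navpage.do", // instance record, as in step 3
    homepage: "https://acme.service-now.com/navpage.do",
  },
];

// The original installation-exit logic in effect selects the record by the
// <saml:Issuer> of the response. With duplicate Identity Provider URLs that
// yields more than one record, which is why step 4 comments the lookup out.
function findByIssuer(records, issuer) {
  return records.filter((r) => r.idp === issuer);
}

// Minimal field extraction for the demo only. A real service provider must
// verify the response signature with a proper XML library before trusting
// any of these values.
function decodeSamlResponse(param) {
  return Buffer.from(param, "base64").toString("utf8");
}
function extractIssuer(xml) {
  const m = xml.match(/<saml:Issuer>([^<]+)<\/saml:Issuer>/);
  return m ? m[1].trim() : null;
}
function extractAudiences(xml) {
  return [...xml.matchAll(/<saml:Audience>([^<]+)<\/saml:Audience>/g)].map((m) => m[1].trim());
}

// Disambiguate by the AudienceRestriction, which the SP validates anyway and
// which is the one field that differs between the two records. Returns exactly
// one record, or null when the response matches none or several.
function resolveIdpRecord(records, samlResponseParam) {
  const xml = decodeSamlResponse(samlResponseParam);
  const issuer = extractIssuer(xml);
  const audiences = extractAudiences(xml);
  const candidates = findByIssuer(records, issuer).filter((r) => audiences.includes(r.audience_uri));
  return candidates.length === 1 ? candidates[0] : null;
}

// The SP-initiated login URL from Table 1, derived from the record's homepage.
function loginUrl(record) {
  const base = record.homepage.replace(/\/navpage\.do$/, "");
  return base + "/login_with_sso.do?glide_sso_id=" + record.sys_id;
}

// Constructed, unsigned responses for the demo; real responses are signed.
function makeResponse(issuer, audience) {
  const xml =
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ' +
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">' +
    "<saml:Issuer>" + issuer + "</saml:Issuer><saml:Assertion>" +
    "<saml:Conditions><saml:AudienceRestriction><saml:Audience>" + audience +
    "</saml:Audience></saml:AudienceRestriction></saml:Conditions>" +
    "</saml:Assertion></samlp:Response>";
  return Buffer.from(xml, "utf8").toString("base64");
}

const responseForProxy = makeResponse("https://idp.example.com/saml/metadata", "https://proxy.example.com:8081");
const responseForInstance = makeResponse("https://idp.example.com/saml/metadata", "https://acme.service-now.com/navpage.do");
const responseForOtherSp = makeResponse("https://idp.example.com/saml/metadata", "https://other.example.com");

// Issuer alone is ambiguous (2 records); audience picks one; an unknown audience picks none.
console.log(findByIssuer(idpRecords, "https://idp.example.com/saml/metadata").length);
console.log(resolveIdpRecord(idpRecords, responseForProxy).homepage);
console.log(loginUrl(resolveIdpRecord(idpRecords, responseForInstance)));
console.log(resolveIdpRecord(idpRecords, responseForOtherSp));
```

The regex extraction stands in for a real XML parser only so the block runs without dependencies; in a service provider the signature is verified first and the issuer and audience are read from the verified document.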