
(Workaround) Enable service provider-initiated authentication

A workaround is available if authentication fails because you do not have SAML 2.0 Update 1. This can happen if users attempt to skip IdP authentication and navigate directly to the instance.

Before you begin

Role required: admin

About this task

This error occurs because the instance does not provide ADFS with the definition and semantics it needs for the SPNameQualifier attribute in the SAMLResponse.

To enable service provider-initiated authentication, do one of the following:

  • Upgrade to SAML 2.0 Update 1 and clear the option to create an AuthnContextClass request. See Activate and set up SAML 2.0.

  • Modify the SAML2 script include to comment out the definitions of the SPNameQualifier attribute when you have SAML 2.0 active (not SAML 2.0 Update 1).

    Comment out these lines in the createNameID and createNameIDPolicy functions:

    //nid.setSPNameQualifier(serviceURL);

    //nameIdPolicy.setSPNameQualifier(serviceURLStr);

What to do next

If you do not want the login prompt from your ADFS server to appear when you access the instance, set the following SAML 2.0 Update 1 property to false: Create an AuthnContextClass request in the AuthnRequest statement (glide.authenticate.sso.saml2.createrequestedauthncontext).

Products > ServiceNow Platform > Platform Security; Versions > Istanbul