Force single sign-on login (SSO) only

When single sign-on is enabled, you might not want users to see the login page or allow user to login locally.

In other words, if a user attempts to go to https://customerX.service-now.com, the internal company portal should be displayed instead of the default login page. Likewise, when a user logs out of the application, the browser should redirect them to a specific internal page. You can set redirection properties within the instance to ensure that users see the single sign-on page rather than the default login page.

Redirection properties

When a user logs out, or if there is a failed attempt to sign on using SSO, you can define where the user is taken next, such as a main portal page or a knowledge base article with SSO login information. Use the following properties to specify the URLs. If one of these properties does not exist in your instance, you can create the property.
glide.authenticate.failed_requirement_redirect
URL to redirect users when they attempt to access a page that is private (for example, to view an incident) and do not provide SSO credentials. The property is typically set to a customer's login portal (for example, http://portal.companya.com/).
glide.authenticate.failed_redirect
URL to redirect users after a failed SSO attempt. You can redirect to a public knowledge article that describes the error and has helpful links (for example, http://portal.companya.com/error).
glide.authenticate.external.logout_redirect
URL to redirect users after logging out, typically back to the portal that enabled the single sign-on log in (for example, http://portal.companya.com/logout).
glide.authentication.external.disable_local_login
When set to true, requires SSO credentials for the main login page. Defaults to false. This property needs to be used in conjunction with the glide.authenticate.failed_requirement_redirect property.
The following table shows the relationship between the Installation Exit return values, the properties, and the expected behavior.
Table 1. Forcing login using SSO only
Return value Property Behavior
failed_missing_requirement glide.authenticate.failed_requirement_redirect When this value is returned, it indicates that the required SSO credentials are not present in the session. Login fails and the session is redirected to the URL specified by the property. This is usually the URL for the SSO provider where login is challenged and credentials are collected.
failed_authentication glide.authenticate.failed_redirect When this value is returned, it indicates that the supplied SSO credentials failed authentication, the user does not exist, or the user is locked out. Login fails and the session is redirected to the URL specified by the property. This is usually the URL for the SSO provider where login is challenged and credentials are collected.
<user_id> N/A Login authorized for the user specified by <user_id>. This value matches with the field name defined in the SSO property glide.authenticate.header.value ("the instance's field name to match against the incoming header")

Restricting local login

As a security precaution, you should do more than rely on redirection properties to prohibit logging in locally. If a user should never log in locally and will always be authenticated by your internal single sign-on system, then a random password should be assigned to each user that is imported into the instance. The random password is most easily set at the time of the user import. If the user data is imported into your system through an import set, you can create an onBefore transform script using the following code .
var r  = new Packages. java. util. Random ( ) ;

 var str1  = Packages. java. lang. Long. toString (Packages. java. lang.
 Math. abs (r. nextLong ( ) ) , 36 ) ; var str2  = Packages. java. lang.
 Long. toString (Packages. java. lang. Math. abs (r. nextLong ( ) ) , 36
 ) ;

 var newPass  = str1  + str2 ;

target. user_password = newPass ;

 //password now set to a random string like this:
 //qvm81zdrn7cwwylpvw94eebk