ADFS Single Signon with ServiceNow

We're trying to configure our new ServiceNow support tool for single sign on with our Active Directory. We have an Active Directory Federation Server, and have setup an ADFS Relying Party as per the instructions here: http://wiki.servicenow.com/?title=Configuring_ADFS_2.0_to_Communicate_with_SAML_2.0. The setup appears to be OK, when we visit the ADFS signin page (https://adfs.ourdomain.com/adfs/ls/idpinitiatedsignon.aspx) we get a sign in page with ServiceNow as a site option available to login to. However, when we login, an error appears briefly saying "Could not validate SAMLResponse", then the page appears to forward to https://ourdomain.service-now.com/logout_redirect.do?sysparm_url=logout_success.do, and constantly ping back and forth between that page and the sign in page. When we enable debugging on the service now portal, the below error is shown in the logs:
SAML2ValidationError: AudienceRestriction validation failed. No matching audience found.
I think this is something to do with the certificate, but not 100% sure. I followed the certificate export instructions on the aforementioned wiki, exporting the Token-Signing cert, and then imported that into the ServiceNow instance as per the instructions here: http://wiki.servicenow.com/index.php?title=SAML_2.0_Web_Browser_SSO_Profile#Step_5._Install_the_IdP_Certificate.

Any help, advice, or suggestions would be most welcome!
bjblackmoreAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

LearnctxEngineerCommented:
It sounds like a certificate issue from the sound of it. Do you have the certificate in the correct format (PEM)? Have you converted the certificate from DER format to PEM format? If you have not try doing that using https://www.sslshopper.com/ssl-converter.html. Make sure there is no white space or carriage returns on the end of the certificate text.
0
bjblackmoreAuthor Commented:
Thanks for the reply. Sorry for the delayed responce, Christmas holidays!

After posting my initial question I went back and re-read the instructions, and I had indeed missed the PEM convertion. However even after converting and uploading the cert in PEM format I still got the same error. After getting Service Now support to check the settings, it turns out that there is a property on the SNOW side that was mis-configured. The Audience URL needs to be the SNOW URL, but was incorrectly set. After updating this to the correct URL, login now works successfully!
Audience URL
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
bjblackmoreAuthor Commented:
Certificate not being in PEM format was probably part of the issue, but also the audience URL was incorrect.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.