Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

ADFS Single Signon with ServiceNow

Posted on 2014-12-24
3
Medium Priority
?
707 Views
Last Modified: 2015-01-07
We're trying to configure our new ServiceNow support tool for single sign on with our Active Directory. We have an Active Directory Federation Server, and have setup an ADFS Relying Party as per the instructions here: http://wiki.servicenow.com/?title=Configuring_ADFS_2.0_to_Communicate_with_SAML_2.0. The setup appears to be OK, when we visit the ADFS signin page (https://adfs.ourdomain.com/adfs/ls/idpinitiatedsignon.aspx) we get a sign in page with ServiceNow as a site option available to login to. However, when we login, an error appears briefly saying "Could not validate SAMLResponse", then the page appears to forward to https://ourdomain.service-now.com/logout_redirect.do?sysparm_url=logout_success.do, and constantly ping back and forth between that page and the sign in page. When we enable debugging on the service now portal, the below error is shown in the logs:
SAML2ValidationError: AudienceRestriction validation failed. No matching audience found.
I think this is something to do with the certificate, but not 100% sure. I followed the certificate export instructions on the aforementioned wiki, exporting the Token-Signing cert, and then imported that into the ServiceNow instance as per the instructions here: http://wiki.servicenow.com/index.php?title=SAML_2.0_Web_Browser_SSO_Profile#Step_5._Install_the_IdP_Certificate.

Any help, advice, or suggestions would be most welcome!
0
Comment
Question by:bjblackmore
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 18

Assisted Solution

by:Learnctx
Learnctx earned 1200 total points
ID: 40517439
It sounds like a certificate issue from the sound of it. Do you have the certificate in the correct format (PEM)? Have you converted the certificate from DER format to PEM format? If you have not try doing that using https://www.sslshopper.com/ssl-converter.html. Make sure there is no white space or carriage returns on the end of the certificate text.
0
 

Accepted Solution

by:
bjblackmore earned 0 total points
ID: 40527792
Thanks for the reply. Sorry for the delayed responce, Christmas holidays!

After posting my initial question I went back and re-read the instructions, and I had indeed missed the PEM convertion. However even after converting and uploading the cert in PEM format I still got the same error. After getting Service Now support to check the settings, it turns out that there is a property on the SNOW side that was mis-configured. The Audience URL needs to be the SNOW URL, but was incorrectly set. After updating this to the correct URL, login now works successfully!
Audience URL
0
 

Author Closing Comment

by:bjblackmore
ID: 40535212
Certificate not being in PEM format was probably part of the issue, but also the audience URL was incorrect.
0

Featured Post

What does it mean to be "Always On"?

Is your cloud always on? With an Always On cloud you won't have to worry about downtime for maintenance or software application code updates, ensuring that your bottom line isn't affected.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…
This tutorial will walk an individual through the process of configuring their Windows Server 2012 domain controller to synchronize its time with a trusted, external resource. Use Google, Bing, or other preferred search engine to locate trusted NTP …
Suggested Courses

609 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question