We're trying to configure our new ServiceNow support tool for single sign on with our Active Directory. We have an Active Directory Federation Server, and have setup an ADFS Relying Party as per the instructions here: http://wiki.servicenow.com/?title=Configuring_ADFS_2.0_to_Communicate_with_SAML_2.0
. The setup appears to be OK, when we visit the ADFS signin page (https://adfs.ourdomain.com/adfs/ls/idpinitiatedsignon.aspx
) we get a sign in page with ServiceNow as a site option available to login to. However, when we login, an error appears briefly saying "Could not validate SAMLResponse", then the page appears to forward to https://ourdomain.service-now.com/logout_redirect.do?sysparm_url=logout_success.do
, and constantly ping back and forth between that page and the sign in page. When we enable debugging on the service now portal, the below error is shown in the logs:
SAML2ValidationError: AudienceRestriction validation failed. No matching audience found.
I think this is something to do with the certificate, but not 100% sure. I followed the certificate export instructions on the aforementioned wiki, exporting the Token-Signing cert, and then imported that into the ServiceNow instance as per the instructions here: http://wiki.servicenow.com/index.php?title=SAML_2.0_Web_Browser_SSO_Profile#Step_5._Install_the_IdP_Certificate
Any help, advice, or suggestions would be most welcome!