Goran WitchDoc
ServiceNow Employee

This is going to be a story of a problem I had myself.

First, I would like to give a shoutout to fschuster and patrick.wilson for helping me out here; without their ideas I would probably still be banging my head against a wall.

Now, here comes the scenario...

Our instance had its birth in Eureka and has gone through Fuji and Geneva, and now it's time to hit Helsinki.

We started to use SSO with Eureka, connected to our ADFS service.

We also have a CMS site (portal) that we use where some pages are public (for example the start page) and don't require a logged-in user, while other pages do. So when you click on a link and aren't logged in, you should be redirected to SSO and then back to the page you wanted to reach.

So for Helsinki we wanted to build our first Service Portal with pretty much a 1:1 relationship when it comes to functionality etc. My problem here is focused on how to get some pages public and, when the user hits the other pages, have them redirected to the SSO.

1. First try: use the Public field

My first thought was that this might be solved by just using the "Public" field: check the ones that are public, and the ones that aren't would be redirected automagically to SSO. But it didn't work like that. I only got to the page and it had the top menu visible, since the user who wasn't logged in didn't have access to the page.

2. Perhaps use a login page as well?

Well, next step... Hmm, I might need a login page then. If I have a login page, the user will be redirected to that page for login. Sounds logical... And since I already have SSO installed, they should get to the SSO instead. But nope. The user only got to the login page and the login widget.

3. Does my SSO still work?

Now I began to doubt things. Does the SSO still work? I knew it worked when I wanted to log on to the "normal UI" for users. But what is the problem... I then made the start page not public anymore. And TADA, trying to enter the Service Portal, I got redirected to SSO... WTH... So if the whole portal required logged-in users, it would point to the SSO and work, but if some pages were public, I only got to the portal's own internal login page.

4. Hmm... Why don't I have these properties?

Then I was asked to set values on two system properties: "glide.authenticate.multisso.enabled" and "glide.authenticate.sso.redirect.idp". I realized that I didn't have these from the beginning... Hmm, should I just create them? Before doing that I thought I would try to find out what they did and took a trip to the documentation. The first line there was "The following items are installed with the Integration - Multiple Provider Single Sign-On Installer plugin". And after checking, that plugin wasn't active. Should I activate this? I started to hesitate since we don't have multiple providers... We only have one... And we all know, once you activate a plugin, there is no turning back. Naa, I don't wanna do that. Not yet at least.

5. Let's go to the SAML 2 properties and see

I wasn't involved in the configuration of SAML 2, and since it has been working, I haven't spent much time on it. It has just been on my list to look at more closely when time permits. So perhaps there is something I can click on or change? 😃

But look here, this is what ServiceNow threw in my face when I clicked on the properties module.

[Screenshot: the message shown by the SAML 2 properties module]

Well... It suddenly sounded like a good idea to activate that plugin 😃

6. Finally, the solution

So now it's time to tell you what I did to make it work.

  • I activated the plugin "Integration - Multiple Provider Single Sign-On Installer". That wasn't so hard 😃
  • I changed the value of "glide.authenticate.multisso.enabled" to true and verified that "glide.authenticate.sso.redirect.idp" held the sys_id of the IdP record.


After this, it worked. I clicked on a page that wasn't public, got to the login page for about 1 sec, and was then redirected to the SSO login.

A bit of background on how it works. Since I have the login widget on the login page, ServiceNow knows that it's a login page, and together with the properties above it will redirect to the IdP. Following this, I could put a login widget on the non-public pages and get the same result, but it wouldn't look so good, since I would need to make all those pages public as well; otherwise the login widget won't load and the redirect won't work.
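A configuration audit for the two properties above, as an added example that is not part of the original post: it takes the property values and the Identity Provider records as plain input (in a ServiceNow background script they would be read with GlideRecord; the `sso_properties` table name and the `sys_id`/`name`/`active` field names are assumptions) and reports the same failure modes the post walked through, starting with the properties not existing at all before the plugin is active.

```javascript
// Added example (not from the post): an offline audit of the two properties the
// post ends up setting. In a ServiceNow background script the inputs would come
// from the sys_properties table and the Identity Provider records via
// GlideRecord (assumption: IdP records live in the sso_properties table); here
// they are constructed sample records so the check runs in plain Node.

const SYS_ID_RE = /^[0-9a-f]{32}$/;

// props: { name: value } as read from sys_properties (absent key = the property
// does not exist). idps: Identity Provider records with assumed field names
// sys_id, name and active. Returns { ok, findings }.
function auditSsoRedirect(props, idps) {
  const findings = [];
  const multi = props['glide.authenticate.multisso.enabled'];
  const idpId = props['glide.authenticate.sso.redirect.idp'];

  // Both properties are installed by the Multi-Provider SSO plugin; if either
  // is missing, the plugin is not active (the situation in step 4 of the post).
  if (multi === undefined || idpId === undefined) {
    findings.push('properties missing: activate "Integration - Multiple Provider Single Sign-On Installer"');
    return { ok: false, findings };
  }
  if (String(multi).toLowerCase() !== 'true') {
    findings.push('glide.authenticate.multisso.enabled is not true: the portal login page will not redirect to the IdP');
  }
  if (!SYS_ID_RE.test(String(idpId))) {
    findings.push('glide.authenticate.sso.redirect.idp is not a 32-character sys_id');
  } else {
    const idp = idps.find((r) => r.sys_id === idpId);
    if (!idp) findings.push('glide.authenticate.sso.redirect.idp matches no Identity Provider record');
    else if (!idp.active) findings.push('Identity Provider "' + idp.name + '" is inactive');
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample data; the sys_id is a placeholder, not a real record.
const SAMPLE_IDPS = [
  { sys_id: '0123456789abcdef0123456789abcdef', name: 'Corporate ADFS', active: true },
];
const WORKING_PROPS = {
  'glide.authenticate.multisso.enabled': 'true',
  'glide.authenticate.sso.redirect.idp': '0123456789abcdef0123456789abcdef',
};
const BEFORE_PLUGIN_PROPS = {}; // the properties simply do not exist yet

console.log(auditSsoRedirect(WORKING_PROPS, SAMPLE_IDPS));
console.log(auditSsoRedirect(BEFORE_PLUGIN_PROPS, SAMPLE_IDPS));
```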

What I would like to see is an improvement on the login page. At the moment I get about a 1 sec flash of the login page before the redirect, and it doesn't really look good since I see the widget etc. I will probably need to clean it up with some CSS to start with.

I also noticed some weird stuff when I activated the plugin and ServiceNow migrated the old values. For example, it changed which field on my user records should be compared with the result from the SSO, and that resulted in me not being able to log in to the instance through SSO, since it couldn't find a matching user record.

I hope you learned something from my journey, and hopefully this will help someone with the same problem as me.
