jonnyseymour
ServiceNow Employee

A single setting in sys_properties can cause links on public pages to start prompting for authentication. The glide.ui.cms.enforce_public_pages property looks attractive from a security standpoint, but without the manual preparation steps described in this post you may break the convenience of pages that are safely public.

[Image: weblockdown1.png]

I will cover:

Content Management System (CMS) and Single Sign-on (SSO)

A site is a group of related content pages with a consistent look and feel, defined by a common layout, theme, and URL suffix.

Before creating a site for the first time, review the Content Management System page to understand the concepts and principles of using CMS.

SSO authentication, mainly provided by the newly added Multiple Provider Single Sign-On plugin, allows organizations to use several SSO identity providers (IdPs) to manage authentication while retaining local database (basic) authentication. The integration supports any combination of local and external authentication methods on a single instance:

  • SAML 2.0
  • Digest Authentication
  • LDAP
  • Local database authentication

For example, a globally dispersed corporation might require one SSO provider for their employees, a different one for their vendors, and local database authentication for their administrators. Administrators can configure Multi-Provider SSO for individual users or for all users who belong to a company. You cannot configure Multi-Provider SSO for groups.

Since public pages do not require login, SSO is skipped and CMS sites are public by default. This is because the pages have been defined with Active set to true on the sys_public table.

[Image: 2016-11-30_1746.png]

You can configure your CMS pages to use SSO by making the view_content page private (Active = false). Making a CMS page private is a common request, as companies and organizations want to make it available only to internal users or specific people.

To turn off public-facing content pages and enable SSO: navigate to Public Pages (sys_public.list), open the "view_content" record, and set Active to false.

However, some pages need to remain public, e.g. a page that contains the link for requesting password resets. There is a system property that causes CMS pages defined as public to enforce that their internal links are also defined as public.

How the system property glide.ui.cms.enforce_public_pages affects public pages

This property can be created on the sys_properties table and set as "glide.ui.cms.enforce_public_pages" = true (recommended). The value "true" enforces that links defined inside public CMS pages must also be defined on the sys_public table.

To validate page access, search Content Management > Pages for pages whose 'Content site' is empty. Open each of those pages and validate its 'read roles'. Then view each page with the "view page" link and note which pages need to be public and which do not. The public links need to be added to the sys_public table. Ensure the pages configured for public viewing do not include any sensitive information.

See ServiceNow KB: Configuring and Enforcing public CMS pages (KB0547450) for more detail (requires a HI login to view).

If the property is not defined or is false, the links within a public CMS page are considered public. Setting it to "false" puts you at risk of an information disclosure vulnerability.

Public pages are asking for authentication

Before this property was introduced, public CMS pages would not ask for authentication. With the new property "glide.ui.cms.enforce_public_pages" = true (recommended) in place, if the links within public CMS pages are not explicitly "public", the system will issue a request for authentication. To make those pages public, you need to add or set a record for the page in the sys_public table with Active set to true.
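The following is an added example, not code from the original post or from ServiceNow: a plain JavaScript model of the decision the property makes for each link inside a public CMS page, usable to plan the sys_public review described above before the property is switched on. The page names and sys_public entries are constructed sample data; only "view_content" comes from the post.

```javascript
// Added example: models how glide.ui.cms.enforce_public_pages decides whether
// a link inside a public CMS page prompts for login. Not ServiceNow code.

// Constructed sys_public records: page name -> Active flag.
const sysPublic = [
  { page: "view_content", active: true },     // from the post
  { page: "password_reset", active: true },   // constructed
  { page: "internal_status", active: false }, // constructed: explicitly private
];

// Constructed public CMS page and the internal links it contains.
const cmsPages = [
  { page: "welcome", links: ["password_reset", "internal_status", "hr_forms"] },
];

// True if `page` has a sys_public record with Active = true.
function isPublic(page, entries) {
  return entries.some((e) => e.page === page && e.active);
}

// For every link inside a public CMS page decide what the instance does.
// enforce=true: a link must itself be public in sys_public or it prompts.
// enforce=false: every link in a public page is served without login, even
// with no sys_public record (the information-disclosure risk in the post).
function auditLinks(pages, entries, enforce) {
  const results = [];
  for (const cms of pages) {
    for (const link of cms.links) {
      const explicitlyPublic = isPublic(link, entries);
      results.push({
        page: cms.page,
        link,
        promptsForLogin: enforce ? !explicitlyPublic : false,
        exposedImplicitly: !enforce && !explicitlyPublic,
      });
    }
  }
  return results;
}

// Links that would start prompting once the property is set to true: the
// list to review (and add to sys_public where appropriate) before enabling it.
function linksToReviewBeforeEnforcing(pages, entries) {
  return auditLinks(pages, entries, true)
    .filter((r) => r.promptsForLogin)
    .map((r) => r.link);
}
```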

If you do go the route of setting pages to public, double-check that sensitive pages are left private and that the pages meant to be public are explicitly set on sys_public.

For more information on CMS and public pages prompting a login see: