01-10-2018 12:32 PM
I am unable to generate metadata from my ServiceNow instance when clicking on the "Generate Metadata" UI Action on a new Identity Provider record.
Steps to reproduce:
I have the Identity Provider set to Active and Default and a valid x.509 Certificate associated with the IDP, however I am still getting nothing returned for metadata.
02-06-2018 04:56 AM
If anyone else is facing this issue and the other replies in this thread didn't help you, then verify that:
1) The Signing/Encryption alias and the password configured on the identity provider config (saml2_update1_properties table) are valid and the same as the ones configured on the SAML 2.0 SP keystore record.
2) The system property 'glide.authenticate.sso.saml2.keystore' has a valid sys_id of SAML 2.0 SP keystore record (sys_certificate). The system property might not be updated if you create a custom keystore for SAML/SSO setup or import certificate records from another instance.
Also try running this snippet / SSCCE as a background script - it's extracted from the AJAX scripts that get executed when you click the 'Generate Metadata' button (you can inspect the XMLHttpRequest triggered by that page to find the server side scripts called). If this background script throws an error, then that's your issue and fixing step #2 above should take care of it.
var idpSysId = '<sys-id-of-the-idp-config-record>'; // from the saml2_update1_properties table
var ssoHelper = new SSO_Helper(idpSysId, false, null, true); // helper used by the 'Generate Metadata' server-side scripts
var SAML2 = new SAML2_update1(ssoHelper);
gs.print(SAML2.generateKeyInfoXML()); // throws if the keystore referenced by glide.authenticate.sso.saml2.keystore cannot be loaded
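As an added diagnostic (not code from this thread or from ServiceNow) the two checks above can be scripted: it validates that glide.authenticate.sso.saml2.keystore holds a well-formed sys_id that resolves to a sys_certificate record, and that the alias and password on the IdP record are not empty. GlideRecord.get, getValue, getUniqueValue and gs.getProperty are standard ServiceNow APIs; the alias and password field names on the IdP record are not given in the thread, so those two values are assumed and passed in by hand.

```javascript
// Diagnostic for the SAML 2.0 SP keystore wiring behind 'Generate Metadata'.
var KEYSTORE_PROPERTY = 'glide.authenticate.sso.saml2.keystore';

// Returns a list of problems found; an empty list means the checks pass.
// lookup(table, sysId) returns a record object or null (ServiceNow adapter
// below; a plain object map when run outside the platform).
function diagnoseSamlKeystore(propertyValue, idpConfig, lookup) {
  var problems = [];
  var sysId = String(propertyValue || '').trim();
  if (!sysId) {
    problems.push(KEYSTORE_PROPERTY + ' is empty');
  } else if (!/^[0-9a-f]{32}$/i.test(sysId)) {
    // A name or a pasted value instead of a sys_id is a common symptom of a
    // custom keystore or a record imported from another instance.
    problems.push(KEYSTORE_PROPERTY + ' is not a 32-character sys_id: ' + sysId);
  } else if (!lookup('sys_certificate', sysId)) {
    problems.push('no sys_certificate record with sys_id ' + sysId +
      ' (property points at a missing or re-imported keystore record)');
  }
  if (!idpConfig.signingAlias) {
    problems.push('Signing/Encryption key alias on the IdP record is empty');
  }
  if (!idpConfig.signingPassword) {
    problems.push('Signing/Encryption key password on the IdP record is empty');
  }
  return problems;
}

// ServiceNow adapter: only usable inside a background script where
// GlideRecord exists. sys_certificate has a 'name' field (e.g. the OOB
// record named 'SAML 2.0 SP Keystore').
function glideLookup(table, sysId) {
  var gr = new GlideRecord(table);
  if (!gr.get(sysId)) return null;
  return { sys_id: String(gr.getUniqueValue()), name: String(gr.getValue('name')) };
}

// Entry point when pasted into Scripts - Background (gs is absent elsewhere).
if (typeof gs !== 'undefined') {
  // ASSUMPTION: fill in the alias/password values from your IdP record.
  var idpConfig = { signingAlias: 'saml2sp', signingPassword: '<password-from-idp-record>' };
  var result = diagnoseSamlKeystore(gs.getProperty(KEYSTORE_PROPERTY), idpConfig, glideLookup);
  gs.print(result.length ? result.join('\n') : 'keystore checks passed');
}
```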
01-10-2018 02:18 PM
Hello John,
This appears when the Sign AuthnRequest checkbox on your identity provider record is true and the Signing/Encryption Key Alias and Password fields are empty or incorrect. The default OOB value for Signing/Encryption Key Alias and Signing/Encryption Key Password is saml2sp.
For quick testing purposes, uncheck the Sign AuthnRequest checkbox, save the identity provider record and try generating metadata again; it should help. When it helps, please make sure you have the correct values for the Signing/Encryption Key Alias and Password fields when the Sign AuthnRequest checkbox is enabled.
Thanks, Lalit
01-11-2018 07:13 AM
I am actually having the same issue. I do not have the Sign AuthRequest box checked. The encryption key alias and password are both correct. Any ideas? There have been no changes made to the SSO config of ServiceNow since we went live almost 5 months ago.
01-18-2018 09:15 AM
Hi Paul,
I would suggest you open an incident in HI so that we can look into your instance and better assist you.
Thanks, Lalit
01-10-2018 09:49 PM
Hi John,
Did you check the keystore password? In most cases, this is browser dependent. For example, most of the Mac browsers have this field blank; in IE the field has the word "null". Sometimes you have to manually enter the field data, and also use the XML file generated by our IdP (Ping Federated). Also, by default SSO uses the SAML certificate to make sure the communication is secure between the ServiceNow instance and your ADFS server. If you enable "Sign LogoutRequest" then you need to use another keystore to sign the request which will be sent to your ADFS server. ServiceNow provides an OOB keystore called "SAML 2.0 SP Keystore" on your instance, so the certificate embedded into the metadata in this case is from this keystore. This is to make sure your ADFS server can verify the request is from the trusted Service Provider. Whether or not you enable "Sign LogoutRequest", you can always click on the [Generate Metadata] button to generate the metadata.
Thanks,
Adi