Unable to generate metadata from SSO Identity Provider

John Reynolds
Mega Expert

I am unable to generate metadata from my ServiceNow instance when clicking on the "Generate Metadata" UI Action on a new Identity Provider record.

Steps to reproduce:

  1. Multiprovider SSO -> Identity Providers
  2. New
  3. Import my Identity Provider Metadata via XML and click Save
  4. Click on "Generate Metadata" button (next to "Test Connection")
  5. Opens a new tab with an empty text box that should contain instance metadata

I have the Identity Provider set to Active and Default and a valid x.509 Certificate associated with the IDP, however I am still getting nothing returned for metadata.

1 ACCEPTED SOLUTION

Hersh D
Mega Expert

If anyone else is facing this issue and the other replies in this thread didn't help you, then verify that:

1) The Signing/Encryption alias and the password configured on the identity provider config (saml2_update1_properties table) are valid and the same as the ones configured on the SAML 2.0 SP keystore record.

2) The system property 'glide.authenticate.sso.saml2.keystore' has a valid sys_id of the SAML 2.0 SP keystore record (sys_certificate). The system property might not be updated if you create a custom keystore for SAML/SSO setup or import certificate records from another instance.



Also try running this snippet / SSCCE as a background script - it's extracted from the AJAX scripts that get executed when you click the 'Generate Metadata' button (you can inspect the XMLHttpRequest triggered by that page to find the server side scripts called). If this background script throws an error, then that's your issue and fixing step #2 above should take care of it.



var idpSysId = '<sys-id-of-the-idp-config-record>'; // from the saml2_update1_properties table
var ssoHelper = new SSO_Helper(idpSysId, false, null, true); // helper bound to that IdP config record
var SAML2 = new SAML2_update1(ssoHelper);
gs.print(SAML2.generateKeyInfoXML()); // prints the KeyInfo XML built from the SP keystore; an error here points at the keystore property (step 2)


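The two checks from the accepted answer written out as a small diagnostic, added here as an example and not part of the thread or of ServiceNow's own code. It works on plain objects so it runs in Node; the column names signing_key_alias, signing_key_password, alias and key_store_password are assumptions standing in for the real fields, and the records would be loaded with GlideRecord when run as a background script.

```javascript
// Added example (not from the thread or from ServiceNow): encodes the two checks
// from the accepted answer as a function over plain objects. The field names
// signing_key_alias / signing_key_password / alias / key_store_password are
// assumptions standing in for the real columns; adapt them to your instance.
const SAML_KEYSTORE_PROPERTY = 'glide.authenticate.sso.saml2.keystore';
const SYS_ID_PATTERN = /^[0-9a-f]{32}$/i;

function checkSamlKeystoreConfig(idp, keystores, keystorePropertyValue) {
  const problems = [];
  const propertySysId = (keystorePropertyValue || '').trim();

  // Check 2: the property must hold the sys_id of an existing sys_certificate row.
  const keystore = SYS_ID_PATTERN.test(propertySysId)
    ? keystores.find((k) => k.sys_id.toLowerCase() === propertySysId.toLowerCase())
    : undefined;
  if (!keystore) {
    problems.push(`${SAML_KEYSTORE_PROPERTY}="${propertySysId}" is not the sys_id of a sys_certificate record`);
  }

  // Check 1: alias and password on the IdP record must match the keystore record.
  // A literal "null" or whitespace-only password is flagged too: some browsers
  // leave that in the field when the record is saved, as noted later in the thread.
  const password = idp.signing_key_password || '';
  if (!idp.signing_key_alias || !password.trim() || password.trim() === 'null') {
    problems.push('Signing/Encryption Key Alias or Password on the IdP record is empty or "null"');
  } else if (keystore) {
    if (idp.signing_key_alias !== keystore.alias) {
      problems.push(`IdP alias "${idp.signing_key_alias}" differs from keystore alias "${keystore.alias}"`);
    }
    if (password !== keystore.key_store_password) {
      problems.push('IdP Signing/Encryption Key Password differs from the keystore password');
    }
  }
  return problems;
}

// Constructed sample data (sys_id invented for the example): a healthy setup where
// the property points at the SP keystore and alias/password match the OOB value
// saml2sp, and a broken IdP record whose password was saved as the string "null".
const sampleKeystores = [
  { sys_id: '4e90fd6a2f3a11e9a0e3a1c2d3e4f506', name: 'SAML 2.0 SP Keystore', alias: 'saml2sp', key_store_password: 'saml2sp' },
];
const healthyIdp = { signing_key_alias: 'saml2sp', signing_key_password: 'saml2sp' };
const brokenIdp = { signing_key_alias: 'saml2sp', signing_key_password: 'null' };

console.log(checkSamlKeystoreConfig(healthyIdp, sampleKeystores, '4e90fd6a2f3a11e9a0e3a1c2d3e4f506')); // []
console.log(checkSamlKeystoreConfig(brokenIdp, sampleKeystores, '<sys-id-copied-from-another-instance>'));
```

An empty result means both conditions from the answer hold; anything else names the record and field to fix.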

7 REPLIES

lks
ServiceNow Employee

Hello John,



This appears when Sign AuthnRequest checkbox on your identity provider record is true and Signing/Encryption Key Alias and Password fields are empty or incorrect. The default OOB value for Signing/Encryption Key Alias and Signing/Encryption Key Password is saml2sp.



For quick testing purposes, uncheck the Sign AuthnRequest checkbox, save the identity provider record and try generating metadata again; it should help. When it helps, please make sure you have the correct values for the Signing/Encryption Key Alias and Password fields when the Sign AuthnRequest checkbox is enabled.



Thanks, Lalit


I am actually having the same issue. I do not have the Sign AuthnRequest box checked. The encryption key alias and password are both correct. Any ideas? There have been no changes made to the SSO config of ServiceNow since we went live almost 5 months ago.


lks
ServiceNow Employee

Hi Paul,


I would suggest you open an incident in HI so that we can look into your instance and better assist you.


Thanks, Lalit


Aditya Telideva
ServiceNow Employee

Hi John,


Did you check the keystore password? In most cases, this is browser dependent. For example, most of the Mac browsers leave this field blank; in IE the field has the word "null". Sometimes you have to manually enter the field data, and also use the XML file generated by our IdP (Ping Federate). Also, by default SSO uses the SAML certificate to make sure the communication is secure between the ServiceNow instance and your ADFS server. If you enable "Sign LogoutRequest" then you need to use another keystore to sign the request which will be sent to your ADFS server. ServiceNow provides an OOB keystore called "SAML 2.0 SP Keystore" on your instance, so the certificate embedded into the metadata in this case is from this keystore. This is to make sure your ADFS server can verify the request is from the trusted Service Provider. Whether or not you enable "Sign LogoutRequest", you can always click on the [Generate Metadata] button to generate the metadata.


Thanks,
Adi