Cannot log in with SSO using SAML (Multi-SSO) & ADFS 2.0 (Error 364 & 303)

shawhan1126
Giga Contributor

We recently upgraded to Geneva Patch 3 and started having issues with our SAML SSO. We upgraded to Multi-Provider SSO and are still unable to single sign on when going directly to https://instancename.service-now.com; however, if we navigate to https://adfs.america/adfs/ls/idpinitiatedsignon.aspx and select ServiceNow from the dropdown, we can log in. This is the error message in ServiceNow when we are unable to log in (No Deep Linking and loginRedirectURL:Null errors):

[screenshot: SN.jpg]

On the ADFS server side this is Error 303:

The Federation Service encountered an error while processing the SAML authentication request.

Additional Data
Exception details:
Microsoft.IdentityModel.Protocols.XmlSignature.SignatureVerificationFailedException: MSIS0038: SAML Message has wrong signature. Issuer: 'https://dev.service-now.com'.
    at Microsoft.IdentityServer.Protocols.Saml.Contract.SamlContractUtility.CreateSamlMessage(MSISSamlBindingMessage message)
    at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.CreateErrorMessage(CreateErrorMessageRequest createErrorMessageRequest)
    at Microsoft.IdentityServer.Service.SamlProtocol.SamlProtocolService.ProcessRequest(Message requestMessage)

And this is Error 364 (we get two different versions):

Encountered error during federation passive request.

Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)

System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)

--------------------------------------------------------------------------------

Encountered error during federation passive request.

Additional Data
Exception details:
Microsoft.IdentityServer.Web.RequestFailedException: An error occurred during the return of an error to the SAML Service Provider. ---> Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
    at Microsoft.IdentityServer.Web.Dispatchers.SamlErrorDispatcher.DispatchInternal(PassiveContext context)
    --- End of inner exception stack trace ---

Microsoft.IdentityServer.Web.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
    --- End of inner exception stack trace ---
    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)
    at Microsoft.IdentityServer.Web.Dispatchers.SamlErrorDispatcher.DispatchInternal(PassiveContext context)

System.ServiceModel.FaultException: The creator of this fault did not specify a Reason.
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClientManager.ProcessRequest(Message request)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest(MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.ProcessRequest[T](MSISSamlRequest samlRequest)
    at Microsoft.IdentityServer.Protocols.Saml.Contract.MSISSamlProtocolContractClient.CreateErrorMessage(HttpSamlMessage httpSamlMessage, SamlStatus status)
    at Microsoft.IdentityServer.Web.FederationPassiveAuthentication.SendSamlError(SamlStatus status)

--------------------------------------------------------------------------------

We have tried many different things. We thought it could be related to the Java keystore, which we redid; we also regenerated the metadata and recreated the Relying Party trust on the ADFS server. The strange behavior is that from within Multi-Provider SSO -> Identity Providers -> SAML2 Update1, we are able to test the connection with no errors. Users are also able to log in with a single click to this URL as well: https://adfs.americas/adfs/ls/idpinitiatedsignon.aspx?loginToRp=https://company.service-now.com

Any help would be greatly appreciated!

1 ACCEPTED SOLUTION

shawhan1126
Giga Contributor

We have found the solution to this annoying issue. In the SAML2 Update 1 Properties, you need to uncheck Sign AuthnRequest. Do note: by doing this your metadata will be different. You can either regenerate the metadata and recreate the relying party trust on the ADFS server, or, more easily, run the following elevated PowerShell command on the ADFS server after you uncheck the Sign AuthnRequest box in ServiceNow.

# Tell ADFS to stop requiring signed AuthnRequests from this relying party
Set-AdfsRelyingPartyTrust -TargetIdentifier "https://company.service-now.com" -SignedSamlRequestsRequired $false
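The accepted answer works by turning request signing off, which means ADFS will from then on accept unsigned AuthnRequests for that trust. The MSIS0038 "SAML Message has wrong signature" event in the question is what ADFS logs when the certificate it holds for the relying party does not match the one the service provider is actually signing with, so before (or instead of) relaxing the trust it is worth checking whether the two sides simply disagree on the certificate. The following PowerShell is an added diagnostic written for this thread, not code from the original post or from ServiceNow or Microsoft; it assumes the ServiceNow SP metadata has been saved to `C:\temp\servicenow-sp-metadata.xml` (an assumed path) and uses the relying party identifier from the thread. It runs on the ADFS server in an elevated session.

```powershell
# Added example, not from the original post. Assumptions: the ServiceNow SP
# metadata has been exported to C:\temp\servicenow-sp-metadata.xml (assumed
# path) and the relying party identifier is https://company.service-now.com
# (taken from the thread). Run elevated on the ADFS server.
Import-Module ADFS

$rpIdentifier = 'https://company.service-now.com'
$metadataPath = 'C:\temp\servicenow-sp-metadata.xml'

# 1. What does ADFS currently hold for this relying party?
$rp = Get-AdfsRelyingPartyTrust -Identifier $rpIdentifier
if (-not $rp) { throw "No relying party trust found for $rpIdentifier" }

Write-Output "SignedSamlRequestsRequired : $($rp.SignedSamlRequestsRequired)"
Write-Output "Request signing cert(s) trusted by ADFS:"
$rp.RequestSigningCertificate | ForEach-Object {
    Write-Output "  $($_.Thumbprint)  $($_.Subject)  expires $($_.NotAfter)"
}

# 2. Which certificate does the SP metadata say it signs AuthnRequests with?
#    PowerShell's XML adapter resolves elements by local name, so the md:/ds:
#    prefixes in SAML metadata do not need a namespace manager here.
[xml]$metadata = Get-Content -Path $metadataPath -Raw
$spKeyDescriptors = @($metadata.EntityDescriptor.SPSSODescriptor.KeyDescriptor) |
    Where-Object { -not $_.use -or $_.use -eq 'signing' }   # no 'use' means both

$spSigningCerts = foreach ($kd in $spKeyDescriptors) {
    $b64 = ($kd.KeyInfo.X509Data.X509Certificate -replace '\s', '')
    [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
        [Convert]::FromBase64String($b64))
}
Write-Output "Signing cert(s) published in SP metadata:"
$spSigningCerts | ForEach-Object { Write-Output "  $($_.Thumbprint)  $($_.Subject)" }

# 3. Compare thumbprints. A certificate the SP signs with but ADFS does not
#    hold explains MSIS0038 on signed AuthnRequests; updating the trust keeps
#    request signing in place instead of disabling it.
$adfsThumbs = @($rp.RequestSigningCertificate | ForEach-Object Thumbprint)
$spThumbs   = @($spSigningCerts | ForEach-Object Thumbprint)
$missing    = @($spThumbs | Where-Object { $adfsThumbs -notcontains $_ })

if ($missing.Count -gt 0) {
    Write-Output "ADFS does not hold these SP signing cert(s): $($missing -join ', ')"
    Write-Output "To keep requests signed, load the metadata cert(s) into the trust:"
    Write-Output "  Set-AdfsRelyingPartyTrust -TargetIdentifier '$rpIdentifier' -RequestSigningCertificate `$spSigningCerts"
} elseif ($rp.SignedSamlRequestsRequired) {
    Write-Output "Certificates match; ADFS requires and can verify signed AuthnRequests."
} else {
    Write-Output "Certificates match, but ADFS currently accepts unsigned AuthnRequests for this trust."
}
```

The script only reads the trust; the `Set-AdfsRelyingPartyTrust -RequestSigningCertificate` line it prints is the change to apply if the thumbprints differ. If they already match and ADFS still logs MSIS0038, the mismatch is elsewhere (for example a stale certificate in the ServiceNow keystore), and the thread's `-SignedSamlRequestsRequired $false` workaround trades that verification away for a working login, which is worth recording as a known deviation for the trust.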

3 REPLIES

Hi Shawhan,

We are going to upgrade from SAML 2 Single Sign-On Update 1 to Multi-Provider SSO so that end users can use my portal page as public.

I don't know much about ADFS. We have SAML 2 Single Sign-On in the production instance only, not in dev and test.

What steps do I need to take for installing SSO? Would you please let me know the instructions in detail, so that I can handle it.

Thanks,
Sravan.

Good day Sravan, I apologize for the late reply, but were you able to figure out your SAML issue? If not, the two links should help you get started.

http://wiki.servicenow.com/index.php?title=External_Authentication_(Single_Sign-On_-_SSO)#gsc.tab=0