Bypass Login page

ravi1_tandon
Tera Expert

OK Team,

I need some help urgently. One of our customers needs a set of users to automatically get authenticated without using SSO.

Basically, the requirement is that a set of users get an email and, when they click it, the email id (which is their user id) is used to check whether the user is a valid active user; if yes, they are taken directly to the service catalog page, bypassing ./logon.do.
I don't know any way of doing this without using SSO, so my question to the team is:

• Is it something possible?
• If yes, can someone please guide me on how to solve this puzzle? Any script to start with will be a definite help.
Hopefully, I will be able to get some response from the community.


david_legrand
Tera Guru

Hi Ravi,

It might be possible with a customization (even if I don't have it in my head at this moment), but I don't think the customer wants to have a huge security hole like that...

A few examples:
1) An email is sent to a group (or a caller and a watch list); will all recipients have an email with the same user_id prefilled in the address?
2) An email is forwarded to someone else (to a subcontractor), so the subcontractor will be able to connect to the instance with the internal user account?
3) You still need passwords (unless the customer doesn't need passwords); will these passwords attached to the email not be encrypted?
4) We do that for everyone, admin included, so anyone around the Earth could do everything with the instance.

I may be wrong, but doing SSO without an SSO solution, as the requirements say, is just a terrible idea from a security point of view (and no, a restriction by IP addresses isn't enough).
Once, we told the customer that the users just have to use the "password reminder", so they could connect easily without SSO (they just have to retype the password every time they change it).

Sorry, it might not be the answer you expected, but I hope it'll help you avoid a mistake (from my point of view).

Best regards,


ravi1_tandon
Tera Expert

Thanks David,

This is exactly what I asked when the requirement was given to me. I agree it will bring some security issues, but they want me to look into options. Also, as the requirement is not for all users, I was thinking I could set these specific users up with a specific (common) password, then somehow encrypt it and pass it on in the URL along with the user name (which is the email address of the user). We can create a special flag in the sys_user table and set it to true for these users.

Now on ./login.do, if the flag is true, the script will use the encrypted common password; if it is not, it will prompt the user for username and password.

I don't know how or where to start. Basically, I'm developing a prototype model for virtual SSO without using SSO. I am not preaching this practice and I am the first one to oppose it; however, I still have to try and provide a recommendation with the model, along with the risks involved, to the security team, and the expectation is that the prototype should be technically working so it can be tested by security 🙂

I am stuck and don't know where to start from... any help is greatly appreciated.


Jacob_Andersen
ServiceNow Employee

I shudder to answer this, as this should absolutely never be done, for security reasons. But to answer your questions and to give you an alternative....

- Can it be done? YES
- How would this be done?
This depends on what SSO solution you're currently using. In short, you go to the installation exits table and find the active one that overrides ExternalAuthentication. Open that script and you'll find the logic that is used for SSO. You'll need to add a check to that script that detects whether the user ID is passed in the query string. If so, you could simply authenticate the user without redirecting to SSO, or even without having the user authenticate himself.

Now, let's explore why this is a terrible idea, and another way to accomplish this without causing a security hole. By modifying the same installation exit script, you can still detect whether the user id was specified. If it is, then simply redirect to the side_door.do page, which will bypass SSO and allow the user to enter his local credentials (if he has any).

I hope this makes sense; make sure you explain the security issues to the customer very well :).


david_legrand
Tera Guru

Reminder: all this is purely theoretical, as we all strongly recommend not doing it (or please make the CIO/CISO sign a document saying "I understand the risks and I'll take full responsibility in case of damage").

Jacob: they don't have any SSO solution, apparently. I tried to look at the "login / side_door" functions (without SSO) but can't find them at all. Do you know if the code called in the "login page" is directly Java?
I also thought about your idea: activating the SSO plugin and rerouting the check to somehow activate login without SSO or entering a password. I don't know if it's totally possible, but it could be very smart and clever (as a theoretical idea).

Regards,