401 error and infinite loop when loading CMS URL after ExternalAuthentication SSO using SiteMinder



Problem
Loading a CMS site after ExternalAuthentication SSO using SiteMinder results in a 401 error and an infinite loop.

  

Symptoms
Launching a CMS site URL (for example, https://<instance>.service-now.com/ess) when the instance is integrated with SSO using SiteMinder can cause an infinite loop, with 401 Unauthorized errors shown in the Chrome Developer Tools console.




 
Cause
This issue only occurs when SAML (glide.authenticate.external) is enabled and the specific configuration below is in place:

For the above scenario, the glide.authenticate.failed_requirement_redirect property needs to be set to a static page; otherwise, the request goes into the authentication loop.


Warning: The glide.authenticate.failed_requirement_redirect property should be set to the URL of the IdP login page or a company portal page outside of ServiceNow.


Resolution

This issue can be resolved using these steps:

  1. Set view_content to true.
  2. Set glide.authenticate.failed_requirement_redirect to the URL of the IdP login page.

Another possible solution is to use this configuration:

  1. Set the glide.authenticate.failed_requirement_redirect system property to the URL of the IdP login page or a company portal page outside of ServiceNow.
  2. Add the glide.ui.rotate_sessions system property.
    Product documentation reference: https://docs.servicenow.com/csh?topicname=c_HighSecuritySettings.html&version=latest 
  3. Rotate HTTP session identifiers to reduce security vulnerabilities.
    See: https://www.owasp.org/index.php/Session_Management#Rotate_Session_Identifiers
  4. Set Default: Yes

Note: If you are using the SAML 2.0 plugin for single sign-on authentication, set this feature to false. Otherwise, it interferes with the session information sharing that takes place between ServiceNow and the identity provider.
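The checks described in the Cause, Warning, and Note above can be run as a small audit over exported property values. This is an added example for Node.js, not ServiceNow code. The function name, its parameters, and the sample values are hypothetical, and "outside of ServiceNow" is approximated as "host differs from the instance host".

```javascript
// Added example: audit the system properties named in this article for the
// conditions it ties to the 401 authentication loop.
// props: plain object of property name -> string value (exported from the instance).
// instanceHost and usesSaml2Plugin are hypothetical parameters supplied by the caller.
function auditSsoRedirect(props, instanceHost, usesSaml2Plugin) {
  const findings = [];
  const isTrue = (name) => String(props[name]).toLowerCase() === 'true';

  // Per the article, the loop only occurs when external authentication is enabled.
  if (!isTrue('glide.authenticate.external')) {
    return findings;
  }

  const target = (props['glide.authenticate.failed_requirement_redirect'] || '').trim();
  if (!target) {
    findings.push('failed_requirement_redirect is not set');
  } else {
    let url = null;
    try {
      url = new URL(target); // throws on relative values such as "/ess"
    } catch (e) {
      findings.push('failed_requirement_redirect is not an absolute URL');
    }
    // Assumption: a redirect back to the instance host re-enters authentication.
    if (url && url.hostname === instanceHost.toLowerCase()) {
      findings.push('failed_requirement_redirect points back at the instance');
    }
  }

  // Per the Note: with the SAML 2.0 plugin, session rotation must be false.
  if (usesSaml2Plugin && isTrue('glide.ui.rotate_sessions')) {
    findings.push('glide.ui.rotate_sessions is true with the SAML 2.0 plugin in use');
  }
  return findings;
}

// Constructed sample values, not taken from a real instance.
const sampleProps = {
  'glide.authenticate.external': 'true',
  'glide.authenticate.failed_requirement_redirect': 'https://example.service-now.com/ess',
  'glide.ui.rotate_sessions': 'true',
};
console.log(auditSsoRedirect(sampleProps, 'example.service-now.com', true));
```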