SAML SSO Login Fails When Attempted by the Edge Proxy URLDescription All login attempts fail when using the Edge Encryption Proxy URL after configuring authentication to take place by SAML Multi-Provider SSO. The instance is also configured to use Edge Proxy. The desire is to make SAML logins function, by the users accessing the system, by the Edge Encryption Proxy URL instance of the instance URL. Symptoms There are two symptoms, one or both of these will be seen in this scenario. (1) After activating "Enable debug logging for the multiple provider SSO integration" from Multi-Provider SSO -> Properties you see the following errors in the log when attempting SAML login: Error TypeError: Cannot convert null to an object. Error SAML2: Could not validate SAMLResponse: no thrown error Error Could not validate SAMLResponse Error SAML2: TypeError: Cannot convert null to an object.: no thrown error (2) You may see a SAML Request sent by the instance in the System Logs -> System Log -> All and/or in the SAML Tracer login extension available for Firefox, for example: SAML Request xml: <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" AssertionConsumerServiceURL="https://<edge_encryption_proxy_host>/navpage.do" Destination="https://ncservicenow.onelogin.com/trust/saml2/http-post/sso/502016" ForceAuthn="false" ID="SNCdfc46977cac7033aa13f79c5190e1be2" IsPassive="false" IssueInstant="2017-02-03T13:26:43.810Z" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" ProviderName="https://<edge_encryption_proxy_host>.service-now.com/navpage.do" Version="2.0"><saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://<edge_encryption_proxy_host></saml2:Issuer><saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/></saml2p:AuthnRequest> But no SAML Response is sent back by the Identity Provider (IdP) CauseFor Symptom (1) the issue is caused by a misconfiguration of the IdP record. For Symptom (2) the issue is caused by a misconfiguration of the IdP itself.ResolutionTo resolve Symptom (1) configure the IdP record making the following changes, from: ServiceNow Homepage -> https://<instance name>.service-now.com/navpage.do Entity ID / Issuer -> https://<instance name>.service-now.com Audience URI -> https://<instance name>.service-now.com To: ServiceNow Homepage -> https://<edge_encryption_proxy_host>/navpage.do Entity ID / Issuer -> https://<edge_encryption_proxy_host> Audience URI -> https://<edge_encryption_proxy_host> It is necessary to point those three IdP properties to the Edge Encryption hostname or IP address instead of the instance name hostname. To resolve Symptom (2) you must configure the IdP to accept the Edge Encryption <edge_encryption_proxy_host> value that will be appearing in the SAML Requests. As all Identity Providers are different and there are many different vendors, determining exactly what to change is the responsibility of the IdP administrator.