Errors for which to validate your Multiple-Provider single sign-on configuration

Description

When authenticating with SAML, some errors appear in the system logs (syslog) and in the localhost log of your instance. If Multiple-Provider single sign-on (SSO) is active on your instance, the following are the most common errors found.

Errors in the instance localhost log or the system logs (syslog):

- Assertion audience mismatch. Expect: <value on instance>, actual: <value returned by IdP>
- Assertion is expired, now: <now>, notOnOrAfter: <notOnOrAfter>
- Assertion is valid in the future, now: <now>, notBefore: <notBefore>
- Assertion issuer is invalid. Expect: <value on instance>, actual: <value returned by IdP>
- Attachment is missing for certificate from DB: SAML 2.0 SP Keystore.
- AudienceRestriction validation failed. No matching audience found.
- Certificates don't match. Expect: <certStr>, actual: <inboundCert>
- Could not find a digital signature stored in the ServiceNow instance.
- Failure to check the validity of the certificate.
- Failure to validate signature profile. Index: 0
- Could not validate SAMLResponse. The SAMLResponse may contain <xenc:CipherData>...</xenc:CipherData> in the XML payload.
- InResponseTo attribute in SubjectConfirmationData mismatch. Expect: <inResponseTo>, actual: <inResponseTo>.
- InvocationTargetException: javax.security.cert.CertificateException: Could not parse certificate: java.io.EOFException: Detect premature EOF.
- InvocationTargetException: javax.security.cert.CertificateException: Could not parse certificate: java.io.IOException: DerInputStream.getLength(): lengthTag=127, too big.
- No valid SubjectConfirmation found.
- NotAfter: <Thu Jun 05 22:57:44 PDT 2014>
- org.xml.sax.SAXParseException: Content is not allowed in prolog
- SAML2ValidationError: Signature did not validate against the credential's key.
- SessionIndex value not found: <message>...
- Subject is expired. Now: <now>, NotOnOrAfter: <notOnOrAfter>
- Subject is valid in the future. Now: <now>, NotBefore: <notBefore>
- Unable to locate SAML 2.0 certificate

Additional error messages for which you can contact your IdP with confidence (common login or Identity Provider (IdP) errors raised when the IdP does not accept the SAML request sent):

- Authentication fails and the login request generates an infinite loop between the system and the IdP (for example, when High Security is active on the IdP).
- SAML requests are signed with an rsa-sha256 algorithm while the instance expects rsa-sha128, or the opposite. Check the IdP Alert Context tab for event details. The signature algorithm looks like http://www.w3.org/2001/04/xmldsig-more#rsa-sha256 or http://www.w3.org/2000/09/xmldsig#rsa-sha1.
- The SAML response contains urn:oasis:names:tc:SAML:2.0:status:Responder.

To review the errors in the system logs:

1. Enable MultiSSO debug: in sys_properties, create or set the record glide.authenticate.multisso.debug to true.
2. In your instance system logs (syslog), search for records created today whose Source starts with SAML.

Note: This is a typical search for errors in the logs:
<instance>/syslog_list.do?sysparm_query=sys_created_onONToday%40javascript%3Ags.beginningOfToday()%40javascript%3Ags.endOfToday()%5EsourceSTARTSWITHSAML%5Elevel!%3D0

Cause

Most of these errors are caused by misconfiguration of the Multiple-Provider Single sign-on (SSO) components on either the instance or the IdP, by certificate changes, or by cookies stored in the browser.

Resolution

Log in to the instance using a local administrator account. Then use the "Test connection" button on the Identity Provider (IdP) record among the Multi-Provider SSO records (sso_properties table), using the login credentials of the user experiencing the problem. This provides more detail about the area of the problem.

Note: If you are having authentication problems after a clone, see KB0657100.
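As an added illustration, not ServiceNow code, the following Python stand-in performs the checks behind the first group of messages above (issuer, Conditions NotBefore/NotOnOrAfter, audience, SubjectConfirmationData InResponseTo and NotOnOrAfter) and reports them with message text modelled on that list. The sample assertion, issuer, audience and request ID are constructed values; signature and certificate checks are left out because they need the IdP certificate.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Constructed sample assertion and expected values (not from a real IdP or instance).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0">
  <saml:Issuer>https://idp.example.com/metadata</saml:Issuer>
  <saml:Subject><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="_req123" NotOnOrAfter="2024-03-01T10:05:00Z"/>
  </saml:SubjectConfirmation></saml:Subject>
  <saml:Conditions NotBefore="2024-03-01T09:58:00Z" NotOnOrAfter="2024-03-01T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>https://dev.example.service-now.com</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""
EXPECTED = {"issuer": "https://idp.example.com/metadata",
            "audience": "https://dev.example.service-now.com", "in_response_to": "_req123"}

def saml_time(value):
    # SAML timestamps are UTC with a trailing Z, e.g. 2024-03-01T10:00:00Z
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_assertion(xml_text, expected, now):
    # Stand-in for the instance-side checks; returns the failures, empty when all pass.
    # Signature and certificate checks are left out (they need the IdP certificate).
    errors = []
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        # Not XML at all (still base64, or junk before <?xml): "Content is not allowed in prolog"
        return [f"Could not validate SAMLResponse: {exc}"]
    issuer = (root.findtext(SAML + "Issuer") or "").strip()
    if issuer != expected["issuer"]:
        errors.append(f"Assertion issuer is invalid. Expect: {expected['issuer']}, actual: {issuer}")
    cond = root.find(SAML + "Conditions")
    if cond is not None:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < saml_time(nb):  # usually clock skew between IdP and instance
            errors.append(f"Assertion is valid in the future, now: {now}, notBefore: {nb}")
        if noa and now >= saml_time(noa):
            errors.append(f"Assertion is expired, now: {now}, notOnOrAfter: {noa}")
        audiences = [a.text.strip() for a in cond.iter(SAML + "Audience") if a.text]
        if expected["audience"] not in audiences:
            errors.append(f"Assertion audience mismatch. Expect: {expected['audience']}, actual: {audiences}")
    scd = root.find(f"{SAML}Subject/{SAML}SubjectConfirmation/{SAML}SubjectConfirmationData")
    if scd is None:
        errors.append("No valid SubjectConfirmation found.")
    else:
        if scd.get("InResponseTo") != expected["in_response_to"]:
            errors.append(f"InResponseTo attribute in SubjectConfirmationData mismatch. Expect: {expected['in_response_to']}, actual: {scd.get('InResponseTo')}")
        if scd.get("NotOnOrAfter") and now >= saml_time(scd.get("NotOnOrAfter")):
            errors.append(f"Subject is expired. Now: {now}, NotOnOrAfter: {scd.get('NotOnOrAfter')}")
    return errors
```

Running it with a clock inside the validity window and matching expected values returns an empty list; moving the clock, the audience or the request ID reproduces the corresponding messages, which is a quick way to see which instance-side setting each log line is comparing against.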