Troubleshooting SAML Errors using Chrome Developer Tools "Network" Trace and SAML Chrome Panel when configuring Multi-Provider SSO in ServiceNow


Description

Multi-Provider SSO has been configured in the ServiceNow instance. However, users are unable to log in to the instance with error messages:

Release or Environment

Instructions

Using a Chrome Extension - SAML Chrome Panel

This is an Open Source SAML debugger for Chrome which extends the Developer Tools, adding support for SAML Requests and Responses to be displayed in the Developer Tools window. It operates as another panel in the Chrome Developer Tools section, which monitors the traffic in the current active tab.

Please note: This is an open source SAML debugger tool and is not provided by ServiceNow. Please consult your IT department before adding it to the Chrome browser in order to comply with your company's IT policies.

  • Install the SAML Chrome Panel extension by adding it to Chrome
  • In Chrome, go to More Tools -> Developer Tools (F12) -> click on the "SAML" tab.

  • Reproduce the login issue in the browser; the extension captures and displays the SAML assertions
  • This extension can also be enabled in Incognito mode. To do that, right-click on the extension -> Manage Extensions -> turn on "Allow in incognito"

How to capture:

  1. Close Chrome and open a new window in Incognito mode
  2. Open the SAML trace tab in Developer Tools
  3. Paste the instance URL
  4. Click on "Use external login" and input the credentials if Auto-redirect is not set for the IDP
  5. If SAML SSO works fine, you should get redirected back to the ServiceNow homepage (navpage.do)
  6. If SAML SSO fails, check the SAML Request and Response tabs for information
  7. You can export the SAML trace file to a ".json" format file by clicking the "export" button

Using Chrome Developer Tools "Network" Trace

If you are unable to use Chrome extensions, you can use the built-in Network tab in the Developer Tools to troubleshoot SAML Responses.

How to capture:

  1. Close Chrome and open a new window in Incognito mode
  2. Open the Network tab in Developer Tools and make sure "Preserve log" and "Disable cache" are checked
  3. Paste the instance URL
  4. Click on "Use external login" and input the credentials if Auto-redirect is not set for the IDP
  5. If SAML SSO works fine, you should get redirected back to the ServiceNow homepage (navpage.do)
  6. If SAML SSO fails, click on the red button to stop recording.
  7. You can export the network trace file to a ".har" format file by right-clicking on any record and selecting "Save all as HAR with content"

You can provide these files to Support for further analysis.
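To read the exported ".har" file yourself, the SAML messages have to be pulled out of the recorded requests and decoded. The following Python sketch is an added example, not ServiceNow code or part of the original article; the hostnames and the sample trace in `sample_har()` are constructed placeholders.

```python
import base64, zlib, xml.etree.ElementTree as ET
from urllib.parse import parse_qsl, urlencode, urlsplit

NS = {"p": "urn:oasis:names:tc:SAML:2.0:protocol", "a": "urn:oasis:names:tc:SAML:2.0:assertion"}

def decode_saml(value, deflated):
    """Base64-decode a SAML parameter; HTTP-Redirect values are raw-DEFLATE compressed too."""
    raw = base64.b64decode(value)
    return (zlib.decompress(raw, -15) if deflated else raw).decode("utf-8")

def summarize(xml_text):
    # Fields usually compared against the SSO configuration; absent ones come back as None.
    root = ET.fromstring(xml_text)  # your own capture; use defusedxml for untrusted XML
    status = root.find("p:Status/p:StatusCode", NS)
    cond = root.find(".//a:Conditions", NS)
    return {"message": root.tag.split("}")[-1],
            "issuer": root.findtext("a:Issuer", None, NS),
            "destination": root.get("Destination"),
            "status": status.get("Value").rsplit(":", 1)[-1] if status is not None else None,
            "audience": root.findtext(".//a:Audience", None, NS),
            "not_on_or_after": cond.get("NotOnOrAfter") if cond is not None else None}

def saml_from_har(har):
    """Summarize every SAMLRequest/SAMLResponse found in a parsed HAR (json.load output)."""
    found = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        body = (req.get("postData") or {}).get("text") or ""
        for params, deflated in ((parse_qsl(urlsplit(req["url"]).query), True),  # HTTP-Redirect
                                 (parse_qsl(body), False)):                      # HTTP-POST
            for name, value in params:
                if name in ("SAMLRequest", "SAMLResponse"):
                    found.append({"param": name, "host": urlsplit(req["url"]).hostname,
                                  **summarize(decode_saml(value, deflated))})
    return found

def sample_har():
    """Constructed HAR, placeholder hosts: one redirect AuthnRequest, one failed POST Response."""
    ns = 'xmlns:samlp="%s" xmlns:saml="%s"' % (NS["p"], NS["a"])
    authn = ('<samlp:AuthnRequest %s Destination="https://idp.example.com/sso">'
             '<saml:Issuer>https://instance.example.com</saml:Issuer></samlp:AuthnRequest>' % ns)
    resp = ('<samlp:Response %s Destination="https://instance.example.com/navpage.do">'
            '<saml:Issuer>https://idp.example.com</saml:Issuer><samlp:Status><samlp:StatusCode '
            'Value="urn:oasis:names:tc:SAML:2.0:status:Responder"/></samlp:Status></samlp:Response>' % ns)
    packed = zlib.compress(authn.encode())[2:-4]  # strip zlib header/checksum -> raw DEFLATE
    b64 = lambda data: base64.b64encode(data).decode()
    return {"log": {"entries": [
        {"request": {"url": "https://idp.example.com/sso?" + urlencode({"SAMLRequest": b64(packed)})}},
        {"request": {"url": "https://instance.example.com/navpage.do",
                     "postData": {"text": urlencode({"SAMLResponse": b64(resp.encode())})}}}]}}
```

On a real capture, load the file with `json.load` and pass the result to `saml_from_har`. A HAR saved with content also records the cookies and posted form fields from the session, not only the SAML messages.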