Multi-provider SSO V2 with Edge Encryption Proxy - Support and Troubleshooting

Multi-provider SSO V2 with Edge Encryption Proxy Issue This article explains the necessary changes to be made in MultiSSOv2 Installation Exit script when using SSO v2 with Edge Encryption.

NOTE: This is applicable when using Edge Encryption in any of the following situation:

a) Upgrading from Multi-provider SSO V1

b) New implementation of Multi-provider SSO V2

Release New York and Later

Cause You see the following in logs:

WARNING *** WARNING *** SAML2: Assertion audience mismatch. Expected: https://instance.service-now.com, Actual: https://edge_enctryption_url:port_number SEVERE *** ERROR *** SAML2: SAML2ValidationError: AudienceRestriction validation failed. No matching audience found. SEVERE *** ERROR *** SAML2: Could not validate SAMLResponse Resolution Make the following changes to Installation Exit - MultiSSOv2:

FROM:

getIdPRecord: function(req) { var multiSSO = new SNC.GlideMultiSSO(); return multiSSO.resolveSSORecord(); } TO:

getIdPRecord: function(req) { var sso_id = SSO_Helper.getHeaderOrCookie(SNC.SSOUtils.SSOID()); var propGR = GlideSession.get().getProperty("test_saml_connection_gr"); if (sso_id) { var ssoBase = new GlideRecord("sso_properties"); ssoBase.addActiveQuery(); ssoBase.addQuery("sys_id", sso_id); ssoBase.queryNoDomain(); if (ssoBase.next()) { propGR = new GlideRecord(ssoBase.sys_class_name); propGR.addActiveQuery(); propGR.addQuery("sys_id", sso_id); propGR.queryNoDomain(); if (propGR.next()) { return propGR; } return null; } } } References:

How to implement Multiple Provider Single Sign-On v1 including an Edge Encryption Proxy URL login