User Logged Out Immediately after SSO IdP Authentication via OIDC, OAuthProblemException access_denied in Logs


Description

If a problem with the OIDC IdP configuration prevents the instance from connecting to the IdP via OAuth, the user is 'logged out' of the ServiceNow instance immediately after authenticating successfully with the OIDC IdP. Note that being logged out immediately after successful IdP authentication is a general symptom of ServiceNow<->IdP integration problems; to confirm this particular issue you need to check the logs (raise a case with ServiceNow support).

Release or Environment

Paris release and newer

Cause

In Multi-Provider SSO -> Administration -> Properties, make sure debug logging is on. Do a test login attempt to reproduce the issue, then search the logs for lines similar to the following (customers can get the logs via Node Log File Download, but it is often better to open a case and have ServiceNow support do this):

2021-08-12 18:52:15 (944) Default-thread-12 9F65DEB3DB313CD02B8B2637059619EE txid=7885d2f7db31 OUTBOUND_HTTP: protocol=HTTP/1.1 response_status=401 response_time=565 request_length=280 response_length=60 app_scope=global session_id=9F65DEB3DB313CD02B8B2637059619EE transaction_name="#1611233 /navpage.do" transaction_id=7885d2f7db313cd02b8b2637059619a3 user_name=guest mid_server= source_table=sys_installation_exit source_record=1125a5720b21230001d36c4d37673a7d system_id=app130024.ycg3.service-now.com:examplecom010 method=POST log_level=Basic scheme=https hostname=example.com.oidc-idp.com path=/oauth/token url=https://example.com.oidc-idp.com/oauth/token
2021-08-12 18:52:15 (946) Default-thread-12 9F65DEB3DB313CD02B8B2637059619EE txid=7885d2f7db31 OAuthProblemException{error='access_denied', description='Unauthorized', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}
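
The two log lines above are the signature to look for: an OUTBOUND_HTTP POST to the IdP's /oauth/token path answered with response_status=401, followed within the same txid by an OAuthProblemException with error='access_denied'. The script below is an added example (not part of this article and not ServiceNow code) that triages a downloaded node log the same way a support engineer would by eye: it parses the key=value fields of each OUTBOUND_HTTP line, correlates token-endpoint calls with OAuthProblemException lines by txid, and reports which transactions match this article's pattern. The sample log is constructed from the two lines quoted above plus a made-up successful token exchange (txid 0123456789ab) so the negative case is also exercised.

```python
import re
from collections import defaultdict

# Constructed sample log. The first two lines are the ones quoted in this article;
# the third is a made-up successful token exchange (hypothetical txid/session values)
# so the triage has a healthy transaction to compare against.
SAMPLE_LOG = """\
2021-08-12 18:52:15 (944) Default-thread-12 9F65DEB3DB313CD02B8B2637059619EE txid=7885d2f7db31 OUTBOUND_HTTP: protocol=HTTP/1.1 response_status=401 response_time=565 request_length=280 response_length=60 app_scope=global session_id=9F65DEB3DB313CD02B8B2637059619EE transaction_name="#1611233 /navpage.do" transaction_id=7885d2f7db313cd02b8b2637059619a3 user_name=guest mid_server= source_table=sys_installation_exit source_record=1125a5720b21230001d36c4d37673a7d system_id=app130024.ycg3.service-now.com:examplecom010 method=POST log_level=Basic scheme=https hostname=example.com.oidc-idp.com path=/oauth/token url=https://example.com.oidc-idp.com/oauth/token
2021-08-12 18:52:15 (946) Default-thread-12 9F65DEB3DB313CD02B8B2637059619EE txid=7885d2f7db31 OAuthProblemException{error='access_denied', description='Unauthorized', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}
2021-08-12 18:53:02 (101) Default-thread-14 0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C0C txid=0123456789ab OUTBOUND_HTTP: protocol=HTTP/1.1 response_status=200 response_time=412 request_length=280 response_length=1180 app_scope=global user_name=guest method=POST log_level=Basic scheme=https hostname=example.com.oidc-idp.com path=/oauth/token url=https://example.com.oidc-idp.com/oauth/token
"""

# key=value pairs; values are either double-quoted (may contain spaces) or a run of non-space
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')
TXID_RE = re.compile(r'\btxid=([0-9a-fA-F]+)')
OAUTH_EXC_RE = re.compile(r"OAuthProblemException\{error='([^']*)', description='([^']*)'")


def parse_kv(line):
    """Return the key=value fields of an OUTBOUND_HTTP line as a dict, quotes stripped."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def triage_oidc_log(text):
    """Correlate IdP token-endpoint calls with OAuthProblemException lines by txid.

    Returns one finding per txid that made an outbound call to an /oauth/token path,
    with a verdict for the 401 + access_denied pattern described in this article.
    """
    token_calls = {}                # txid -> parsed OUTBOUND_HTTP fields for the token call
    exceptions = defaultdict(list)  # txid -> list of OAuthProblemException details
    for line in text.splitlines():
        m = TXID_RE.search(line)
        if not m:
            continue
        txid = m.group(1)
        if 'OUTBOUND_HTTP:' in line:
            fields = parse_kv(line)
            if fields.get('path', '').endswith('/oauth/token'):
                token_calls[txid] = fields
        exc = OAUTH_EXC_RE.search(line)
        if exc:
            exceptions[txid].append({'error': exc.group(1), 'description': exc.group(2)})

    findings = []
    for txid, call in token_calls.items():
        status = int(call.get('response_status') or 0)
        errors = [e['error'] for e in exceptions.get(txid, [])]
        if status == 401 and 'access_denied' in errors:
            verdict = ('IdP rejected the token request with 401/access_denied: verify Client ID '
                       'and Client Secret on the oauth_oidc_entity record for this IdP')
        elif status == 200 and not errors:
            verdict = 'token exchange succeeded'
        else:
            verdict = 'token endpoint returned %d with errors %s; inspect the IdP response' % (status, errors)
        findings.append({'txid': txid, 'idp_host': call.get('hostname'),
                         'status': status, 'errors': errors, 'verdict': verdict})
    return findings


if __name__ == '__main__':
    for f in triage_oidc_log(SAMPLE_LOG):
        print('%s %s %d %s' % (f['txid'], f['idp_host'], f['status'], f['verdict']))
```

Run it against a real node log by replacing SAMPLE_LOG with the file contents; correlating on txid rather than on timestamps matters because several login attempts can land on the same thread within the same second, and the exception line itself carries responseStatus=0, so the HTTP status has to come from the OUTBOUND_HTTP line.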


Resolution

If this is confirmed as the issue, check that the Client ID and Client Secret values on the OAuth OIDC Entity [oauth_oidc_entity] record associated with the OIDC IdP record are correct (the administrator or vendor of your IdP can confirm the correct values).

Additional Information

For SSO IdP authentication via OIDC to work, you may need to be on v2 of the Multi-Provider SSO plugin. Instructions to upgrade: Upgrade instructions for the New York Multi-SSO plugin