User Logged Out Immediately after SSO IdP Authentication via OIDC, OAuthProblemException access_denied in Logs


If a problem with the OIDC IdP configuration prevents the instance from connecting to the IdP via OAuth, the user will be 'logged out' of the ServiceNow instance immediately after successful authentication with the OIDC IdP. Note that being logged out immediately after successful authentication is a general symptom of ServiceNow<->IdP integration problems, so you need to check the logs to confirm this particular issue (raise a case with ServiceNow support).

Release or Environment

Paris release and newer


In Multi-Provider SSO->Administration->Properties, make sure debug logging is on. Make a test login attempt to reproduce the issue, then search the logs for lines similar to these (customers can get the logs via Node Log File Download, but often it's better to open a case and have ServiceNow support do this):

2021-08-12 18:52:15 (944) Default-thread-12 9F65DEB3DB313CD02B8B2637059619EE txid=7885d2f7db31 OUTBOUND_HTTP: protocol=HTTP/1.1 response_status=401 response_time=565 request_length=280 response_length=60 app_scope=global session_id=9F65DEB3DB313CD02B8B2637059619EE transaction_name="#1611233 /" transaction_id=7885d2f7db313cd02b8b2637059619a3 user_name=guest mid_server= source_table=sys_installation_exit source_record=1125a5720b21230001d36c4d37673a7d method=POST log_level=Basic scheme=https path=/oauth/token url=
2021-08-12 18:52:15 (946) Default-thread-12 9F65DEB3DB313CD02B8B2637059619EE txid=7885d2f7db31 OAuthProblemException{error='access_denied', description='Unauthorized', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}


If this is confirmed as the issue, check that the Client ID and Client Secret values on the OAuth OIDC Entity [oauth_oidc_entity] record associated with the OIDC IdP record are correct (the admin or vendor of your IdP will be able to confirm the correct values).
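The log search described above can be scripted once a node log has been downloaded. The following is an added example, not ServiceNow code: it pairs the OUTBOUND_HTTP 401 and the OAuthProblemException access_denied lines by their shared txid. The function name, the regular expressions and the assumption that the token endpoint path ends in /token are illustrative.

```python
import re

# First two lines are abridged from the log excerpt above; the last two are
# constructed negative cases (a successful token call, a different OAuth error).
SAMPLE_LOG = """\
2021-08-12 18:52:15 (944) Default-thread-12 9F65DEB3DB313CD02B8B2637059619EE txid=7885d2f7db31 OUTBOUND_HTTP: protocol=HTTP/1.1 response_status=401 response_time=565 method=POST log_level=Basic scheme=https path=/oauth/token url=
2021-08-12 18:52:15 (946) Default-thread-12 9F65DEB3DB313CD02B8B2637059619EE txid=7885d2f7db31 OAuthProblemException{error='access_denied', description='Unauthorized', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}
2021-08-12 18:53:02 (101) Default-thread-3 AAAA0000BBBB1111CCCC2222DDDD3333 txid=aaaa1111bbbb OUTBOUND_HTTP: protocol=HTTP/1.1 response_status=200 response_time=120 method=POST log_level=Basic scheme=https path=/oauth/token url=
2021-08-12 18:54:40 (310) Default-thread-7 EEEE4444FFFF5555AAAA6666BBBB7777 txid=cccc2222dddd OAuthProblemException{error='invalid_grant', description='Bad code', uri='null', state='null', scope='null', redirectUri='null', responseStatus=0, parameters={}}
"""

TXID = re.compile(r"\btxid=(\w+)")
HTTP = re.compile(r"OUTBOUND_HTTP:.*\bresponse_status=(\d+).*\bpath=(\S+)")
OAUTH = re.compile(r"OAuthProblemException\{error='([^']*)', description='([^']*)'")


def find_token_auth_failures(log_text):
    """Return transactions showing both a 401 from the token endpoint and access_denied."""
    seen = {}
    for line in log_text.splitlines():
        m = TXID.search(line)
        if not m:
            continue  # line carries no transaction id, cannot be correlated
        rec = seen.setdefault(
            m.group(1),
            {"timestamp": line[:19], "http_401": False, "access_denied": False},
        )
        http = HTTP.search(line)
        # Assumption: the IdP token endpoint path ends in /token, as in the excerpt.
        if http and http.group(1) == "401" and http.group(2).endswith("/token"):
            rec["http_401"] = True
        oauth = OAUTH.search(line)
        if oauth and oauth.group(1) == "access_denied":
            rec["access_denied"] = True
    return [
        {"txid": txid, "timestamp": rec["timestamp"]}
        for txid, rec in seen.items()
        if rec["http_401"] and rec["access_denied"]
    ]


if __name__ == "__main__":
    for hit in find_token_auth_failures(SAMPLE_LOG):
        print(f"{hit['timestamp']} txid={hit['txid']}: token endpoint returned 401 with "
              "access_denied; verify Client ID and Client Secret on oauth_oidc_entity")
```

Requiring both lines under one txid avoids flagging unrelated 401 responses or other OAuth errors that also appear while debug logging is on.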

Additional Information

For SSO IdP authentication via OIDC to work, you may need to be on v2 of the Multi-Provider SSO plugin. Instructions to upgrade: Upgrade instructions for the New York Multi-SSO plugin