ATF Test Generator and Cloud Runner: Failed to login using certificate - Known Error

ATF Test Generator and Cloud Runner: Failed to login using certificate Description When attempting to validate and authenticate a cloud user for the ATF Test Generator and Cloud Runner, some users receive the message "Failed to login using certificate." This typically occurs for instances with single sign which have customizations to their MultiSSOLogin installation exit that were made before the Quebec release.

In cases where this authentication fails, but the browser does not redirect to an SSO provider, users see the message "Unable to log into the instance. Ensure your Installation Exits scripts allow for mutual authentication login."

Steps to Reproduce

1. Set up MultiSSO on an instance such that it redirects to an external service when login fails. (Eg https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB0777770 )

2. In the MultiSSOLogin sys_installation_exit record for an instance, comment out or remove the lines that accept mutually authenticated connections:

else if (SNC.AuthenticationHelper.isMutualAuth() ) { var userLoginName = user.authenticateMutualAuthToken(); if (userLoginName != null) { SSO_Helper.clearCookie(SNC.SSOUtils.SSOID()); return user.getUser(userLoginName); } }

3. Navigate to "Select Cloud User" and attempt to authenticate a user.

Workaround In order for the ATF Cloud Runner to properly authenticate with the instance, the login installation exits on the instance must be able to authenticate mutually authenticated requests. In order to enable ATF Cloud Runner, users must include recent changes from the Quebec release in their installation exits.

For the Login installation exit (for users without MultiSSO installed), the following if statement was added in the Quebec release:

if (SNC.AuthenticationHelper.isMutualAuth()) { var userLoginName = user.authenticateMutualAuthToken(); if (userLoginName != null) { return user.getUser(userLoginName); } }

For the MultiSSOLogin installation exit, the following if statement was added:

if (SNC.AuthenticationHelper.isMutualAuth() ) { var userLoginName = user.authenticateMutualAuthToken(); if (userLoginName != null) { SSO_Helper.clearCookie(SNC.SSOUtils.SSOID()); return user.getUser(userLoginName); } }

Users may compare their current version with the base system to track differences. To know which installation exit is being used for login purposes, visit the sys_installation_exit table, and first look for records where Overrides=Login. If there are none, look for the record where Name=Login.