Users logged in via SSO are redirected to "saml_cert_error" page after session timeout - Support and Troubleshooting

Users logged in via SSO are redirected to "saml_cert_error" page after session timeout Issue .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } After Zurich release , users are redirected to "saml_cert_error" after session timeout.

sysparm_url=external_logout_complete.do?sysparm_error=saml_cert_error This is related to SAML certificate validation prematurely is being set error flag on first certificate failure.

Steps to Reproduce:

1. Configure SAML SSO with multiple certificates in the certificate list 2. Ensure the first certificate in the list will throw an exception during validateSignature() 3. Ensure a subsequent certificate in the list is valid 4. Attempt SAML login 5. Observe that SAML_CERT_ERROR is set in the HTTP session even though a valid certificate exists and validation should succeed

Symptoms .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Expected Behavior The error flag should only be set after the loop completes if ALL certificates fail validation.

Actual Behavior The error flag is set on the first certificate that throws an exception, even though the loop continues to try remaining certificates.

Impact - Incorrect error state in HTTP session - Misleading error reporting when multiple certificates are configured - Valid certificates may exist but error is already flagged from earlier failures - Affects SAML SSO authentication flows with multiple certificate configurations

Release .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Zurich

Resolution .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Enabling multi SSO debug ,you will see the validated certificate and as a workaround , it is suggested to keep this validated certificate and deassociate/inactivate the other ones from the associated certificates of the IdP record in the instance.

2026-XX-XX 01:39:12 (308) Default-thread-38 XXXXXXX txid=XXXXXXX SysLog SAML2: Validating SAML response against the certificate : https://XXXXXXX(opens in new tab) host = XXXXXXX.XXXXXXX.service-now.comsource = /XXXXXXX/glide-zurich-07-01-2025__patch6-01-16-2026/XXXXXXX/localhost_log.2026-03-11.txtsourcetype = appnode_localhost_log localhost

2026-XX-XX 01:39:12 (317) Default-thread-38 XXXXXXX txid=XXXXXXX SysLog SAML2: Signature validated. host = XXXXXXX.XXXXXXX.service-now.comsource = /XXXXXXX/glide-zurich-07-01-2025__patch6-01-16-2026/XXXXXXX/localhost_log.2026-03-11.txtsourcetype = appnode_localhost_log localhost

2026-03-11 01:39:12 (318) Default-thread-38 XXXXXXX txid=XXXXXXX SysLog SAML2: Step 1/5: Signature validation is successful There is a problem currently being reviewed PRB2003653