SSO login failure after replacing x509 certificateIssue <!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } After replacing the x509 certificate on the Identity Provider (IdP) side for SAML-based Single Sign-On (SSO), users are unable to log in to the ServiceNow instance. Symptoms<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Users cannot log in to the ServiceNow instance via SSO after an x509 certificate replacement on the IdP.The following error message is observed in the browser or SSO logs: AADSTS75011: Authentication method 'X509, MultiFactor, X509Device' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. SSO login succeeds when using a private/incognito browser window in some cases, suggesting a cached session or configuration conflict.The test connection on the Identity Provider record may show as successful, yet browser-based SSO login still fails. Release<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Zurich Patch 7 Cause<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } The error originates on the Identity Provider (IdP) side; specifically, Microsoft Azure AD / Entra ID. When ServiceNow sends a SAML authentication request, it includes an AuthnContextClassRef value that tells the IdP what authentication method is required. The out-of-the-box value in ServiceNow is: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport After the x509 certificate replacement, the authentication method recorded for the user session on the Azure AD side might be changed to certificate-based or multifactor authentication (classified asX509, MultiFactor, or X509Device). Azure AD then rejected the SAML request because the user's actual authentication method did not match thePasswordProtectedTransport context that ServiceNow was demanding in its AuthnRequest Resolution<!-- /*NS Branding Styles*/ --> .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } span { font-size: 12pt; font-family: Lato; color: var(--now-color--text-primary, #000000); } h2 { font-size: 24pt; font-family: Lato; color: var(--now-color--text-primary, black); } h3 { font-size: 18pt; font-family: Lato; color: var(--now-color--text-primary, black); } h4 { font-size: 14pt; font-family: Lato; color: var(--now-color--text-primary, black); } a { font-size: 12pt; font-family: Lato; color: var(--now-color--link-primary, #00718F); } a:hover { font-size: 12pt; color: var(--now-color--link-primary, #024F69); } a:target { font-size: 12pt; color: var(--now-color--link-primary, #032D42); } a:visited { font-size: 12pt; color: var(--now-color--link-primary, #00718f); } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Step 1 - Identify the authentication context mismatch Review the error message returned during the failed SSO login. If the error is: AADSTS75011: Authentication method 'X509, MultiFactor, X509Device' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'. This confirms that Azure AD is rejecting the SAML request because the authentication method used by the user does not satisfy the AuthnContextClassRef value that ServiceNow is sending in its AuthnRequest. Step 2 - Update the AuthnContextClassRef in the ServiceNow Identity Provider record Navigate to Multi-SSO>Identity Providers. Open the relevant Identity Provider record.Locate the AuthnContextClassRef field in the Advanced Tab section. The Out-of-box (OOB) value will be: urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransportChange the value to: urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified This tells Azure AD to accept any valid authentication method, removing the strict PasswordProtectedTransport requirement from the SAML AuthnRequest. Save the record.Click Test Connection to validate.Click Activate to apply the configuration. Step 3 - Test SSO login Open a new browser session (not a private/incognito window) and attempt to log in via SSO to confirm the issue is resolved. Step 4 - Coordinate with the IdP team Check with the IdP/Azure AD team to confirm whether the authentication method change was intentional after the certificate replacement. Two outcomes are possible: If the change was intentional (e.g., the organization moved to certificate-based or MFA authentication): retain the unspecified value in the ServiceNow Identity Provider record as the permanent fix.If the change was unintentional: the IdP team should restore the authentication method to password-based (PasswordProtectedTransport), and the ServiceNow Identity Provider record should be reverted to the out-of-box value accordingly.