If Multi-SSO is installed, check SAML installations exits are inactive

Import · Nov 02, 2015 · article

Setting up SSO is incredibly popular. Multi-SSO offers flexibility and security in an incredibly simplified interface. In this blog I want to talk about a problem that can happen after upgrading to Multi-SSO from an earlier version, where some old scripts remain active when they should be disabled. That is the rough idea, anyway.

Let's talk about:

  • Multi-SSO and Installation exits
  • Multi-SSO installation exit problem
  • Solution to the Multi-SSO Installation exit problem

Multi-SSO and Installation exits

The multiple provider single sign-on feature allows organizations to use several SSO identity providers (IdPs) to manage authentication as well as retain local database (basic) authentication.

Installation exits are customizations that exit from Java to call a script before returning to Java. They are usually related to login, logout, password validation and external authentication, which is why I think of them as "doorman scripts." Installation exits are located under System Definition > Installation Exits. Some installation exits can be overridden with a custom script that replaces the script in the default installation exit.

Each SSO plugin comes with its own installation exits.

When Multi-SSO is installed, it comes with its own installation exits; the previous SAML installation exits are no longer required and the system will make them inactive.

Multi-SSO Installation exit problem

After enabling Multi-SSO, some SSO validations may fail if the Multi-SSO installation exit scripts do not execute first.

There are some exceptional cases where some SAML* installation exits (incorrectly) remain active after the Multi-SSO plugin is installed.

For example, if SAML was already active when you activated Multiple Single Sign-On and you had already customized the SAML installation exits.

In that case the logs may show errors like the following:

    WARNING *** WARNING *** Evaluator: org.mozilla.javascript.EcmaError: Cannot convert null to an object.
    Caused by error in Script Include: 'SAML2_update1' at line 35

        32: this.lastGeneratedRequestID = null;
        33: this.inResponseTo = null;
        34: this.logoutFailureEventId = "saml2.logout.validation.failed";
    ==> 35: this.certGR = this.getCertGR();
        36:
        37: // Keep SAMLAssertion object for validation
        38: this.SAMLResponseObject = null;

Solution to the Multi-SSO Installation exit problem

To resolve the problem, if Multi-SSO is installed correctly, validate that the installation exits have the following Active values (the SAML2* exits set to false, the MultiSSO* exits set to true):

    Installation exit              Active
    SAML2Logout                    false
    SAML2Logout_update1            false
    SAML2SingleSignon              false
    SAML2SingleSignon_update1      false
    MultiSSO                       true
    MultiSSOLogin                  true
    MultiSSOLogout                 true
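The check described above, as an added example that is not part of the original post: a script that compares the Active flag of each installation exit with the expected values in the table and reports any drift. It runs stand-alone in Node on constructed sample records; when run as a ServiceNow background script it reads the live records instead, and there the table name sys_installation_exit and its name/active fields are my assumptions, not something the post states.

```javascript
// Expected Active values once Multi-SSO is installed (from the table above):
// the SAML2* exits must be off and the MultiSSO* exits on.
var EXPECTED_ACTIVE = {
  SAML2Logout: false,
  SAML2Logout_update1: false,
  SAML2SingleSignon: false,
  SAML2SingleSignon_update1: false,
  MultiSSO: true,
  MultiSSOLogin: true,
  MultiSSOLogout: true
};

// records: [{ name, active }]; active may be a boolean or the 'true'/'false' string
// GlideRecord.getValue returns. Returns mismatches plus any expected exit that is missing.
function auditInstallationExits(records) {
  var seen = {}, findings = [];
  records.forEach(function (r) {
    if (!(r.name in EXPECTED_ACTIVE)) return;            // unrelated exit, ignore
    seen[r.name] = true;
    var actual = (r.active === true || r.active === 'true');
    if (actual !== EXPECTED_ACTIVE[r.name]) {
      findings.push({ name: r.name, expected: EXPECTED_ACTIVE[r.name], actual: actual });
    }
  });
  Object.keys(EXPECTED_ACTIVE).forEach(function (name) {
    if (!seen[name]) findings.push({ name: name, expected: EXPECTED_ACTIVE[name], actual: 'missing' });
  });
  return findings;
}

// Constructed sample: a customized SAML exit left active after the Multi-SSO upgrade.
var SAMPLE_RECORDS = [
  { name: 'SAML2Logout', active: 'false' }, { name: 'SAML2Logout_update1', active: 'false' },
  { name: 'SAML2SingleSignon', active: 'false' }, { name: 'SAML2SingleSignon_update1', active: 'true' },
  { name: 'MultiSSO', active: 'true' }, { name: 'MultiSSOLogin', active: 'true' },
  { name: 'MultiSSOLogout', active: 'true' }, { name: 'UnrelatedExit', active: 'true' }
];
// Background-script path; the table name sys_installation_exit and its fields are assumed.
function loadFromInstance() {
  var out = [], gr = new GlideRecord('sys_installation_exit');
  gr.addQuery('name', 'IN', Object.keys(EXPECTED_ACTIVE).join(','));
  gr.query();
  while (gr.next()) out.push({ name: gr.getValue('name'), active: gr.getValue('active') });
  return out;
}
var onInstance = (typeof GlideRecord !== 'undefined');   // false when run in Node
var print = onInstance ? function (s) { gs.print(s); } : console.log;
auditInstallationExits(onInstance ? loadFromInstance() : SAMPLE_RECORDS).forEach(function (f) {
  print(f.name + ': Active is ' + f.actual + ', expected ' + f.expected);
});
```

On the sample data the only finding is SAML2SingleSignon_update1, the customized SAML exit that stayed active; an empty result means the exits match the table.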


In conclusion, after installing the Multi-SSO plugin, check that the SAML installation exits are disabled; it will save you time on troubleshooting. However, do not stop there. If other scripts have been customized, similar steps apply: script includes, business rules, etc. need to be updated manually to the most current version of the script.

Check out my other blogs, where I have also discussed email notifications and SSO.

More information here:

Thanks chris.beltran

Original source: https://www.servicenow.com/community/itsm-blog/if-multi-sso-is-installed-check-saml-installations-exits-are/ba-p/2268232