SAML Logout

Import · Jun 11, 2019 · article

This article describes how we got SAML single logout working properly between ServiceNow and our ADFS instance, using the Multi-Provider SSO plugin. For the longest time we had ADFS SAML authentication working for ServiceNow, but SAML logout never worked properly: ServiceNow appeared to log out, but the underlying ADFS session, and each subsequent session, was never properly terminated. As a result we had to place ServiceNow in a separate access policy in our ADFS instance, which meant we could not take advantage of SSO between ServiceNow and our other ADFS services. ServiceNow's documentation on configuring SAML with ADFS is not entirely clear and straightforward, so I hope this information helps others who are having trouble getting logout to work as it should.

With help from Microsoft support, we were finally able to get SAML logout working properly between ADFS and ServiceNow. Bear in mind that one organization's ServiceNow and ADFS configuration will differ from another's, so these steps may not apply everywhere. With that said, here is what we did.

  1. Microsoft recommended that the SAML logout requests be signed, which the SAML 2.0 Single Logout profile requires when the request travels through the browser (HTTP-Redirect or HTTP-POST binding). We therefore enabled the Sign LogoutRequest option on our ADFS identity provider record in ServiceNow.
  2. However, by default (at least on our instance; this may have changed in newer releases of ServiceNow), the SAML logout requests were signed with SHA-1, which our ADFS rejected as not secure enough. We therefore had to activate the SAML 2.0 Keystore_Key2048_SHA256 (SHA-256) keystore under x509 Certificate in the Multi-Provider SSO menu.
  3. We then set the system property glide.authenticate.sso.saml2.keystore to the sys_id of that SHA-256 keystore record, making it the default keystore used to sign the SAML requests ServiceNow sends to the identity provider.
  4. We set the identity provider's SingleLogoutRequest field to https://<adfs-host>/adfs/ls, where <adfs-host> is our ADFS server address. This value had in fact come in from our ADFS federation metadata. We had seen posts saying to set it to the WS-Federation logout URL ending in ?wa=wsignout1.0, which is not correct for SAML.
  5. You may also need to set the Signing/Encryption Key Alias and Signing/Encryption Key Password on the ADFS identity provider record in ServiceNow. I believe the default value for each is saml2sp.
  6. We then set the Signing Signature Algorithm to the SHA-256 identifier, http://www.w3.org/2001/04/xmldsig-more#rsa-sha256. Note that the ServiceNow documentation says to use SHA-1, but we went with the more secure SHA-256, which works fine. Just double-check that SHA-256 is also selected as the secure hash algorithm on the Relying Party Trust on the ADFS side (Advanced tab of the trust's properties).
  7. Once all that was set, we used the Generate Metadata button on the identity provider record in ServiceNow to produce the service provider metadata XML for import into ADFS.
  8. On the ADFS side, once we imported the XML, confirmed SHA-256 was set, and confirmed that the Signature tab was populated with the SAML signing certificate from ServiceNow, everything started to work.
  9. Another thing to confirm on the ServiceNow Relying Party Trust in ADFS is that the SAML logout endpoint for your ServiceNow instance is https://<instance>.service-now.com/navpage.do. The SAML logout endpoint should be a URL pointing at ServiceNow (it is where ADFS sends its LogoutRequest and LogoutResponse messages); it should not be an ADFS URL, as one of the ServiceNow SAML documentation pages suggests. That page suggests the WS-Federation sign-out URL mentioned above, which is not correct, and many other posts on the Internet repeat the same mistake.
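The quickest way to confirm that steps 1, 4 and 6 took effect is to look at what ServiceNow actually sends the browser when you click Logout. The script below is an added example, not code from the original article, ServiceNow or ADFS: it decodes a SAML 2.0 LogoutRequest carried in the HTTP-Redirect binding (deflated, base64 and URL-encoded in the SAMLRequest parameter, with SigAlg and Signature alongside) and reports whether the request is signed, whether the signature algorithm is RSA-SHA256 rather than RSA-SHA1, and whether it is going to the ADFS SAML endpoint (/adfs/ls) rather than the WS-Federation sign-out URL (?wa=wsignout1.0). It assumes the Redirect binding for the SingleLogoutRequest, uses only the standard library, and does not verify the signature bytes themselves (that needs the service provider's public key, and it is the check ADFS performs). The host names, the sample LogoutRequest and the signature value are constructed for the example.

```python
"""Sanity-check a SAML 2.0 LogoutRequest sent over the HTTP-Redirect binding.

Added example (not from the original article, ServiceNow or ADFS). Paste the URL
that ServiceNow redirects the browser to on logout, copied from the browser's
network tab, into inspect_redirect_url(). All names below are made up.
"""
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlencode, urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
RSA_SHA1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"


def encode_saml_request(xml_text):
    """Redirect-binding encoding: raw DEFLATE (no zlib header), then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def decode_saml_request(value):
    return zlib.decompress(base64.b64decode(value), -15).decode()


def build_redirect_url(destination, xml_text, sig_alg=None, signature_b64=None):
    """Assemble the URL an SP sends the browser to. The signed octet string is
    'SAMLRequest=...&SigAlg=...' (RelayState, if any, sits between them), so
    Signature must be the last query parameter."""
    params = {"SAMLRequest": encode_saml_request(xml_text)}
    if sig_alg is not None:
        params["SigAlg"] = sig_alg
    if signature_b64 is not None:
        params["Signature"] = signature_b64
    return destination + ("&" if "?" in destination else "?") + urlencode(params)


def inspect_redirect_url(url):
    """Decode the request and list the misconfigurations the article describes."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    root = ET.fromstring(decode_saml_request(qs["SAMLRequest"][0]))
    issuer = root.find(f"{{{SAML}}}Issuer")
    name_id = root.find(f"{{{SAML}}}NameID")
    session = root.find(f"{{{SAMLP}}}SessionIndex")
    sig_alg = qs.get("SigAlg", [None])[0]
    sent_to = f"{parsed.scheme}://{parsed.netloc}{parsed.path}".rstrip("/")
    findings = []
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        findings.append("not a LogoutRequest: " + root.tag)
    if "Signature" not in qs:
        findings.append("LogoutRequest is unsigned; enable Sign LogoutRequest on the IdP record")
    elif sig_alg == RSA_SHA1:
        findings.append("signed with RSA-SHA1; set Signing Signature Algorithm to RSA-SHA256 "
                        "and point glide.authenticate.sso.saml2.keystore at the SHA-256 keystore")
    elif sig_alg != RSA_SHA256:
        findings.append(f"unexpected SigAlg: {sig_alg}")
    if "wa" in qs:
        findings.append(f"sent to the WS-Federation sign-out URL (wa={qs['wa'][0]}); "
                        "SingleLogoutRequest must be the SAML endpoint https://<adfs-host>/adfs/ls")
    if not parsed.path.rstrip("/").endswith("/adfs/ls"):
        findings.append("path is not /adfs/ls: " + parsed.path)
    if root.get("Destination") and root.get("Destination").rstrip("/") != sent_to:
        findings.append("Destination attribute does not match the URL the request was sent to")
    return {
        "issuer": issuer.text if issuer is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "session_index": session.text if session is not None else None,
        "destination": root.get("Destination"),
        "sig_alg": sig_alg,
        "signed": "Signature" in qs,
        "findings": findings,
    }


# Constructed sample LogoutRequest, shaped like what an SP sends (not a capture).
SAMPLE_LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
  ID="_0123456789" Version="2.0" IssueInstant="2019-06-11T12:00:00Z"
  Destination="https://adfs.example.com/adfs/ls">
  <saml:Issuer>https://instance.service-now.com</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">steve@example.com</saml:NameID>
  <samlp:SessionIndex>_session-42</samlp:SessionIndex>
</samlp:LogoutRequest>"""
FAKE_SIGNATURE = base64.b64encode(b"not a real RSA signature").decode()  # placeholder, constructed

# What a correctly configured instance sends (steps 1, 4 and 6 of the article).
GOOD_URL = build_redirect_url("https://adfs.example.com/adfs/ls",
                              SAMPLE_LOGOUT_REQUEST, RSA_SHA256, FAKE_SIGNATURE)
# The two mistakes the article warns about: SHA-1 signature and the WS-Fed sign-out URL.
BAD_URL = build_redirect_url("https://adfs.example.com/adfs/ls/?wa=wsignout1.0",
                             SAMPLE_LOGOUT_REQUEST, RSA_SHA1, FAKE_SIGNATURE)
# Sign LogoutRequest left off: no SigAlg, no Signature.
UNSIGNED_URL = build_redirect_url("https://adfs.example.com/adfs/ls", SAMPLE_LOGOUT_REQUEST)

if __name__ == "__main__":
    for label, url in ("good", GOOD_URL), ("bad", BAD_URL), ("unsigned", UNSIGNED_URL):
        report = inspect_redirect_url(url)
        print(label, report["sig_alg"], report["findings"] or "OK")
```

If your identity provider record uses the HTTP-POST binding for SingleLogoutRequest instead, the SAMLRequest is plain base64 (no DEFLATE) in a form body and the signature is an enveloped XML Signature inside the document rather than SigAlg and Signature query parameters, so the decoding and the algorithm check would have to read the ds:SignatureMethod element instead.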

We spent quite a lot of time getting this to work, so I hope it is helpful to anyone in a similar situation! I'm also not a SAML engineer, so hopefully I got all my terminology right.

Cheers,

Steve

Original source: https://www.servicenow.com/community/now-platform-articles/configuring-adfs-and-servicenow-saml-logout/ta-p/2309776