Content Management System (CMS) features within ServiceNow are all the rage with customers. Everyone is interested in building self-service web pages that serve as a tailored front end to many of their ServiceNow applications. The downside, however, is that companies using SAML 2.0 have to deal with their CMS landing-page rules competing with the redirection rules in the SAML 2.0 setup.

One such customer wanted to implement SAML 2.0 alongside CMS. When a user finishes logging into ServiceNow through the SAML mechanism, they wanted the system to determine that user's role and redirect them to a specific CMS URL based on that role, rather than using SAML's default redirection to the home page.

I decided that this might be something others would like to implement in the future, so I developed a module to administer it, along with a script include that provides the logic behind the home page redirection decision.

These changes are included in an update set. I didn't want the update set to modify the SAML plugin automatically, so in addition to loading the update set you will be asked to make one small modification to the SAML login script by hand. It is a simple change, and the steps are below.

The Update Set

The attached update set will do the following:

1) Adds a “RoleBasedAuthHelper” script include that we will call from the SAML 2 Login Script.

2) Creates a table called “Role Based Home Pages” and a module for it in the SAML application (see image below). You specify a URL for a given role. If a user has more than one of the roles in the list, the Order field decides: the row with the lowest Order value wins.

Image: The Role Based Home Pages module created by the update set

3) Creates a system property to enable or disable debug logging for this feature. It defaults to false (no debug logging). The name of the property is “com.snc.integration.saml2.role_based_auth_redir.verbose”.

Modifying the SAML 2 Login Script

Once you have committed the update set in your instance, modify the SAML 2 Login Script so that it uses the role-based home page redirection.

To do this, browse to the “Login Script” module of the “SAML 2 Single Sign-on” application, then:

Modify the loginUser function. Its signature will look something like: loginUser : function (nameId)

Find these two lines in that function:

var relayState = request.getParameter("RelayState");
if(relayState){

Add the following code block after the two lines listed above:

//
// Customized code added to redirect the user to a home page chosen by role,
//  but only if the relay state indicates that there is no deep link
//  (i.e. RelayState is just the service URL).
//  userName and this.serviceURL are already defined by the surrounding
//  loginUser function.
//
if (relayState == this.serviceURL) {
  var rbah = new RoleBasedAuthHelper(userName);
  var newRelayState = rbah.getRelayStateByRole();
  if (newRelayState) {
    relayState = newRelayState;
  }
}
//
// End of Customized Code Block
//

Process Flow

Let's talk about what you can expect with this setup. First, if a user comes into the instance via a deep link (e.g. clicking the link to an incident in an email notification), we do not query the user's roles; we honor the intended destination of the link from the email.

Second, if the user comes into ServiceNow with an active session, SAML authentication is not triggered and so our logic does not run either. We are not modifying the default system navigation.

If the user goes to your ServiceNow instance without an active session, SAML authentication kicks in. Once SAML authentication is complete and we are about to log the user in, the custom code checks whether the RelayState is telling us to go to the default home page. If it is, we query the “Role Based Home Pages” table for any of the user's roles that have a home page URL. The first match (according to the Order set by the administrator) becomes the new SAML RelayState, overriding the default redirect to the home page, and the user lands on the URL from the table instead. Because this table decides where every freshly authenticated user lands, keep write access to it restricted to administrators and prefer instance-relative URLs over absolute ones, so that a bad row cannot turn the login redirect into an open redirect.
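The following is an added example, not the RoleBasedAuthHelper from the update set or any ServiceNow code: a stand-alone JavaScript model of the decision described above (deep links are honored, otherwise the lowest-Order matching role wins). The table rows, roles and service URL are constructed here instead of being read with GlideRecord, and the isLocalPath() check is a hardening step this example adds that the original script does not have.

```javascript
// Constructed sample of the "Role Based Home Pages" table (role, url, order).
// Rows are deliberately out of Order to show that Order, not row position, wins.
var HOME_PAGES = [
  { role: 'admin', url: '/admin_home.do',  order: 200 },
  { role: 'itil',  url: '/itil_portal.do', order: 100 },
  { role: 'ess',   url: '/ess/home.do',    order: 300 }
];

// Assumed default RelayState: the instance URL SAML sends users to when no
// deep link was requested (stands in for this.serviceURL in the login script).
var SERVICE_URL = 'https://example.service-now.com/';

// Hardening added in this example: only instance-relative paths are accepted
// as redirect targets. "https://evil.example" or "//evil.example" in a table
// row would otherwise make the post-login redirect an open redirect.
function isLocalPath(url) {
  return typeof url === 'string' && url.charAt(0) === '/' && url.charAt(1) !== '/';
}

// Return the URL of the lowest-Order row whose role the user holds, or null.
function selectHomePageByRole(userRoles, homePages) {
  var roleSet = {};
  for (var i = 0; i < userRoles.length; i++) {
    roleSet[userRoles[i]] = true;
  }
  var best = null;
  for (var j = 0; j < homePages.length; j++) {
    var row = homePages[j];
    if (!roleSet[row.role] || !isLocalPath(row.url)) {
      continue;
    }
    if (best === null || row.order < best.order) {
      best = row;
    }
  }
  return best ? best.url : null;
}

// Mirror the login-script decision: a RelayState that is not the service URL
// is a deep link and is kept as-is; otherwise substitute the role-based home
// page when one exists, else fall back to the default.
function resolveRelayState(relayState, serviceURL, userRoles, homePages) {
  if (relayState !== serviceURL) {
    return relayState;
  }
  var byRole = selectHomePageByRole(userRoles, homePages);
  return byRole || relayState;
}

// Usage: a user holding ess and itil, arriving without a deep link.
console.log(resolveRelayState(SERVICE_URL, SERVICE_URL, ['ess', 'itil'], HOME_PAGES));
```

In the real script include the loop over HOME_PAGES would be a GlideRecord query ordered by the Order field and filtered to the user's roles; the selection and deep-link rules are the same.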

Download the Update Set

WARNING: This update set is quite old and has not been tested with the newest versions of ServiceNow.

Update Set:
Role Based Home Pages with SAML 2.0