Some of my clients have come across an issue with ServiceNow and SAML 2.0. If they perform a successful SingleLogout in SAML, or they cancel out of their SAML login process, they are often returned to the main ServiceNow local login page with an error displayed in red at the top of the page saying:

Could not extract //Subject/NameID from SAMLResponse

I believe this is related to some changes that happened in the June 2011 release with regard to public pages in ServiceNow. The good news is that with a few configuration steps, you can have the browser redirect the user to a specific URL in these events so as to avoid this page and the display of the associated error.

Follow these simple instructions…

In your instance, go to the “Single Sign-on” module under the “System Properties” application.

Set the following fields:

  • When a user attempts to access a page that is private (to view an incident, etc) and SSO credentials are not present, they will be redirected to the URL specified in this property. This is typically set to a customer’s login portal (e.g. http://portal.companya.com):
  • When set to true requires SSO credentials even for the main Service-now login page. Defaults to false. This property needs to be used in conjunction with the ‘glide.authenticate.failed_requirement_redirect’ property.

They will be displayed something like this:

Single Sign On Redirection Properties

  1. In the first field, put the URL where you would like to redirect the user after they click Cancel.
  2. In the bottom property, make sure you type “true”; that will force the page to go to that URL when we come across an error such as the cancel.

Give it a few test runs to make sure everything works as you would expect, and then you are good to go!

If you implement these settings, let me know how it works for you. I haven’t been able to test it in many scenarios, so I would like to know if there are any gotchas associated with it.