Common Authentication Issues and How-To KBs

Summary

This KB is a collection of common authentication issues and how-to KBs that should help our customers with their troubleshooting.

Table of Contents

Certificate Based Authentication
LDAP (Authentication & Import)
Multi-Provider SSO (Single Sign-on)
Multi Factor Authentication (MFA)
Troubleshooting
Troubleshooting Template

Certificate Based Authentication

KB0993615 - How to configure Certificate Based Authentication (inbound mutual authentication) in ServiceNow
KB1120360 - How to remove a certificate from Load Balancer when discontinue with Certificate Based Authentication?
KB1116112 - MID Server Mutual Authentication
KB1645221 - Implementation Guide: How to Set Up Certificate-Based Authentication

LDAP (Authentication & Import)

KB0787491 - How LDAP Imports Link Users with Groups (Group Membership)
KB0639121 - How to use LDAP filters for Active Directory attributes
KB0597756 - How to photos from Active Directory (AD) into ServiceNow using an LDAP Import

Multi-Provider SSO (Single Sign-on)

KB0960680 - Setup of Azure AD with SSO on ServiceNow
KB0725735 - How to setup SSO for Custom URL
KB0960602 - How to Configure and Troubleshoot all Custom URL issues.
KB0756504 - Upgrade instructions for the New York and later Multi-SSO plugin
KB0778203 - Customization support in MultiSSOv2
KB0791764 - SAML user provisioning
KB0691439 - Replacing an expiring SAML certificate
KB0690925 - Servicenow SAML/SSO integration with Miniorange Identity Provider (IdP)

Multi Factor Authentication (MFA)

KB0859576 - ServiceNow ID Multi-Factor Authentication (MFA) Setup
KB0858461 - MFA enabled user is not getting the token page

Troubleshooting

KB0539111 - Troubleshooting LDAP issues in ServiceNow
KB0754219 - LDAP OU shows invalid bind credentials, but LDAP server connection test is successful
KB0869486 - Troubleshooting Oauth access token issues with Spokes
KB0952928 - "Get Groups" OOB okta spoke action fails with - Error: Cannot read property "length" from undefined
KB0748960 - Multi Factor Authentication (MFA) does not work with Google Authenticator. Response Invalid Error
KB1112387 - SSO login does not work with "com.glide.script.RhinoEcmaError: missing ; before statement sys_installation_exit.621bbf531b121100227e5581be071365" error
KB0748198 - How to bypass SSO login in the CSM portal
KB0597978 - After SSO is enabled, users without roles are redirected to the ess portal
KB0821671 - SSO authentication with Azure Guest accounts
KB0823659 - Multi-factor authentication is interfering with SSO pre-San Diego
KB1123566 - On the Polaris page "Enable multi-factor authentication" the field to enter the code is labeled only by placeholder text
KB1048088 - MID Server issues for mTLS (mutual authentication/certificate-based authentication)
KB0521819 - Enabling Custom Authentication for Non-Interactive Sessions
KB1121707 - Firefox browser requires re-authentication with ADFS
KB0687717 - SSO users redirected to navpage.do (not sp) through OKTA if they are already logged in
KB0622026 - Okta User Provisioning Testing
KB0596461 - Troubleshooting Azure user provisioning
KB0953708 - OIDC User Provisioning not creating user "User Does not exists and Auto Provisioning is not enabled, aborting user provisioning"

Troubleshooting Template

Kindly provide the following information to assist us in troubleshooting the issue -

1. What type of login is being used? Is it local login / LDAP / SSO?
2. Is MFA enabled on the instance?
3. Is it specific to one user, or are multiple users impacted?
4. Since when has this issue been reported?
5. Can you provide the following for one of the impacted users for us to begin triage -
6. User ID, exact timestamp/timezone of failure

ADDITIONAL INFORMATION TO ASK FOR LOCAL LOGIN ISSUES
--------------------------------------------------------------------------------------------
1. Would you like us to disable MFA on the instance to allow the impacted user to log in?
2. Do you have Account Recovery enabled on the instance? (It might be causing issues with local login if SSO is enabled.)
--------------------------------------------------------------------------------------------

ADDITIONAL INFORMATION TO ASK FOR LDAP LOGIN ISSUES
--------------------------------------------------------------------------------------------
1. Is the LDAP test connection successful?
2. Does the impacted user's record in the sys_user table have the correct value in the source field, and does it match the one in your LDAP?
--------------------------------------------------------------------------------------------

ADDITIONAL INFORMATION TO ASK FOR SSO LOGIN ISSUES
--------------------------------------------------------------------------------------------
1. Can you provide information about the IDP with which the user is supposed to be authenticated?
2. Kindly ensure glide.authenticate.multisso.debug is enabled on the instance. If it is not enabled, enable it and then share the failed login timestamp/timezone and user ID.
3. If you are using multiple identity providers, is the sso source field configured to reflect the accurate IDP being used to authenticate the user?