Change ACS Proxy for SNOW

Hi,

https://help.okta.com/en/prod/Content/Topics/Apps/CASB-config-guide.htm

I am trying to follow the above guide to update the ACS proxy settings for a ServiceNow app I have configured.

The PUT reports that the update has gone through, but nothing happens: a subsequent GET does not show the changes, and the ACS URL is not proxied.

PUT DATA:

{
    "label": "Service Now",
    "name": "amiyadas3_servicenow_1",
    "signOnMode": "SAML_2_0",
    "settings": {
      "app": {
      },
      "signOn": {
        "acsEndpoints": [],
        "allowMultipleAcsEndpoints": false,
        "assertionSigned": true,
        "defaultRelayState": "defaultRelayStateOverride",
        "ssoAcsUrlOverride": "https://portal.us.bitglass.net/sso/acsproxy/?bitglass_continue=https://dev102516.service-now.com/navpage.do",
        "audienceOverride": "https://portal.us.bitglass.net/sso/acsproxy/?bitglass_continue=https://dev102516.service-now.com/navpage.do",
        "recipientOverride": "https://portal.us.bitglass.net/sso/acsproxy/?bitglass_continue=https://dev102516.service-now.com/navpage.do",
        "destinationOverride": "https://portal.us.bitglass.net/sso/acsproxy/?bitglass_continue=https://dev102516.service-now.com/navpage.do",
        "attributeStatements": [],
            "audience": "https://dev102516.service-now.com",
            "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
            "defaultRelayState": "",
            "destination": "https://dev102516.service-now.com/navpage.do",
            "digestAlgorithm": "SHA256",
            "honorForceAuthn": false,
            "idpIssuer": "http://www.okta.com/${org.externalKey}",
            "inlineHooks": [],
            "recipient": "https://dev102516.service-now.com/navpage.do",
            "requestCompressed": false,
            "responseSigned": true,
            "signatureAlgorithm": "RSA_SHA256",
            "slo": {
                "enabled": false
      },
        "spIssuer": null,
        "ssoAcsUrl": "https://dev102516.service-now.com/navpage.do",
        "subjectNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
        "subjectNameIdTemplate": "${user.userName}"
    }
  }},

Response Data:

{
    "id": "0oa5cz7xwCr3yrVxp695",
    "name": "amiyadas3_servicenow_1",
    "label": "Service Now",
    "status": "ACTIVE",
    "lastUpdated": "2021-06-28T22:44:02.000Z",
    "created": "2021-06-28T18:25:35.000Z",
    "accessibility": {
        "selfService": false,
        "errorRedirectUrl": null,
        "loginRedirectUrl": null
    },
    "visibility": {
        "autoSubmitToolbar": false,
        "hide": {
            "iOS": false,
            "web": false
        },
        "appLinks": {
            "amiyadas3_servicenow_1_link": true
        }
    },
    "features": [],
    "signOnMode": "SAML_2_0",
    "credentials": {
        "userNameTemplate": {
            "template": "${source.email}",
            "type": "BUILT_IN"
        },
        "signing": {
            "kid": "F42UgPMIA83JVM_-9jJda5VyM4Oxp27FtchZ1YAaaZY"
        }
    },
    "settings": {
        "app": {},
        "notifications": {
            "vpn": {
                "network": {
                    "connection": "DISABLED"
                },
                "message": null,
                "helpUrl": null
            }
        },
        "signOn": {
            "defaultRelayState": "",
            "ssoAcsUrl": "https://dev102516.service-now.com/navpage.do",
            "idpIssuer": "http://www.okta.com/${org.externalKey}",
            "audience": "https://dev102516.service-now.com",
            "recipient": "https://dev102516.service-now.com/navpage.do",
            "destination": "https://dev102516.service-now.com/navpage.do",
            "subjectNameIdTemplate": "${user.userName}",
            "subjectNameIdFormat": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
            "responseSigned": true,
            "assertionSigned": true,
            "signatureAlgorithm": "RSA_SHA256",
            "digestAlgorithm": "SHA256",
            "honorForceAuthn": false,
            "authnContextClassRef": "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
            "spIssuer": null,
            "requestCompressed": false,
            "attributeStatements": [],
            "inlineHooks": [],
            "allowMultipleAcsEndpoints": false,
            "acsEndpoints": [],
            "slo": {
                "enabled": false
            }
        }
    },
    "_links": {
        "help": {
            "href": "https://amiyadas3-admin.okta.com/app/amiyadas3_servicenow_1/0oa5cz7xwCr3yrVxp695/setup/help/SAML_2_0/instructions",
            "type": "text/html"
        },
        "metadata": {
            "href": "https://amiyadas3.okta.com/api/v1/apps/0oa5cz7xwCr3yrVxp695/sso/saml/metadata",
            "type": "application/xml"
        },
        "appLinks": [
            {
                "name": "amiyadas3_servicenow_1_link",
                "href": "https://amiyadas3.okta.com/home/amiyadas3_servicenow_1/0oa5cz7xwCr3yrVxp695/aln5dn3op1CMdF9jL695",
                "type": "text/html"
            }
        ],
        "groups": {
            "href": "https://amiyadas3.okta.com/api/v1/apps/0oa5cz7xwCr3yrVxp695/groups"
        },
        "logo": [
            {
                "name": "medium",
                "href": "https://ok14static.oktacdn.com/assets/img/logos/default.6770228fb0dab49a1695ef440a5279bb.png",
                "type": "image/png"
            }
        ],
        "users": {
            "href": "https://amiyadas3.okta.com/api/v1/apps/0oa5cz7xwCr3yrVxp695/users"
        },
        "deactivate": {
            "href": "https://amiyadas3.okta.com/api/v1/apps/0oa5cz7xwCr3yrVxp695/lifecycle/deactivate"
        }
    }
}

@asingh Hi, not sure how you updated it.
Could you please open a support ticket by emailing support@okta.com? One of our TSEs will help you review the configuration.

I have a case open, for 2 days, with no response

@asingh Was it assigned to someone? Do you have AE in the case?

yes, thanks for your help, finally got a response to schedule a troubleshooting call

Glad to know you have a meeting scheduled.

I had this same issue. What I discovered is that as long as the app already includes the parameter, the PUT updates the value. If the application does not include the Override parameter, the PUT still completes with a 200 but does not add the parameter, so the 200 alone does not confirm the change. However, I have no idea what determines whether the application has the parameter initially.

When you say the application has the parameter, do you mean that the initial GET should already show these 4 values?

https://help.okta.com/en/prod/Content/Topics/Apps/CASB-config-guide.htm

"signOn": { "defaultRelayState": "defaultRelayStateOverride", "ssoAcsUrlOverride": "https://casb-provider.com/ssoAcsUrlOverride", "audienceOverride": "https://casb-provider.com/audienceOverride", "recipientOverride": "https://casb-provider.com/recipientOverride", "destinationOverride": "https://casb-provider.com/destinationOverride"

How were you able to resolve the issue?

Exactly. If the parameter shows in the output of the initial GET, with a null value or some other value, then it will update. I am testing with applications that have at least one of the parameters and skipping the one that does not, until Okta can let me know what triggers some applications to have it and others not.

Thanks, I got it to work with Salesforce, as the initial GET showed the values to be present!
