How to find the correct X509 certificate from SAML response - Support and Troubleshooting (2024)

The purpose of this article is to provide useful troubleshooting stepsforLDAP connectivity issues. The LDAP Servermight suddenly lose connection after multiple attempts, causingupdates interruption from the Active Directory import process.

One of the possible and most likely reasons is the X509 certificates defined in the instance do not match the ones coming in from the SAML response from the Identity Provider.

The steps below are required in ordertoretrieve the correct certificate value:

1. Navigate tohttps://<instance>.service-now.com/nav_to.do?uri=/syslog_list.do
2. Set the list filter: Message starts with SAML Response xml\r\n
   • Ref.:https://<instance>.service-now.com/syslog_list.do?sysparm_query=messageSTARTSWITHSAML%20Response%20xml
   \r\n
3. Open the latest log record
4. The correct certificate value is between xml tags<ds:X509Certificate> and</ds:X509Certificate>
5. Copy this value, without the xml tags
6. Navigate tohttps://<instance>.service-now.com/nav_to.do?uri=/sys_certificate_list.do
7. Create a new certificate
8. Fill up the required fields and paste the certificate value in the PEM Certificate box using this template:

-----BEGIN CERTIFICATE-----

<certificate value>

-----END CERTIFICATE-----

1. Click Submit

The LDAP server should now connectagain, and the import / update from the AD should work if the issue was an incorrect certificate.