ServiceNow (SP-initiated) integration guide

Updated April 20, 2020

Use this guide to enable multi-factor authentication and single sign-on (SSO) access via SAML to ServiceNow.

Prerequisites

  • Have a ServiceNow account.

  • SecureAuth Identity Platform version 9.x or later, with a new realm created for the integration with ServiceNow.

  • Configure the Overview, Data, Workflow, and Multi-Factor Methods tabs in the Web Admin before configuring the Post Authentication tab.

Identity Platform Classic Web Admin configuration steps

  1. Go to the Data tab.

  2. In the Profile Fields section, map the directory field that contains the user's ServiceNow ID to the Identity Platform Property.

    For example, if the Email 2 property is not already in use for something else, map the directory field that holds the ServiceNow ID to Email 2.

  3. Save your changes.

  4. Go to the Post Authentication tab.

  5. In the Post Authentication section, set Authenticated User Redirect to SAML 2.0 (SP-initiated) Assertion.

    The Redirect To field is auto-populated with a fixed URL (Authorized/SAML20SPInit.aspx) that is appended to the domain name and realm number shown in the address bar; this value cannot be edited.

    A customized post authentication page can be uploaded, but is not required.

  6. In the User ID Mapping section, set the following:

    User ID Mapping

    Set to the Identity Platform property that corresponds to the directory field that contains the ServiceNow ID.

    For example, set it to Email 2, the property that was mapped to the ServiceNow ID directory field on the Data tab in step 2.

    Name ID Format

    Leave the default value as urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

    If required by ServiceNow, choose the option supplied by the Service Provider (SP).

    Encode to Base64

    Set to False.

  7. In the SAML Assertion / WS Federation section, set the following:

    WSFed/SAML Issuer

    Set to a unique name that is shared with ServiceNow.

    For example, https://secureauthfqdn/Secureauthxx/

    The WSFed/SAML Issuer must match exactly, character for character, on the Identity Platform side and the ServiceNow side. ServiceNow compares the Issuer in each assertion with the configured value as a plain string, so a trailing slash or a case difference is enough for the assertion to be rejected.

    SAML Audience

    Set to https://<company>.service-now.com, the ServiceNow instance URL. This value is placed in the assertion's AudienceRestriction, and ServiceNow rejects assertions whose audience does not match its own instance.

    SP Start URL

    Provide the starting URL to enable SSO and to appropriately redirect users to access ServiceNow.

    For example, https://<company>.service-now.com

    SAML Offset Minutes

    Set the number of minutes of clock difference to tolerate between the Identity Platform server and ServiceNow, so that an assertion is not rejected as not yet valid when the two clocks disagree.

    SAML Valid Hours

    The number of hours for which the SAML assertion remains valid. Keep this as short as the login flow allows; an intercepted assertion can be presented until this window closes.

  8. No configuration is required for the WSFed Reply To/SAML Target URL, SAML Consumer URL, or SAML Recipient fields.

  9. Leave the Signing Cert Serial Number as the default value, unless using a third-party certificate for the SAML assertion.

    If using a third-party certificate, click Select Certificate and choose the appropriate certificate.

    ServiceNow requires the certificate to be in privacy-enhanced mail (PEM) format.

  10. If required, provide the Domain so you can download the metadata file to send to ServiceNow.

  11. Save your changes.
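The settings from steps 5 through 9 end up as fields of the SAML assertion that ServiceNow checks on every login. The following is an added example, not SecureAuth or ServiceNow code, that builds a constructed unsigned assertion from hypothetical values matching the guide's placeholders (issuer https://secureauthfqdn/Secureauthxx/, audience https://company.service-now.com, a NameID taken from the Email 2 property) and then applies the checks a service provider performs, so the effect of an Issuer mismatch, a wrong Audience, the SAML Offset Minutes and the SAML Valid Hours can be seen. It assumes, since the page does not say so, that the offset moves NotBefore that many minutes before the issue time and that the valid hours set NotOnOrAfter that many hours after it. XML signature verification is out of scope; a real SP verifies the signature with the IdP's PEM certificate before trusting any of these values.

```python
"""Added example, not SecureAuth or ServiceNow code.

Models the checks a SAML service provider such as ServiceNow applies to an
assertion produced from the Post Authentication settings.  Assumptions (not
stated on the page): SAML Offset Minutes moves NotBefore that many minutes
before the issue time; SAML Valid Hours sets NotOnOrAfter that many hours
after it.  Signature verification is deliberately omitted.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from xml.sax.saxutils import escape

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Hypothetical values mirroring the guide's placeholders (constructed).
ISSUER = "https://secureauthfqdn/Secureauthxx/"      # WSFed/SAML Issuer
AUDIENCE = "https://company.service-now.com"          # SAML Audience
ISSUED_AT = datetime(2020, 4, 20, 12, 0, tzinfo=timezone.utc)


def _ts(dt):
    return dt.astimezone(timezone.utc).strftime(TS_FMT)


def _parse_ts(text):
    return datetime.strptime(text, TS_FMT).replace(tzinfo=timezone.utc)


def build_assertion(issuer, audience, name_id, issued_at,
                    offset_minutes=5, valid_hours=1):
    """Construct a minimal unsigned SAML 2.0 assertion (constructed sample).

    name_id is the value of the property chosen in User ID Mapping, e.g. the
    Email 2 property that was mapped to the ServiceNow ID on the Data tab.
    """
    not_before = issued_at - timedelta(minutes=offset_minutes)   # skew tolerance
    not_on_or_after = issued_at + timedelta(hours=valid_hours)   # lifetime
    return (
        f'<saml:Assertion xmlns:saml="{NS["saml"]}" ID="_example" Version="2.0" '
        f'IssueInstant="{_ts(issued_at)}">'
        f"<saml:Issuer>{escape(issuer)}</saml:Issuer>"
        f'<saml:Subject><saml:NameID Format="{NAMEID_UNSPECIFIED}">'
        f"{escape(name_id)}</saml:NameID></saml:Subject>"
        f'<saml:Conditions NotBefore="{_ts(not_before)}" NotOnOrAfter="{_ts(not_on_or_after)}">'
        f"<saml:AudienceRestriction><saml:Audience>{escape(audience)}</saml:Audience>"
        f"</saml:AudienceRestriction></saml:Conditions></saml:Assertion>"
    )


def check_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return the reasons an SP would reject the assertion; [] means accepted."""
    root = ET.fromstring(xml_text)   # use defusedxml for XML received from the network
    problems = []

    issuer = root.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:     # exact string comparison, no normalisation
        problems.append(f"issuer mismatch: got {issuer!r}, expected {expected_issuer!r}")

    cond = root.find("saml:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if expected_audience not in audiences:
            problems.append(f"audience mismatch: {audiences} does not include {expected_audience!r}")
        not_before = cond.get("NotBefore")
        if not_before and now < _parse_ts(not_before):
            problems.append("not yet valid: clock difference exceeds SAML Offset Minutes")
        not_on_or_after = cond.get("NotOnOrAfter")
        if not_on_or_after is None:
            problems.append("missing NotOnOrAfter")
        elif now >= _parse_ts(not_on_or_after):
            problems.append("expired: SAML Valid Hours elapsed")

    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID: check User ID Mapping on the Post Authentication tab")
    return problems


if __name__ == "__main__":
    assertion = build_assertion(ISSUER, AUDIENCE, "jdoe@example.com", ISSUED_AT)
    print(check_assertion(assertion, ISSUER, AUDIENCE, ISSUED_AT))
    # Same assertion, but ServiceNow configured without the trailing slash:
    print(check_assertion(assertion, ISSUER.rstrip("/"), AUDIENCE, ISSUED_AT))
```

The second call shows why step 7 insists on an exact Issuer match: the only difference is a trailing slash, and the assertion is rejected. Evaluating the same assertion with a clock a few minutes behind the IdP is accepted only while the difference stays within the offset, and anything at or past the issue time plus the valid hours is expired.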


ServiceNow configuration steps

  1. In the ServiceNow Admin Console, navigate to Multi-Provider SSO and select Identity Providers. Click New.


    If the Multi-Provider SSO plugin is not yet active in your instance, activate it first by following Activate multiple provider single sign-on on the ServiceNow website.

  2. In the What kind of SSO are you trying to create section, click SAML.

  3. Configure the ServiceNow Identity Provider by importing the metadata that you downloaded in the Identity Platform configuration.

    On the Identity Provider New record page, an Import Identity Provider Metadata pop-up is displayed.

    1. Select XML and paste the contents of the metadata file you downloaded in step 10 of the Identity Platform configuration.

    2. Click Import.

      The required fields will be automatically populated.

  4. Activate the imported Identity Provider settings.

    1. Scroll down and select the Advanced tab. Check that User Field is set to email.

    2. Click Test Connection.

    3. Click Activate.

  5. Set email as the user identification value.

    1. On the left side, navigate to Multi-Provider SSO > Identity Providers > Properties.

    2. Check that Enable multiple provider SSO is set to Yes.

    3. Change the user identification field from user_name to email so that users who reach the "User identification" login page are identified by their email address.

    4. Save your changes.


Change the signing certificate

The certificate is set up automatically when the Identity Platform metadata is imported into ServiceNow, because the metadata includes the signing certificate.

If you need to change the signing certificate, you must do so manually. See the steps for installing a certificate for a generic identity provider in Install the identity provider certificate on the ServiceNow website.

Note

Only one certificate can be active at a time. To change the certificate, replace the existing one rather than adding a second.
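When the certificate has to be installed by hand rather than through the metadata import, the value ServiceNow wants is the same signing certificate that the metadata from step 10 carries as base64 DER, just re-wrapped as PEM. The following is an added example, not SecureAuth or ServiceNow code, that parses a constructed IdP metadata document (the entityID mirrors the guide's placeholder and the certificate bytes are a placeholder rather than a real certificate), pulls out the entityID and the signing certificate, emits the PEM block, and refuses metadata that advertises more than one signing certificate, since ServiceNow holds only one.

```python
"""Added example, not SecureAuth or ServiceNow code.

Extracts the entityID and signing certificate from IdP metadata and writes the
certificate in the PEM form ServiceNow expects.  Metadata carries the
certificate as base64 DER inside ds:X509Certificate; PEM is that same base64
wrapped at 64 columns between BEGIN/END CERTIFICATE lines.  The metadata and
the certificate bytes below are constructed placeholders.
"""
import base64
import textwrap
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Placeholder standing in for the DER-encoded signing certificate (constructed).
PLACEHOLDER_DER = b"placeholder bytes standing in for a DER-encoded X.509 signing certificate"


def sample_metadata(entity_id="https://secureauthfqdn/Secureauthxx/", cert_count=1):
    """Build constructed IdP metadata with cert_count signing KeyDescriptors."""
    b64 = base64.b64encode(PLACEHOLDER_DER).decode("ascii")
    # Metadata exporters often wrap the base64 across lines; the parser must tolerate it.
    wrapped = "\n      ".join(textwrap.wrap(b64, 40))
    key_descriptor = f"""
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {wrapped}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>"""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">{key_descriptor * cert_count}
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def signing_certs(metadata_xml):
    """Return the base64 DER of every signing certificate in the IDPSSODescriptor."""
    root = ET.fromstring(metadata_xml)   # use defusedxml for metadata fetched over the network
    certs = []
    for kd in root.findall("md:IDPSSODescriptor/md:KeyDescriptor", NS):
        # A KeyDescriptor without 'use' serves both purposes; skip encryption-only keys.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            certs.append("".join((cert.text or "").split()))   # drop line wrapping
    return certs


def to_pem(b64_der):
    """Re-encode base64 DER as a PEM CERTIFICATE block with 64-column lines."""
    der = base64.b64decode(b64_der, validate=True)   # reject anything that is not clean base64
    lines = textwrap.wrap(base64.b64encode(der).decode("ascii"), 64)
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Inverse of to_pem, used to confirm the PEM round-trips to the same bytes."""
    body = [line for line in pem.splitlines() if line and not line.startswith("-----")]
    return base64.b64decode("".join(body), validate=True)


def idp_signing_cert_pem(metadata_xml):
    """Return (entityID, PEM).  ServiceNow keeps one certificate at a time, so
    metadata advertising several signing certificates is reported rather than
    silently picking one of them."""
    root = ET.fromstring(metadata_xml)
    certs = signing_certs(metadata_xml)
    if len(certs) != 1:
        raise ValueError(f"expected exactly one signing certificate, found {len(certs)}")
    return root.get("entityID"), to_pem(certs[0])


if __name__ == "__main__":
    entity_id, pem = idp_signing_cert_pem(sample_metadata())
    print("Issuer / entityID:", entity_id)
    print(pem)
```

The entityID printed alongside the PEM is the value that must equal the WSFed/SAML Issuer configured in step 7 of the Identity Platform steps; checking both from the same file is a quick way to confirm the metadata you are about to import or the certificate you are about to paste belongs to the realm you think it does.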