Skip to main content

ServiceNow SAML integration

Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Individuals are authenticated through more than one required security and validation procedure that only they know or have access to.

Security Assertion Markup Language (SAML) is a protocol for authenticating to web applications. SAML allows federated apps and organizations to communicate and trust one another’s users.

Arculix by SecureAuth, as a SAML provider, improves the user login experience for ServiceNow users with convenient MFA, and offers a simple SAML solution for adding MFA and single sign-on (SSO) to ServiceNow users.

Prerequisites

  • Configured Arculix instance and user account with administrative privileges for Arculix.

  • Configured Arculix LDAP Agent.

    For more information, see the Arculix LDAP Agent deployment guide.

  • User account with administrative privileges for ServiceNow.

    • Ensure that you have a user account that has an admin role before enabling SAML. To configure a user as an admin, login to your ServiceNow instance and select System Security > Users.

    • Select a specific user and at the bottom section of the page, under Roles, select edit.

    • In the Collection field type admin, select the right arrow, and then Save.

    • To verify that your user is an admin, from the System Administrator menu, select Impersonate User . Enter the user you have promoted to admin.

      servicenow_impersonate.png
    • Access the privileged operations options, such as System Security.

Arculix SAML configuration as an Identity Provider (IdP)

In this section, you'll add an application for ServiceNow and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.

  1. Log in to Arculix with an administrative account and go to Applications.

  2. Click Create New Application.

    Create new application
  3. In the New Application form, on the General tab, set the following configurations:

    Name 

    Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.

    For example, ServiceNow.

    Type 

    Set to SAML Service Provider.

    Out of Band Methods 

    Select the allowed methods end users can choose to approve MFA requests.

    For example, Arculix Mobile app (push notifications), SMS, or Security Key.

    Message for MFA Requests 

    Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.

    arculix_new_app_servicenow.png
  4. Select the SAML Service Provider Configuration tab, and set the following configurations:

    Issuer or Entity ID 

    The Issuer/EntityID of the SAML application.

    For example, https://my-servicenow-instance.servicenow.com.

    Log in URL 

    The link used by your users to access the ServiceNow instance. You can leave this field blank.

    NameID Format 

    Set to Email Address.

    Name Identifier 

    Set to Email.

    ACS URL 

    Your ServiceNow instance URL.

    For example, https://my-servicenow-instance.servicenow.com.

    Response hosts

    List of your ServiceNow instances.

    arculix_new_app_servicenow2.png
  5. Save your changes.

ServiceNow configuration

In this section, you'll configure ServiceNow as a service provider (SP).

  1. Download the SAML metadata and certificate for your organization from Arculix.

    Metadata download: https://sso.acceptto.com/<myorganization>/saml/download/metadata

    View metadata: https://sso.acceptto.com/<myorganization>/saml/metadata

    Certificate download: https://sso.acceptto.com/<myorganization>/saml/download/cert

  2. Log in to your ServiceNow instance.

  3. On the left upper section of the page, type Plugins.

  4. Search for and select the plugin for Integration - Multiple Provider Single Sign-On Installer.

  5. Under Relative Links, click Activate/Upgrade.

  6. Go back to the left upper section, search for and select Identity Providers.

  7. Select New > SAML.

    In the pop up dialog, set it to import the Arculix metadata download URL.

    For example, https://sso.acceptto/<myorganization>/saml/download/metadata.

    This will pre-populate some of the required fields to configure the SAML Identity Provider.

    servicenow_import_meta.png
  8. On the Identity Provider record page, fill in any of the missing configurations.

    Name

    Set the name of the Identity Provider.

    For example, Arculix.

    Identity Provider URL

    Your Arculix instance.

    For example, https://<myorganization>.acceptto.com/saml.

    Identity Provider AuthnRequest

    Your Arculix instance login URL.

    For example, https://<myorganization>.acceptto.com/saml/auth.

    ServiceNow Homepage

    Your ServiceNow instance homepage.

    For example: https://your-servicenow-instance.servicenow.com/navpage.do.

    Entity ID / Issuer

    Your ServiceNow instance.

    For example, https://your-servicenow-instance.servicenow.com.

    Audience URI

    The target audience of the SAML response, in essence, your instance.

    For example, https://your-servicenow-instance.servicenow.com.

    NameID Policy

    The subject or name identifier inside the SAML response to an authentication request.

    In this case, the user’s email: urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress.

    servicenow_advanced_settings.png
  9. In the Advanced tab, make sure that the following fields are completed:

    User Field

    Set the user identifier. In this case, set to email.

    Protocol Binding for the IDP’s SingleLogoutRequest

    The method by which the SP connects to the IdP for logout requests.

    In this specific case, set to urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect.

  10. Once the SAML configuration is finished, import the Arculix IdP certificate by selecting New under the X.509 Certificate tab and fill in the following fields:

    PEM Certificate

    Paste the content of the Arculix IdP x.509 Certificate into this field.

    The certificate can be downloaded at: https://sso.arculix.com/<myorganization>/saml/download/cert.

    Name

    An identifier of the certificate.

    For example, Arculix IdP Certificate.

    servicenow_pem_cert.png
  11. Save the certificate by selecting Submit.

  12. Before you can activate the newly configured IdP, select Test Connection on the middle section of the page.

    A new webpage should pop up with the Arculix portal.

    Application login page with email
  13. Once you log in successfully, a page will appear with the test results.

    You can ignore the error shown for the SSO Logout Test Results.

    servicenow_sso_test_results.png
  14. Click Activate to enable the IdP.

  15. Go back to the search box on the upper left section of the page and type Multi-Provider SSO, then select Properties below the administration.

    Make sure that the following controls are set:

    Enable multiple provider SSO

    Yes

    Enable debug logging for multiple provider SSO integration

    Yes (optional)

    The field on the user table that identifies a user accessing the "User identification" login page. By default, it uses the 'user_name' field

    Set to email

    servicenow_sso_properties.png
  16. Click Save.

Test your application integration

  1. Go to your ServiceNow instance.

  2. You will be redirected to the Arculix SSO page.

    Application login page with email
  3. After successful authentication, select your preferred MFA method to approve access to the ServiceNow application.

    Select MFA method
  4. If something does not work as expected in steps 1 to 3, log in to your ServiceNow instance with an account created in the prerequisites section of this document using the URL pointing to https://your-servicenow-instance.servicenow.com/login.do, using your local credentials.

    This will allow you to bypass SAML for accounts such as the admin user.

Support

If you have questions or need assistance, contact SecureAuth Support.

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.