ServiceNow SAML integration
Multi-Factor Authentication (MFA) is an extra layer of security used when logging in to websites or apps. A user is authenticated through more than one independent verification step, each relying on something only they know or have access to.
Security Assertion Markup Language (SAML) is an XML-based protocol for authenticating to web applications. It lets federated applications and organizations exchange, and trust, signed assertions about one another's users.
Arculix by SecureAuth, as a SAML provider, improves the user login experience for ServiceNow users with convenient MFA, and offers a simple SAML solution for adding MFA and single sign-on (SSO) to ServiceNow users.
Prerequisites
Configured Arculix instance and user account with administrative privileges for Arculix.
Configured Arculix LDAP Agent.
For more information, see the Arculix LDAP Agent deployment guide.
User account with administrative privileges for ServiceNow.
Ensure that you have a user account that has an admin role before enabling SAML. To configure a user as an admin, log in to your ServiceNow instance and select System Security > Users.
Select a specific user and, at the bottom section of the page under Roles, select Edit.
In the Collection field, type admin, select the right arrow, and then Save.
To verify that your user is an admin, from the System Administrator menu, select Impersonate User and enter the user you have promoted to admin.
Confirm that you can access the privileged operations, such as System Security.
Arculix SAML configuration as an Identity Provider (IdP)
In this section, you'll add an application for ServiceNow and set the SAML configuration settings. This will be the Identity Provider (IdP) side of the configuration.
Log in to Arculix with an administrative account and go to Applications.
Click Create New Application.
In the New Application form, on the General tab, set the following configurations:
Name
Set the name of the application. This is the name to display for push notifications, in the Admin panel, Application portal, and audit logs.
For example, ServiceNow.
Type
Set to SAML Service Provider.
Out of Band Methods
Select the allowed methods end users can choose to approve MFA requests.
For example, Arculix Mobile app (push notifications), SMS, or Security Key.
Message for MFA Requests
Optional. Type a message displayed to end users when sending an MFA request via push notification, SMS, or email.
Select the SAML Service Provider Configuration tab, and set the following configurations:
Issuer or Entity ID
The Issuer/EntityID of the SAML application. This must match the Entity ID / Issuer you later configure on the ServiceNow side.
For example,
https://my-servicenow-instance.servicenow.com
Log in URL
The link used by your users to access the ServiceNow instance. You can leave this field blank.
NameID Format
Set to Email Address.
Name Identifier
Set to Email.
ACS URL
Your ServiceNow instance URL. This is the Assertion Consumer Service endpoint to which Arculix sends SAML responses, so it must match your instance exactly.
For example,
https://my-servicenow-instance.servicenow.com
Response hosts
List of your ServiceNow instances.
Save your changes.
ServiceNow configuration
In this section, you'll configure ServiceNow as a service provider (SP).
Download the SAML metadata and certificate for your organization from Arculix.
Metadata download:
https://sso.acceptto.com/<myorganization>/saml/download/metadata
View metadata:
https://sso.acceptto.com/<myorganization>/saml/metadata
Certificate download:
https://sso.acceptto.com/<myorganization>/saml/download/cert
Log in to your ServiceNow instance.
On the left upper section of the page, type Plugins.
Search for and select the plugin for Integration - Multiple Provider Single Sign-On Installer.
Under Relative Links, click Activate/Upgrade.
Go back to the left upper section, search for and select Identity Providers.
Select New > SAML.
In the pop-up dialog, set it to import the Arculix metadata download URL.
For example,
https://sso.acceptto.com/<myorganization>/saml/download/metadata
This will pre-populate some of the required fields to configure the SAML Identity Provider.
On the Identity Provider record page, fill in any of the missing configurations.
Name
Set the name of the Identity Provider.
For example, Arculix.
Identity Provider URL
Your Arculix instance.
For example,
https://<myorganization>.acceptto.com/saml
Identity Provider AuthnRequest
Your Arculix instance login URL.
For example,
https://<myorganization>.acceptto.com/saml/auth
ServiceNow Homepage
Your ServiceNow instance homepage.
For example,
https://your-servicenow-instance.servicenow.com/navpage.do
Entity ID / Issuer
Your ServiceNow instance. This must be the same value you entered as Issuer or Entity ID in the Arculix application.
For example,
https://your-servicenow-instance.servicenow.com
Audience URI
The target audience of the SAML response, in essence, your instance. ServiceNow checks this value against the Audience element in the assertion.
For example,
https://your-servicenow-instance.servicenow.com
NameID Policy
The subject or name identifier inside the SAML response to an authentication request.
In this case, the user's email:
urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress
In the Advanced tab, make sure that the following fields are completed:
User Field
Set the user identifier. In this case, set to
email
Protocol Binding for the IDP's SingleLogoutRequest
The method by which the SP connects to the IdP for logout requests.
In this specific case, set to
urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
Once the SAML configuration is finished, import the Arculix IdP certificate by selecting New under the X.509 Certificate tab and fill in the following fields:
PEM Certificate
Paste the content of the Arculix IdP x.509 Certificate into this field.
The certificate can be downloaded at:
https://sso.arculix.com/<myorganization>/saml/download/cert
ServiceNow uses this certificate to verify the signature on SAML responses from Arculix, so paste only the certificate obtained from your own Arculix tenant.
Name
An identifier of the certificate.
For example, Arculix IdP Certificate.
Save the certificate by selecting Submit.
Before you can activate the newly configured IdP, select Test Connection on the middle section of the page.
A new webpage should pop up with the Arculix portal.
Once you log in successfully, a page will appear with the test results.
You can ignore the error shown for the SSO Logout Test Results.
Click Activate to enable the IdP.
Go back to the search box on the upper left section of the page and type Multi-Provider SSO, then, under Administration, select Properties.
Make sure that the following controls are set:
Enable multiple provider SSO
Yes
Enable debug logging for multiple provider SSO integration
Yes (optional)
The field on the user table that identifies a user accessing the "User identification" login page. By default, it uses the 'user_name' field
Set to email
Click Save.
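The values entered on the two sides of this integration (Issuer or Entity ID and ACS URL in Arculix; Entity ID / Issuer, Audience URI and NameID Policy in ServiceNow) are what the service provider checks when a SAML response arrives. The following Python script is an added example, not code from Arculix or ServiceNow, that performs those relying-party checks on a constructed, unsigned sample response: Issuer equals the IdP entity ID, Destination and Recipient equal the ACS URL, the Audience contains the SP Entity ID, the NameID is in emailAddress format, InResponseTo matches the request that was sent, and the validity window contains the current time. Signature verification is deliberately left out; ServiceNow performs it with the imported X.509 certificate, and without it none of these checks protect anything. The tenant example-org, the instance my-servicenow-instance, the user alice@example.com and the IDs _req1/_resp1/_a1 are placeholders.

```python
"""Relying-party checks on a SAML response (added example; constructed sample, no signature check)."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress"

# Placeholder values standing in for what the administrator typed on each side.
CONFIG = {
    "idp_entity_id": "https://example-org.acceptto.com/saml",         # Arculix IdP Issuer
    "sp_entity_id": "https://my-servicenow-instance.servicenow.com",  # ServiceNow Entity ID / Audience URI
    "acs_url": "https://my-servicenow-instance.servicenow.com",       # ACS URL entered in Arculix
}

# Constructed sample response; unsigned, so it would never pass a real SP.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_resp1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z"
    Destination="https://my-servicenow-instance.servicenow.com" InResponseTo="_req1">
  <saml:Issuer>https://example-org.acceptto.com/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>https://example-org.acceptto.com/saml</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1"
            Recipient="https://my-servicenow-instance.servicenow.com" NotOnOrAfter="2024-01-01T12:05:00Z"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://my-servicenow-instance.servicenow.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def subject_email(xml_text: str) -> str:
    """The NameID value, which ServiceNow maps onto the 'email' User Field."""
    root = ET.fromstring(xml_text)
    return (root.findtext("saml:Assertion/saml:Subject/saml:NameID", namespaces=NS) or "").strip()


def validate_response(xml_text: str, cfg: dict, now: datetime, expected_request_id: str = None) -> list:
    """Return a list of problems; an empty list means every configured value matched."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        return ["document is not a samlp:Response"]
    problems = []
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        problems.append("status is not Success")
    if root.get("Destination") != cfg["acs_url"]:
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    if expected_request_id and root.get("InResponseTo") != expected_request_id:
        problems.append("InResponseTo does not match the AuthnRequest we sent")
    if root.findtext("saml:Issuer", namespaces=NS) != cfg["idp_entity_id"]:
        problems.append("response Issuer is not the configured IdP")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:  # encrypted or multiple assertions are out of scope here
        problems.append(f"expected exactly one plain Assertion, found {len(assertions)}")
        return problems
    a = assertions[0]
    if a.findtext("saml:Issuer", namespaces=NS) != cfg["idp_entity_id"]:
        problems.append("assertion Issuer is not the configured IdP")
    nameid = a.find("saml:Subject/saml:NameID", NS)
    if nameid is None or nameid.get("Format") != EMAIL_FORMAT or not (nameid.text or "").strip():
        problems.append("NameID missing or not in emailAddress format")
    scd = a.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    if scd is None:
        problems.append("no SubjectConfirmationData")
    else:
        if scd.get("Recipient") != cfg["acs_url"]:
            problems.append("SubjectConfirmationData Recipient is not the ACS URL")
        if scd.get("NotOnOrAfter") and now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("SubjectConfirmationData has expired")
        if expected_request_id and scd.get("InResponseTo") != expected_request_id:
            problems.append("SubjectConfirmationData InResponseTo does not match the request")
    cond = a.find("saml:Conditions", NS)
    if cond is None:
        problems.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion is not yet valid (NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion has expired (NotOnOrAfter)")
        audiences = [(x.text or "").strip() for x in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if cfg["sp_entity_id"] not in audiences:
            problems.append(f"Audience {audiences} does not include our Entity ID")
    return problems
```

Running validate_response against the sample at 12:01 with request ID _req1 returns no problems; changing the Audience, the Destination, the request ID or the clock makes the corresponding check fail, which is exactly the behaviour a wrong Entity ID, ACS URL or NameID setting in the steps above produces in ServiceNow.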
Test your application integration
1. Go to your ServiceNow instance.
2. You will be redirected to the Arculix SSO page.
3. After successful authentication, select your preferred MFA method to approve access to the ServiceNow application.
If something does not work as expected in steps 1 to 3, log in to your ServiceNow instance with the admin account created in the prerequisites section of this document, using your local credentials at the URL
https://your-servicenow-instance.servicenow.com/login.do
This allows you to bypass SAML for local accounts such as the admin user. Because this local login path stays reachable after SSO is enabled, limit it to the accounts that need it and protect those accounts with strong, unique passwords.
Support
If you have questions or need assistance, contact SecureAuth Support.
Sales
Want to learn more about our MFA solutions? Contact our Professional Services for a demo today.
Disclaimer
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands do not constitute an endorsement by the SecureAuth Corporation.