Updated April 20, 2020
Use this guide to enable multi-factor authentication and single sign-on (SSO) access via SAML to ServiceNow.
- Have a ServiceNow account.
- SecureAuth IdP 9.x deployed, with a new realm created for the integration with ServiceNow.
- Configure the following tabs in the Web Admin before configuring the Post Authentication tab: Overview, Data, Workflow, and Multi-Factor Methods.
SecureAuth IdP Web Admin configuration steps
Data tab
1. In the Profile Fields section, map the directory field that contains the user's ServiceNow ID to the SecureAuth IdP Property.
For example, map the ServiceNow ID field to the Email 2 property if the ID is not already mapped to another property.
2. Save the configuration before leaving the Data page.
Post Authentication tab
1. In the Post Authentication section, select SAML 2.0 (SP-initiated) Assertion page from the Authenticated User Redirect dropdown.
The Redirect To field auto-populates with a fixed URL (Authorized/SAML20SPInit.aspx) that cannot be edited; it is appended to the domain name and realm number shown in the address bar.
A customized post authentication page can be uploaded, but is not required.
2. In the User ID Mapping section, select the SecureAuth IdP property that corresponds to the directory field that contains the ServiceNow ID. In the following image, the property is set to Email 2. The Email 2 setting is mapped to the ServiceNow ID on the Data tab, in step 1.
3. Select urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified from the Name ID Format dropdown (default).
If required by ServiceNow, choose the option supplied by the Service Provider (SP).
4. Select False from the Encode to Base64 dropdown.
5. In the SAML Assertion / WS Federation section, set the WSFed/SAML Issuer to a unique name that is shared with ServiceNow, for example, the name you use for the single sign-on URL.
The WSFed/SAML Issuer must match exactly on the SecureAuth IdP side and the ServiceNow side.
6. Set the SAML Audience to https://<company>.service-now.com.
7. Provide the SP Start URL to enable SSO and to redirect users appropriately to access ServiceNow.
Example: https://<company>.service-now.com
8. Set the SAML Offset Minutes to account for time differences between devices.
9. Set the SAML Valid Hours to limit the time that the SAML assertion is valid.
10. No configuration is required for the WSFed Reply To/SAML Target URL, SAML Consumer URL, or SAML Recipient fields.
11. Leave the Signing Cert Serial Number as the default value, unless using a third-party certificate for the SAML assertion.
If using a third-party certificate, click Select Certificate and choose the appropriate certificate.
ServiceNow requires the certificate to be in privacy-enhanced mail (PEM) format.
12. If required, provide the Domain so you can download the metadata file to send to ServiceNow.
13. Save the configuration before leaving the Post Authentication page.
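The Issuer, Audience, Offset Minutes and Valid Hours settings from steps 5 through 9 only take effect because the service provider checks the corresponding assertion fields on every login. The following script is an added example, not SecureAuth IdP or ServiceNow code; it performs those SP-side checks on a constructed sample assertion using only the Python standard library. The names EXPECTED_ISSUER, EXPECTED_AUDIENCE, OFFSET_MINUTES and VALID_HOURS are assumptions that stand in for the values you configured, and the window-length rule (lifetime may not exceed Valid Hours plus twice the offset) is a policy choice for the demonstration, not a documented SecureAuth or ServiceNow rule.

```python
"""Check the issuer, audience, NameID format and validity window of a SAML 2.0 assertion.

Added example (not SecureAuth IdP or ServiceNow code). It mirrors what a service
provider such as ServiceNow verifies from the Post Authentication settings:
WSFed/SAML Issuer (exact match), SAML Audience, SAML Offset Minutes (tolerated
clock skew) and SAML Valid Hours. Signature verification is deliberately out of
scope; a real SP must verify the XML signature before trusting any of this.
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Assumed SP configuration for this example (stand-ins for the values set in steps 3-9).
EXPECTED_ISSUER = "secureauth-servicenow-sso"           # WSFed/SAML Issuer, compared exactly
EXPECTED_AUDIENCE = "https://company.service-now.com"   # SAML Audience
EXPECTED_NAME_ID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
OFFSET_MINUTES = 5   # like SAML Offset Minutes: clock skew tolerated on both ends
VALID_HOURS = 1      # like SAML Valid Hours: longest assertion lifetime accepted

# Constructed sample assertion (no signature element; values are illustrative only).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion-1" Version="2.0" IssueInstant="2020-04-20T12:00:00Z">
  <saml:Issuer>secureauth-servicenow-sso</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@company.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2020-04-20T11:58:00Z" NotOnOrAfter="2020-04-20T12:58:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://company.service-now.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_saml_time(value):
    """Parse a UTC xs:dateTime ('...Z', with or without fractional seconds)."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S.%fZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unsupported SAML timestamp: {value!r}")


def validate_assertion(xml_text, now, expected_issuer=EXPECTED_ISSUER,
                       expected_audience=EXPECTED_AUDIENCE,
                       expected_name_id_format=EXPECTED_NAME_ID_FORMAT,
                       offset_minutes=OFFSET_MINUTES, valid_hours=VALID_HOURS):
    """Return a list of problems found; an empty list means every check passed."""
    if isinstance(now, str):
        now = parse_saml_time(now)
    skew = timedelta(minutes=offset_minutes)
    problems = []
    root = ET.fromstring(xml_text)

    # Step 5: the issuer must match exactly, no case folding or trimming.
    issuer = root.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != expected_issuer:
        problems.append(f"issuer mismatch: {issuer!r}")

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        return problems + ["missing Conditions"]

    # Steps 8-9: accept the assertion only inside its window, allowing the offset.
    not_before = parse_saml_time(conditions.get("NotBefore"))
    not_on_or_after = parse_saml_time(conditions.get("NotOnOrAfter"))
    if now + skew < not_before:
        problems.append("assertion not yet valid")
    if now - skew >= not_on_or_after:
        problems.append("assertion expired")
    # Assumed policy: reject windows longer than Valid Hours plus the skew on each side.
    if not_on_or_after - not_before > timedelta(hours=valid_hours) + 2 * skew:
        problems.append("validity window longer than allowed")

    # Step 6: the assertion must be addressed to this SP.
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:
        problems.append(f"audience mismatch: {audiences}")

    # Step 3 and User ID Mapping: a NameID must be present, in the agreed format.
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("missing NameID")
    elif name_id.get("Format") not in (None, expected_name_id_format):
        problems.append(f"unexpected NameID format: {name_id.get('Format')!r}")

    return problems


if __name__ == "__main__":
    print(validate_assertion(SAMPLE_ASSERTION, "2020-04-20T12:30:00Z"))   # []
    print(validate_assertion(SAMPLE_ASSERTION, "2020-04-20T13:10:00Z"))   # ['assertion expired']
```

Two practical notes: the offset is applied on both ends of the window, which is why a large Offset Minutes value widens the replay window and should stay small; and xml.etree is used here only because the input is a constructed string, whereas assertions received over the network should be parsed with a hardened parser after the signature has been verified.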
Optional configuration settings
- To configure this realm's token or cookie settings, see Configure token or cookie settings.
- To configure this realm for SSO, see SecureAuth IdP Single Sign-on Configuration.
- To configure this realm for Windows Desktop SSO, see Windows desktop SSO configuration.
ServiceNow configuration steps
1. In the ServiceNow Admin Console, navigate to Multi-Provider SSO and select Identity Providers. Click New.
If the Multi-Provider SSO plugin is not yet activated in your instance, follow the steps in Activate multiple provider single sign-on on the ServiceNow website.
2. Click SAML in the What kind of SSO are you trying to create section.
3. Configure the ServiceNow Identity Provider by importing the metadata that you downloaded in the SecureAuth IdP configuration in step 12.
In the Identity Provider New record screen, an Import Identity Provider Metadata pop-up is displayed.
a. Select XML and paste the XML content you copied in the SecureAuth IdP configuration in step 12.
b. Click Import.
The required fields will be automatically populated.
4. Activate the imported Identity Provider settings.
a. Scroll down and select the Advanced tab. Check that User Field is set to email.
b. Click Test Connection.
c. Click Activate.
5. Set email as the user identification value.
a. On the left side, navigate to Multi-Provider SSO > Identity Providers > Properties.
b. Check that Enable multiple provider SSO is set to Yes.
c. Change user_name to email in the user identification field so that users accessing the "User identification" login page are identified by email.
Change the signing certificate
The certificate is set up automatically when the ServiceNow integration imports the SecureAuth IdP metadata, which includes the certificate.
If you need to change the signing certificate, you must do so manually. See the steps for installing a certificate for a generic identity provider in Install the identity provider certificate on the ServiceNow website.
Only one certificate can be used at a time. To change the certificate, replace it rather than adding the new one.
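The metadata file from step 12 is what carries the issuer name, the SSO endpoint and the signing certificate that ServiceNow imports in step 3 of the ServiceNow configuration, and the certificate section above is about replacing that one certificate. The script below is an added example, not SecureAuth IdP or ServiceNow code; it reads a constructed IdP metadata document, checks that a configured WSFed/SAML Issuer matches the metadata entityID exactly, insists on exactly one signing certificate, and writes the X509Certificate value out in the PEM format ServiceNow requires. The entityID, the endpoint URL and the certificate bytes in the sample are placeholders, not a real realm or a real certificate.

```python
"""Extract the signing certificate and endpoints from SAML 2.0 IdP metadata as PEM.

Added example; not SecureAuth IdP or ServiceNow code. The sample metadata and
the "certificate" bytes inside it are constructed placeholders that only
exercise the parsing and PEM wrapping.
"""
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for DER certificate bytes (NOT a real certificate).
FAKE_CERT_DER = bytes(range(256)) * 2
FAKE_CERT_B64 = base64.b64encode(FAKE_CERT_DER).decode()

# Constructed metadata in the shape an IdP publishes; entityID and URL are assumed values.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="secureauth-servicenow-sso">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.company.example/secureauth1/Authorized/SAML20SPInit.aspx"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def to_pem(b64_cert):
    """Wrap the base64 body from <ds:X509Certificate> in PEM armour with 64-column lines."""
    body = "".join(b64_cert.split())          # metadata files often line-wrap the value
    base64.b64decode(body, validate=True)      # reject a corrupted or truncated value early
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Inverse of to_pem: strip the armour lines and decode the base64 body."""
    lines = [l for l in pem.strip().splitlines() if not l.startswith("-----")]
    return base64.b64decode("".join(lines), validate=True)


def parse_idp_metadata(xml_text):
    """Return entityID, NameID formats, SSO endpoints by binding, and the signing cert as PEM."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")

    signing = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute serves both signing and encryption.
        if kd.get("use") in (None, "signing"):
            cert = kd.findtext("ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
            if cert and cert.strip():
                signing.append(cert)
    # ServiceNow uses one certificate at a time, so anything other than one is an error here.
    if len(signing) != 1:
        raise ValueError(f"expected exactly one signing certificate, found {len(signing)}")

    return {
        "entity_id": root.get("entityID"),
        "name_id_formats": [n.text for n in idp.findall("md:NameIDFormat", NS)],
        "sso": {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)},
        "signing_pem": to_pem(signing[0]),
    }


def issuer_matches(metadata, configured_issuer):
    """The WSFed/SAML Issuer must equal the metadata entityID exactly, no case folding."""
    return metadata["entity_id"] == configured_issuer


if __name__ == "__main__":
    meta = parse_idp_metadata(SAMPLE_METADATA)
    print(meta["entity_id"], meta["sso"])
    print(meta["signing_pem"])
```

When rotating the certificate, run the new metadata through the same parser and replace the single PEM block in ServiceNow rather than adding a second one, which matches the one-certificate-at-a-time rule above.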