× Welcome to the Centrify Community! We are rolling out product name changes — click here to learn more.

[HOWTO] Set up ServiceNow for SSO with Identity Service and the Multi-provider SSO Plugin

[HOWTO] Set up ServiceNow for SSO with Identity Service and the Multi-provider SSO Plugin

By Centrify Guru I on ‎12-04-2016 12:34 PM - last edited 3 weeks ago

Applicable Versions:  Fuji, Geneva, Helsinki and Istanbul (June 2017) 

 

Background

ServiceNow is a very popular IT Service Management solution that includes capabilities like workflow and approvals, asset management, discovery, orchestration and more.  In this post we'll discuss how to use Centrify Identity Service to secure ServiceNow by using the Multi-provider SSO plugin.  In subsequent posts we'll discuss provisioning, protecting shared credentials, using the Centrify ServiceNow store apps.

 

Why secure ServiceNow with Federated SSO?

There are multiple security and operations-related reasons to implement federated identity and SSO for ServiceNow.  A key reason is related to the fact that SN is a SaaS platform, this means that the enterprise is extended and information is accesible outside the enterprise datacenter.  Using federated SSO, allows the use for on-premises identity and access control to secure assets outside the enterprise.  This provides the assurance that only authorized internal users can access those assets.  Another reason is usability with SSO there's no need to duplicate passwords; finally there is the gains in operational efficiency by using a process (like adding a user to an AD group to provision access) or simply disabling the AD user account will disable access to ServiceNow automatically.

 

We'll use the Plan-Do (Implement)-Check (Test)-Adjust (Enhance) methodology:

 

What you'll need

  • A Centrify Identity Service Instance
  • A ServiceNow Instance or a Developer Instance (Fuji, Geneva, Helsinki or Istanbul)
  • Administrative accounts on both systems

Planning

Here are some planning topics for your ServiceNow/Centrify Identity Service Integration

  • What are the user populations that will have access to ServiceNow?  (e.g. AD, LDAP, Google Directory, etc.)
  • What will be the uniquely-identifying field to be used with the SAML assertion?
  • What will be the name for the CIS Role?  (e.g. SN Users)
  • Is the Multi-provider SSO plugin activated in the instance?
  • Will you use the Centrify-provided x.509 certificate?
    Note:  If you have an older tenant, the provided courtesy signing certificate might have been signed with the SHA1 algorithm.  You may want to update to SHA256.
  • Will the assertion be encrypted?
  • Will provisioning be used?  Are the SN groups created?
  • Will the MPSSO with Centrify be set as default?  Will passwords be eliminated?
  • Will ServiceNow be accessible from inside or outside the enterprise?  Will time or geo-fencing mechanisms will be implemented
  • Should ServiceNow access be protected with multi-factor authentication?
  • Will service provider-initiated (SP-initiated) connections be supported?

 

Implementation

Overview
These are the high-level steps to configure Centrify Identity Service as a provider for SSO.

  • In Identity Service: Create a Centrify Role that will be assigned the Centrify App
  • In ServiceNow - Activate the "Integration - Multiple Provides Single Sign-On Installer" plugin.
  • In Identity Service - Onboard  the  "ServiceNow - SAML + Provisioning"  template
  • In ServiceNow - Import the x.509 Certificate for the SAML assertion
  • In ServiceNow - Set-up, configure and enable the Identity Provider
  • In Identity Service - Configure the ServiceNow App

Create a CIS role with the ServiceNow users

  1. Log in to the Centrify Identity Service Admin Portal with a user with at least role management rights.
  2. Go to Roles > Add Role; in the Description tab, give it a name.
    sn-role.png
  3. In the Members tab, select the users from the target directory or directories, then press Save

 

Activate the "Integration - Multiple Provides Single Sign-On Installer" plugin

  1. Log into your ServiceNow instance with an administrative user
  2. In the Application Navigator (left pane), use the search feature and type "Plugins", this filters System Definition and click Plugins.
  3. Now in the right pane, next to System Plugins, in Name type  "Integration - Multiple"
  4. Click on "Integration - Multiple Provides Single Sign-On Installer"  (should be set as inactive, if it's not, skip to the next section)
  5. Under Related Links, Click "Activate/Upgrade" and Click Activate
    sn-activate.png
  6. After activation, the "Multi-Provider SSO" Application will be activated in ServiceNow.  This app contains these sections:  Getting Started, Identity Providers, Federations and Administration.
    idp.png

 

Onboard the  "ServiceNow - SAML + Provisioning"  template

  1. Sign-in to Identity Service with a user that at least has the Application Management right.
  2. In the Admin Portal go to  Apps > Add Web App, then search for "ServiceNow SAML + Provisioning"
    sn-cis-apps.png
  3. Click the Add button, confirm your selection and close the Add Web Apps window.
  4. In Identity Service, you'll be placed on the Application Settings tab for the ServiceNow app template, scroll down and click on Download Signing certificate
    sn-down-cert.png
  5. Open a text editor in your platform (Notepad, TextEdit or Vi) and open the downloaded file.  Copy the contents to memory.
    (Note:  the contents should be a PEM-encoded certificate)

 

Import the Certificate to the Multi-Provider SSO via x.509 Admin Module

  1. In ServiceNow > Multi-Provider SSO > Administration > x509 certs
  2. New Cert > Give it a unique name
  3. Format > PEM
  4. PEM Certificate >  paste the contents of memory loaded in the previous section
    cert-sn.png
  5. Press Save.

 

Configure the Identity Provider

  1. In ServiceNow > Multi-Provider SSO > Identity Providers
  2. Select New > SAML2 Update 1 > and when the "Import Identity Provider Metadata" pop-up comes up, select Cancel.
  3. At this point, you can use the table on this page to configure the settings.  This is because it depends on your directory source and optional settings.  Here's the configuration for a now decommissioned demo environment:
    sn-config.png
    Notes: 
    - The look and feel of the multi-provider SSO plugin varies between SN versions Fuji/Geneva, Helsinki/Istanbul and Jakarta.
    - The identity provider has to be set to Active and default if you want Service-Provider initiated to be possible.
    - The "Failed Requirement Redirect" is set to the same value as the "Identity Provider AuthnRequest."
    - The location of the x.509 certificate options varies.  You may have to save the identity provider first to see the option to select a certificate (e.g. Geneva, Helsinki, Istanbul), then update the identity provider.
    gen-hel-ist-x509.png
    - The default field option for the Identity Provider is email.  Modify this setting based on your planning and identity source field mappings (e.g. in my case user_name)
  4. Once finished, press Save

 

Enable Multi-Provider SSO

  1. In the Multi-Provider SSO app , select the Properties module
  2. Check the "Yes"  box under "Enable multiple provider SSO"
    sn-enable.png
  3. Press Save.  This completes the ServiceNow set-up for SSO.

 

(Optional) Enabling Service Provider Initiated (SP-Initiated) logins

There are two ways of doing this:

  • Setting-up the Identity Provider for Centrify as default
    idp-default.png
  • Setting-up the SSO Source at the company or user level
    Here's an excerpt from: ServiceNow's documentation

Note: If you are working with a previously-federated system, make sure you review the system property glide.security.url.whitelist (sys_properties.list). If this parameter is set, you have to add your tenant URL to the list, otherwise you may hit a loop as defined in ServiceNow KB0621688.

 

Configure the ServiceNow App in Identity Service

  1. In Identity Service, go back to ServiceNow > Application Settings
  2. If you haven't, type in the instance ID under "Your ServiceNow instance name", then click on User Access
  3. Check the box next to the Centrify Role that was created in the planning phase.  Click on Account Mapping
  4. Because in this example, we're using Active Directory as the user source, we are going to use "samaccountname"
    Note:  that's is the "username" field in Active Directory, therefore, the user ID in ServiceNow must match for each user.
    This is one way to do it, there is flexibility here.  Other common deployments use the email field.
    sn-mappings.png
  5. Testing your work in the Advanced page
    Use the test button with some users in the target role to make sure that the assertion will be correct.
    sn-testing.png

 

Testing

For testing, all you need to do is create an Active Directory Identity Service user and match the User ID in ServiceNow with the user's AD login name (samaccountname) and set it to active. 

 

  1. In ServiceNow go to User Administration > Users
  2. Click New
  3. In User ID, type the username of a user (AD, Centrify, LDAP, Google).
    For example, in my environment I'm using Lisa and I'm matching the UserID (user_name) with her Active Directory username (samaccountname).
    sn-lisa.png
  4. Since this will be an SSO user, there's no need to give it a password.  Press Submit.
  5. Now we need to give the user a role. In the user list, click on the newly-created user and scroll down to Roles and press Edit.
  6. Give the user a role (e.g. ITIL, press Save) then Update the user.
    In my example, I have a ServiceNow - ITIL Role in Identity Service, and this matches well.

 

Tests

  • Identity-provider initiated login
    This is when you launch the application from the Identity Provider's portal.
    1. Log in as your AD user, to the Identity Service User Portal. 
      lisa-portal.png
      You should see the user's assigned apps including ServiceNow
    2. Click on ServiceNow.  You should be signed into ServiceNow without a challenge.
      lisa-sn-home.png
  • Service-provider initiated login
    This is when you go directly to the application.
    1. Go to your instance URL and select external login. 
    2. When you type-in the username, you'll either be re-directed to your Identity Service portal for authentication, or if you have a current session (or Kerberos ticket and IWA enabled), you'll be placed in the app.
      sn-ext-login.png

      Note that this behavior can be modified if the SN multi-provider SSO is set as default and or using the optional step above (enabling SP initiated) section.

 

Enhancing the Implementation

There are several areas for enhancement, but these come to mind:

  • Enable Provisioning (next blog post)
  • Enable multi-factor authentication
  • Protect shared accounts
  • Enable workflow and approvals

Centrify-ServiceNow Resources

There are multiple resources available in the documentation and tech blogs:

Showing results for 
Search instead for 
Do you mean 
Labels

Community Control Panel