ServiceNow is a very popular IT Service Management solution that includes capabilities like workflow and approvals, asset management, discovery, orchestration and more. This is the third article in the series. We have already covered ServiceNow federation using the Multi-provider SSO plugin and automatic provisioning with the Centrify Identity Service app. In this post we'll walk through setting up the Centrify App Access app for ServiceNow, which adds ServiceNow workflow and approvals to requests for Centrify Identity Service applications.
Centrify's Access Request vs. ServiceNow Workflow
We often get questions about which solution to use for self-service requests and approvals for applications or privileges. The answer is simple: if you already handle all your requests in ServiceNow, keep doing so. That preserves standardization and a unified user experience. The Centrify workflow engine is designed to cover the basic needs of Centrify products, while ServiceNow is a full-fledged service management solution.
We'll continue to use the Plan, Do (Implement), Check (Test), Adjust (Enhance) methodology. This post assumes working knowledge of Identity Service and ServiceNow.
What you'll need
- A Centrify Identity Service Instance with some published apps assigned to roles
- A ServiceNow instance that allows you to install apps (non-developer), with federated access to your Identity Service instance. For details on how to set up SAML federation with the Multi-provider SSO plugin, review the links at the end of this post.
- Administrative accounts on both systems
During planning, discuss with your infrastructure, operations and security teams about these topics:
- Will you have a single approval group or multiple approval groups per application?
Depending on the application(s) in question, a single group or several groups may need to approve, and the approving group can differ per app.
- How will the workflow be designed?
This is very organization-dependent. Some organizations choose automatic approval for simple apps and human approval when an app consumes a license or grants access to sensitive data.
- Have you identified a Default Approval Group in ServiceNow?
Only needed if you choose to have a single group approve access to all apps.
- Have you mapped all apps to ServiceNow groups for the purposes of approval?
E.g. the "twitter" app is approved by the Social Media group; the "O365" app is approved by the manager and then the security department.
- Have you created a CIS role and policy set for the servicenow service account?
The servicenow account in Identity Service requires at minimum the "Role Management" and "Application Management" rights. It also needs a policy that allows username/password login, because the REST calls the app makes cannot answer multi-factor authentication challenges.
- Will you have SLAs tied to your application requests?
Although outside the scope of this post, ServiceNow offers a lot of flexibility when designing workflows, including expiring workflow requests that are not approved within a defined duration.
Implementation steps
- Create an Identity Service user
- Create an Identity Service role with the minimum rights
- Create an Identity Service Policy to allow user/password login
- Download and Install Centrify App Access from the ServiceNow App Store
- Configure Centrify App Access
Create an Identity Service user
For this integration you'll need a service account (creating users is assumed knowledge for this article). To practice least privilege, this account must belong to a role with exactly two rights: Application Management and Role Management. These are what the app needs in order to modify role membership and application attributes; don't grant it System Administrator.
When creating the user, be mindful of options that can cause an outage (like password expiration), and practice proper rotation and complexity based on your internal policy.
Create an Identity Service role with the minimum rights
When you create the role, grant the two rights illustrated below and add the previously-created user to this role.
Create an Identity Service Policy to allow user/password login
This step may require you to create an Authentication profile that only asks for a password (Settings > Authentication > Authentication profiles). This is needed because, by default, Identity Service asks for a step-up method on any connection it does not recognize.
- Log on to Identity Service with an administrative account
- Go to Policies > New Policy
- In Policy Settings, scroll down and select the "Specified roles" radio button
- Press Add and browse for the role created in the previous step.
- On the left pane expand User Security Policies > Login Authentication and select Yes to enable.
- Under default profile (used if no conditions matched) select your Auth profile that only challenges for password.
- Press Save
- In an incognito browser window, try to log in to the service with the newly-created account. You should be prompted only for the username and then the password. If a second factor is still requested, the policy is not matching the role (check the role membership and the policy's "Specified roles" setting) or the default policy is taking precedence.
Important: Make sure that the policy applies only to the members of the role created for this integration, so that no other user inherits a password-only login.
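Beyond the manual incognito-window test, you can check the same thing programmatically: the app's REST calls start a login with the StartAuthentication call and can only proceed if the only challenge offered is the password mechanism. The following is an added example, not code from the original post or from the Centrify app. It assumes the /Security/StartAuthentication and /Security/AdvanceAuthentication endpoints, the X-CENTRIFY-NATIVE-CLIENT header and the response shape (Result.Challenges[].Mechanisms[].Name, with "UP" meaning username/password) as described in the public Centrify Identity Platform API documentation; the two sample responses are constructed here so the classification runs offline.

```python
"""
Check that the Identity Service policy for the integration service account
really yields a password-only login and that no MFA step-up is in play.

Added example; not part of the original post or of the Centrify App Access app.
Assumed (from the public Identity Platform REST API docs): the two /Security
endpoints, the X-CENTRIFY-NATIVE-CLIENT header and the response shape below.
The sample responses are constructed, not captured from a real tenant.
"""
import json
import urllib.request

TENANT_URL = "https://your-tenant.my.centrify.com"  # placeholder, replace
SERVICE_ACCOUNT = "servicenow@your-tenant"          # placeholder, replace

# Mechanism name for username/password in StartAuthentication challenges
# (assumed from the API documentation).
PASSWORD_MECH = "UP"


def start_auth_body(user):
    """Body for POST /Security/StartAuthentication."""
    return {"User": user, "Version": "1.0"}


def classify_challenges(start_auth_response):
    """Classify the JSON body returned by StartAuthentication.

    'password-only': exactly one challenge whose only mechanism is UP.
    'mfa':           more than one challenge, or any non-UP mechanism offered
                     (the service account would be stuck at a step-up prompt).
    'unknown':       call failed or the shape was not recognized.
    """
    if not start_auth_response.get("success"):
        return "unknown"
    challenges = start_auth_response.get("Result", {}).get("Challenges")
    if not isinstance(challenges, list) or not challenges:
        return "unknown"
    mechs = [m.get("Name") for c in challenges for m in c.get("Mechanisms", [])]
    if len(challenges) == 1 and mechs == [PASSWORD_MECH]:
        return "password-only"
    return "mfa"


def password_mechanism_id(start_auth_response):
    """MechanismId to answer with the password, or None if it is not offered."""
    for c in start_auth_response.get("Result", {}).get("Challenges", []):
        for m in c.get("Mechanisms", []):
            if m.get("Name") == PASSWORD_MECH:
                return m.get("MechanismId")
    return None


def advance_auth_body(session_id, mechanism_id, password):
    """Body for POST /Security/AdvanceAuthentication answering the UP challenge."""
    return {"SessionId": session_id, "MechanismId": mechanism_id,
            "Action": "Answer", "Answer": password}


def live_check(tenant_url, user):
    """Live call against a tenant (not executed offline); returns the class."""
    req = urllib.request.Request(
        tenant_url.rstrip("/") + "/Security/StartAuthentication",
        data=json.dumps(start_auth_body(user)).encode(),
        headers={"Content-Type": "application/json",
                 "X-CENTRIFY-NATIVE-CLIENT": "true"},
    )
    with urllib.request.urlopen(req, timeout=15) as resp:
        return classify_challenges(json.load(resp))


# Constructed sample responses (shape assumed; values are made up).
SAMPLE_PASSWORD_ONLY = {
    "success": True,
    "Result": {"SessionId": "sess-1", "TenantId": "ABC0001", "Challenges": [
        {"Mechanisms": [{"Name": "UP", "MechanismId": "mech-up-1",
                         "AnswerType": "Text"}]}]}}

SAMPLE_WITH_STEP_UP = {
    "success": True,
    "Result": {"SessionId": "sess-2", "TenantId": "ABC0001", "Challenges": [
        {"Mechanisms": [{"Name": "UP", "MechanismId": "mech-up-2",
                         "AnswerType": "Text"}]},
        {"Mechanisms": [{"Name": "OATH", "MechanismId": "mech-oath-2",
                         "AnswerType": "Text"},
                        {"Name": "SMS", "MechanismId": "mech-sms-2",
                         "AnswerType": "StartTextOob"}]}]}}

if __name__ == "__main__":
    for label, sample in (("password-only policy", SAMPLE_PASSWORD_ONLY),
                          ("step-up still applied", SAMPLE_WITH_STEP_UP)):
        print(f"{label}: {classify_challenges(sample)}")
    # To test a real tenant: print(live_check(TENANT_URL, SERVICE_ACCOUNT))
```

Run the live check from the same network the ServiceNow instance uses, since the auth policy can include conditions on the source. A result of "mfa" means the policy is not matching the service account's role and the sync job will fail until the role membership or the policy's role selection is corrected.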
Download and Install Centrify App Access from the ServiceNow App Store
- Go to the ServiceNow app store and search for Centrify.
- Click on Centrify App Access
- Click "Get" to make the Centrify App Access app available for your ServiceNow instances.
- Go to the ServiceNow instance, select System Applications > Applications > Downloads to locate the app then click Install to install it.
Configure Centrify App Access
- In the application pane (left) navigate to Centrify App Access > Properties and populate these three fields:
Centrify Cloud Tenant URL: the URL for your identity service tenant. (e.g. https://your-tenant.my.centrify.com)
Centrify Cloud Service Account: the account you created in previous steps
Centrify Cloud Service Account Password: the strong password you created for the user
- Default Approval Group (Optional): now you have a decision to make based on the planning above. Populate the "Default Approval Group" if you decided to use a single ServiceNow group to approve all application requests. Find the group in ServiceNow (System Security > Groups), right-click it, choose "Copy sys_id" and paste the value into the Default Approval Group field. If you plan to have approval groups per app, leave the field empty. Press Save.
- Go to Centrify App Access > Customize API Sync
- Set the Active checkbox
- Select an appropriate interval based on your SLAs (e.g. 1 hour)
- Press Save and then Execute Now.
This job synchronizes the CIS apps and roles with ServiceNow, which is why the service account needs the Application Management and Role Management rights.
If you set up a "Default Approval Group" you can skip this part. Otherwise you now need the list of all apps and the corresponding approval group for each one. For example, the "Amazon as root" app will be approved by the Software group included with the sample data of the ServiceNow instance, using the canned workflow for software.
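Before entering the per-app approval groups, it pays to validate the mapping from the planning stage: every synced app must resolve to an existing ServiceNow group (a 32-character hex sys_id), and any app left out of the map only gets an approver if a Default Approval Group is set. The following is an added example, not code from the original post or from the Centrify app; the app list stands in for what the "Customize API Sync" job pulls from Identity Service, the group table stands in for an export of sys_user_group, and all names and sys_ids are constructed.

```python
"""
Validate the app-to-approval-group map before configuring Centrify App Access.

Added example; not part of the original post or of the Centrify app. All data
below is constructed: APPS stands in for the app list pulled by the API sync,
GROUPS for a name/sys_id export of ServiceNow's sys_user_group table.
"""
import re

SYS_ID_RE = re.compile(r"^[0-9a-f]{32}$")  # ServiceNow sys_id: 32 hex chars

# Constructed sample data (not from a real tenant or instance).
APPS = ["Amazon as root", "O365", "twitter", "Salesforce"]
GROUPS = {  # group name -> sys_id
    "Software":     "0123456789abcdef0123456789abcdef",
    "Social Media": "fedcba9876543210fedcba9876543210",
    "Security":     "00112233445566778899aabbccddeeff",
}
# App -> approval group, by name or by sys_id. "Salesforce" is deliberately
# left out to show what happens with and without a default group.
APP_TO_GROUP = {
    "Amazon as root": "Software",
    "twitter": "Social Media",
    "O365": "00112233445566778899aabbccddeeff",  # sys_id pasted directly
}


def resolve_group(ref, groups):
    """Turn a group name or sys_id into a sys_id; None if it can't be resolved."""
    if ref in groups:
        return groups[ref]
    if SYS_ID_RE.match(ref or "") and ref in groups.values():
        return ref
    return None


def build_approval_map(apps, app_to_group, groups, default_group=None):
    """Return (mapping, problems).

    mapping:  app -> group sys_id for every app that ends up with an approver.
    problems: apps that would have no approver, or references to groups that
              do not exist. Without a default group these apps can be
              requested but nobody can approve the request.
    """
    mapping, problems = {}, []
    default_id = resolve_group(default_group, groups) if default_group else None
    if default_group and default_id is None:
        problems.append(f"default approval group {default_group!r} not found")
    for app in apps:
        ref = app_to_group.get(app)
        if ref is None:
            if default_id:
                mapping[app] = default_id
            else:
                problems.append(f"{app!r}: no approval group and no default")
            continue
        sys_id = resolve_group(ref, groups)
        if sys_id is None:
            problems.append(f"{app!r}: approval group {ref!r} not in sys_user_group")
        else:
            mapping[app] = sys_id
    return mapping, problems


if __name__ == "__main__":
    for default in (None, "Software"):
        mapping, problems = build_approval_map(APPS, APP_TO_GROUP, GROUPS, default)
        print(f"default={default!r}: {len(mapping)} mapped, {len(problems)} problem(s)")
        for p in problems:
            print("  -", p)
```

Feed it the real app list after the first sync and the real group export, and fix every reported problem before users start raising requests; an app with no resolvable approver is the most common reason a request sits in "Requested" forever.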
To verify the app, run through the request workflow for each app (or each independent approval group you defined). For example, in my scenario I chose independent approval groups per app: my requester (Stewie) requests the app, and the request has to be approved by the ITIL user.
Once the request (and the underlying task) is approved, the app adds the requester to the role that grants access to the application, and the app icon shows up in the user's portal automatically. If the icon does not appear, check that the service account still has Role Management and that the API sync job is active.
Security analysts and auditors may require reports of who has requested and approved apps. These are readily available from the service catalog requests or under the Centrify App Access approvals section.
Centrify & ServiceNow Resources
There are multiple resources available in the documentation and tech blogs:
- Centrify App Access Documentation
- How to set up ServiceNow for SSO with Identity Service and the Multi-provider SSO Plugin
- How to set up Centrify Identity Service automatic provisioning for ServiceNow
- How to set up the Centrify Privilege Access Request ServiceNow App
- Video: Centrify and ServiceNow configuration overview by @Andy-Z
- Video: ServiceNow Application Access Request Overview by @Andy-Z
- Video: ServiceNow Application Access Request Walkthrough by @Andy-Z
- Video: Centrify Privileged Access Request for ServiceNow by @Andy-Z
- [Labs] Integrating ServiceNow Approvals to Centrify-enhanced sudo using the dzdo validator