This article is a supplement to the ServiceNow documentation. For full documentation, please refer to the official ServiceNow website.

Introduction

Single sign-on (SSO) is a session and user authentication service that permits a user to use one set of login credentials – for example, a name and password – to access multiple applications.

Available Plugins

  • Integration - Multiple Provider Single Sign-On Enhanced UI
  • Integration - Multiple Provider Single Sign-On Installer

To install the plugin, follow the steps below:

  1. Navigate to System Definition > Plugins.
  2. Find the plugin using the filter criteria and the search bar.
  3. Activate the plugin.
  4. After installing the plugin, you can see the new applications in the navigator.

Property Update

  1. Navigate to Multi-Provider SSO > Properties.
  2. Select Yes for Enable Multiple provider SSO.
  3. Click Save.

SAML Configuration

  1. Navigate to Multi-Provider SSO > Identity Providers.
  2. Click New.
  3. You are asked what kind of SSO you are trying to create. Select SAML.
  4. An Import Identity Provider Metadata pop-up dialog appears.
  5. Copy and paste the Metadata URL and click Import. (Sign into the Okta Admin dashboard to obtain this value.)
  6. A page opens with auto-populated SAML settings.
  7. If you want this SAML configuration to be the default, check Default.
  8. Refer to the Multiple IdP section if you have multiple IdPs enabled.
  9. Scroll down, select the Encryption and Signing tab and update the fields below:
    • Signing/Encryption Key Alias: Set to saml2sp. If you created a different alias name for the SAML 2.0 keystore, enter that instead.
    • Signing/Encryption Key Password: Enter the password of your SAML 2.0 keystore. By default, the password is the same as the default alias name.
  10. Select the User Provisioning tab and uncheck Auto Provisioning User and Update User Record Upon Each Login.
  11. Select the Advanced tab and update the field below:
    • User Field: Specify the ServiceNow user attribute that you will be matching against Okta with SAML. By default, this is user_name, but it can be configured to match other attributes such as email, depending on your use case.

Note: You can select which field on the user record on the ServiceNow side is matched against the NameID in the SAML assertion. It can be email, username, or any other field on the user record.

    • Check Create AuthnContextClass.

Testing

  1. To test the SAML connection, click Test Connection on the top right.

Activate

Once the SAML tests pass, click Activate to activate the Identity Provider you just set up.

Advanced Configuration

Optionally, you can make the following advanced configurations:

  1. Force Authentication
  2. Single Log out
  3. SP-initiated SAML

Force Authentication

  1. Go to the Advanced tab and check Force AuthnRequest.
  2. In Okta, make sure you have unchecked the Disable Force Authentication option on the Sign On tab of the ServiceNow app.
  3. Click Update.

Single Log Out

  1. Enter the Identity Provider's SingleLogoutRequest URL. (Sign into the Okta Admin Dashboard to obtain this value.)
  2. Select the Encryption and Signing tab.
  3. Check Sign Logout Request.
  4. Select the Advanced tab. Change the Protocol Binding for the IDP's SingleLogoutRequest to the following: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
  5. Click Generate Metadata.
  6. The new metadata tab appears.
  7. Save the X509Certificate value. Create a file in a text editor in the following format:
     -----BEGIN CERTIFICATE-----
     [your x509 certificate value]
     -----END CERTIFICATE-----

  8. Save the text file as servicenow_slo.cert.
  9. In Okta, select the Sign On tab for the ServiceNow app, then click Edit.
  10. Check the Enable Single Logout box.
  11. Upload the servicenow_slo.cert file you saved earlier.
  12. Click Save.
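Steps 7 and 8 above have you hand-wrap the X509Certificate value from the generated metadata. The following is an added example (not code from the article, ServiceNow or Okta) that pulls the SP signing certificate out of a constructed, cut-down sample of the metadata, checks that the value really decodes to DER before trusting it, and writes servicenow_slo.cert in PEM form with 64-character lines; the sample certificate bytes, the entityID and the output file name are assumptions.

```python
import base64
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed stand-in for the X509Certificate value (75 bytes -> 100 base64 chars).
# A real one is the base64 DER of the saml2sp signing certificate; DER begins with
# the ASN.1 SEQUENCE tag 0x30, which the sanity check in to_pem() relies on.
SAMPLE_CERT_B64 = base64.b64encode(b"\x30\x82\x00\x47" + bytes(range(71))).decode()

# Constructed, cut-down SP metadata in the shape that Generate Metadata produces.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example.service-now.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_CERT_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def extract_signing_cert(metadata_xml: str) -> str:
    """Return the base64 body of the SP signing certificate with whitespace removed."""
    root = ET.fromstring(metadata_xml)
    # Prefer the KeyDescriptor marked use="signing"; fall back to any X509Certificate.
    node = root.find('.//md:KeyDescriptor[@use="signing"]//ds:X509Certificate', NS)
    if node is None:
        node = root.find(".//ds:X509Certificate", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("no X509Certificate found in metadata")
    return "".join(node.text.split())

def to_pem(cert_b64: str) -> str:
    """Wrap the base64 DER in PEM armour, 64 characters per line (RFC 7468 layout)."""
    der = base64.b64decode(cert_b64, validate=True)
    if not der or der[0] != 0x30:
        raise ValueError("value does not decode to a DER certificate")
    body = "\n".join(cert_b64[i:i + 64] for i in range(0, len(cert_b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def write_slo_cert(metadata_xml: str, path: str = "servicenow_slo.cert") -> str:
    pem = to_pem(extract_signing_cert(metadata_xml))
    with open(path, "w", encoding="ascii") as fh:  # the file uploaded to Okta in step 11
        fh.write(pem)
    return pem
```

Run write_slo_cert(SAMPLE_METADATA) to produce the file; with a real metadata download, pass its XML text instead of the sample.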

SP-initiated SAML

Determine which use case:

  • Single IdP
  • Multiple IdP - in this case, you need to set the sys_id for anyone who is not using the default IdP. The sys_id does not need to be set for any user who is going to go through the default IdP.

At this point, SAML single sign-on is configured for IdP-initiated flows from Okta into ServiceNow. To allow users to leverage Single Sign-On from the SP-Initiated flow (when they go directly to ServiceNow to log in), use the following instructions.

Note: SP-Initiated SAML can be enabled for an individual user or an entire company of users in ServiceNow. However, it cannot be enabled for specific groups of users.

  1. Navigate to Multi-Provider SSO > Identity Providers.
  2. Right-click an identity provider record and select Copy sys_id.

If you would like to enable SP-Initiated SAML on a user-by-user basis instead of for all users within a given company, do the following:

  3. Go to the sys_user table.
  4. Select a user and open the record.
  5. Open the Form Layout and add the SSO Source field to the form.
  6. Click Save.
  7. In the SSO Source field, type sso: and then paste the sys_id of the Identity Provider you created with the Multi-Provider SSO plugin. Click Save.

Users can now begin using SP-Initiated SAML with ServiceNow in two different ways.

  1. When they navigate to the default ServiceNow login page, they can choose Use external login and then enter their ServiceNow username in order to be redirected to Okta for SSO.
  2. Users can go directly to the following URL: https://[ServiceNowDomain]/login_with_sso.do?glide_sso_id=[sys_id value]