Configuring ServiceNow for Single Sign-on

The following steps are specific to this application and are required in order to enable SSO. For information on optional configuration settings available in the Centrify Admin Portal, see Optional configuration settings.

To configure ServiceNow for SSO:

  1. Add the ServiceNow application in Admin Portal.

    1. In the Admin Portal, select Apps > Web Apps, then click Add Web Apps.

      The Add Web Apps screen appears.

    2. Navigate to the Custom tab and find SAML.

    3. Next to the application, click Add.
    4. In the Add Web App screen, click Yes to confirm.
    5. Click Close to exit the Application Catalog.

      The application that you just added opens to the Settings page.

    6. Click the Trust page to begin configuring the application.

      The UI is evolving in order to simplify application configuration. You might have to select Manual Configuration to expose the settings described below.

      Any previously configured applications retain their configuration and do not require reconfiguration. If you are configuring an application for the first time, refer to the Trust page for any settings previously found on the Application Settings page.

      In addition, the description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a certificate file for the latest information.

  2. (Optional) In the Service Provider Configuration > Manual Configuration area, select Encrypt SAML Response Assertion to use an encryption certificate to encrypt the SAML Response Assertion.

  3. In the Identity Provider Configuration area of the Trust page, expand the certificate area and select the certificate that you want to use for the application, then click Download.

  4. On the Settings page in the Admin Portal, specify the following settings:

    • Your ServiceNow instance name: Enter your ServiceNow instance name. For example, if you log in to ServiceNow using https://acme.service-now.com, enter acme.

    • Application ID: Configure this field if you are deploying a mobile application that uses the Centrify mobile SDK, for example mobile applications that are deployed into a Samsung KNOX version 1 container. Privileged Access Service uses the Application ID to provide single sign-on to mobile applications. Note the following:

      The Application ID has to be the same as the text string that is specified as the target in the code of the mobile application written using the mobile SDK. If you change the name of the web application that corresponds to the mobile application, you need to enter the original application name in the Application ID field.

      There can only be one SAML application deployed with the name used by the mobile application.

      The Application ID is case-sensitive and can be any combination of letters, numbers, spaces, and special characters up to 256 characters.

    • Show in User app list: Select Show in User app list to display this web application in the Admin Portal. (This option is selected by default.)

      If this web application is added only to provide SAML for a corresponding mobile app, deselect this option so the web application won't display for users in the Admin Portal.

  5. Create and enable a test user, then add that user to the Permissions page for your ServiceNow app.

    By default, users added to the Permissions page have View, Run, and Automatically Deploy permissions.

  6. Open a new tab in your web browser.

    Note: It is helpful to open the web application and the Centrify Admin Portal simultaneously so that you can copy and paste settings between the two browser windows.

  7. Go to your ServiceNow login URL.

    For example, your login URL might be https://acme.service-now.com, where acme is your company instance name.

  8. Add a new security certificate.

    1. Search for x509 in the Filter Navigator, and click x509 Certificate under Multi-Provider SSO.

    2. Click New.

    3. Open the certificate that you downloaded earlier in a text editor, then copy the contents and paste them into the web application's certificate field.

      For ServiceNow, paste the contents into the PEM Certificate field.

    4. Configure the following fields.

      Any fields not listed in this table require no action by you.

      • Name: Enter SAML 2.0 as the name.
      • Format: Make sure that the PEM format is selected.
      • Active: Make sure the Active check box is selected.
    5. Click Submit.

  9. Add a new Identity Provider.

    1. Use the Filter Navigator to search for SSO, and click Identity Providers under Multi-Provider SSO.
    2. Click New to create a new Identity Provider.

    3. Click SAML to select the type of Identity Provider to create.

    4. Click Cancel when prompted to import metadata.

    5. Copy the following values from the Identity Provider Configuration > Manual Configuration area of the Admin Portal and paste them into the matching fields in the ServiceNow Company Dashboard.

      • Identity Provider URL

        To enable SP-initiated SSO, copy the Identity Provider URL from the Admin Portal and paste it here.

        For IdP-initiated only, enter another URL.

      • Identity Provider's AuthnRequest

      • Identity Provider's SingleLogoutRequest

        If you want users to log out of the Centrify PAS when they log out of ServiceNow, copy the URL from the Identity Provider’s SingleLogoutRequest in the Admin Portal and paste it here.

        If you want to keep users logged into the Admin Portal after they log out of ServiceNow, enter a different URL or leave this field blank.

    6. Configure the following remaining fields in the ServiceNow Company Dashboard.

      Any fields not listed in this table require no action by you.

      • Name: Enter the name you want to use for the IdP (for example, Centrify-AABX567).
      • Default: (Optional) Select this check box if you want to enable SP-initiated SSO.
      • Identity Provider URL: The Identity Provider entity ID.
      • Identity Provider's AuthnRequest: The Identity Provider AuthnRequest service endpoint. The AuthnRequest will be posted to this URL as the SAMLRequest parameter.
      • Identity Provider's SingleLogoutRequest: The Identity Provider SingleLogoutRequest service endpoint. The LogoutRequest will be posted to this URL as the SAMLRequest parameter.
      • ServiceNow Homepage: Replace <yourinstance> in the URL in this field with your company instance name.
      • Entity ID / Issuer: Replace <yourinstance> in the URL in this field with your company instance name.
      • Audience URI: Replace <yourinstance> in the URL in this field with your company instance name.
      • NameID Policy: Replace the default value of the NameID Policy field with urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
      • External logout redirect: Use the default value.
      • Failed Requirement Redirect: When SAML 2.0 single sign-on fails because the session is not authenticated, or this is the first login, redirect to this URL. This is the base URL where the initial SAML 2.0 AuthnRequest is sent using the SAMLRequest parameter.

    7. On the same Identity Providers page, scroll down and click the Advanced tab and configure the following fields.

      • User Field: Set to how your assertion is constructed, for example email or user_name.

        Note: If you change this setting, make sure that it matches the attribute used for user account mapping in the ServiceNow application settings.

        Note: If you change this setting, you also have to change the last part of the NameID policy to match the attribute.

      • Single Sign-On Script: Click the magnifying glass and select the MultiSSO_SAML2_Update1 script.
      • NameID Attribute: Leave empty.
      • Clock Skew: Provides a buffer on the valid period of the SAML token. Recommended value: 60. When set to 60, this provides a 60-second buffer during which the token is still accepted before the notBefore constraint and after the notOnOrAfter constraint.
      • Create AuthnContextClass: (Optional) If selected, ServiceNow requires that you present a specific login mechanism such as a form, Kerberos, etc., to create an AuthnContextClass request in the AuthnRequest statement.
      • Protocol Binding for the IDP's AuthnRequest: The protocol binding for the Identity Provider's AuthnRequest service. The value can be either urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect or urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST.
      • AuthnContextClassRef Method: (Optional) Use the default value.
      • Protocol Binding for the IDP's SingleLogoutRequest: Use the default value.
      • Force AuthnRequest: Leave unselected.
      • Is Passive AuthnRequest?: Leave unselected.
      • IDP Metadata URL: This attribute holds the metadata URL from which the IDP properties will be imported.

    8. Click Submit.
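As an added illustration (not code from the original page, Centrify or ServiceNow) of what the Entity ID / Audience URI, NameID Policy and Clock Skew settings above control, the following Python check evaluates a constructed SAML assertion the way a service provider would: the Clock Skew widens the NotBefore/NotOnOrAfter window by 60 seconds on each side, the Audience must name this instance, and the NameID Format must match the configured policy. It assumes the Audience URI is the instance base URL https://<instance>.service-now.com (the same form as the login URL in step 7); the XML signature check is outside its scope.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# NameID format configured in the NameID Policy field above
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample assertion (not captured from a real IdP); the XML
# signature is omitted because this check only covers Conditions and Subject.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://acme.service-now.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def parse_time(value):
    """Parse the UTC timestamps SAML uses (e.g. 2024-01-01T12:00:00Z)."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, instance, now, clock_skew=60):
    """Return the reasons the assertion would be rejected (empty list = accepted).

    instance is the ServiceNow instance name (e.g. "acme"), now the SP's
    current time as an aware datetime, clock_skew the Clock Skew setting in seconds.
    """
    problems = []
    root = ET.fromstring(xml_text)
    skew = timedelta(seconds=clock_skew)
    cond = root.find("saml:Conditions", NS)
    # Clock skew widens the validity window on both ends
    if now < parse_time(cond.get("NotBefore")) - skew:
        problems.append("assertion not yet valid (NotBefore)")
    if now >= parse_time(cond.get("NotOnOrAfter")) + skew:
        problems.append("assertion expired (NotOnOrAfter)")
    # Assumed Audience URI: the instance base URL
    expected = f"https://{instance}.service-now.com"
    audiences = [a.text for a in root.findall(".//saml:Audience", NS)]
    if expected not in audiences:
        problems.append(f"audience mismatch: expected {expected}, got {audiences}")
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != NAMEID_UNSPECIFIED:
        problems.append("NameID Format does not match the NameID Policy")
    return problems
```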

  10. Click on the identity provider that you just created, then click Test Connection and sign in with the test user account you created in the Centrify Admin Portal.

    Note: If you receive connection error messages, see sections 4.4 and 4.5 on https://wiki.servicenow.com/index.php?title=Multiple_Provider_Single_Sign-On# for more information about testing the connection and troubleshooting connection errors.
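The Protocol Binding field in step 9 chooses how the SAMLRequest reaches the Identity Provider's AuthnRequest endpoint, and when Test Connection fails it helps to be able to read that request. The following Python helpers, added here and not part of the original page or either product, encode and decode a constructed AuthnRequest under both the HTTP-Redirect binding (DEFLATE, then base64, in the query string) and the HTTP-POST binding (base64 in a form field); the IdP endpoint used with them is a placeholder.

```python
import base64
import zlib
from urllib.parse import parse_qs, urlencode, urlsplit

REDIRECT_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample AuthnRequest (not captured from a real instance)
SAMPLE_AUTHN_REQUEST = (
    '<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed-1" '
    'Version="2.0" IssueInstant="2024-01-01T12:00:00Z">'
    '<saml:Issuer>https://acme.service-now.com</saml:Issuer></samlp:AuthnRequest>'
)


def encode_saml_request(xml_text, binding):
    """Build the SAMLRequest value the SP sends to the IdP for the given binding."""
    data = xml_text.encode()
    if binding == REDIRECT_BINDING:
        # Redirect binding: raw DEFLATE (no zlib header) before base64,
        # because the value has to fit in a query string
        comp = zlib.compressobj(9, zlib.DEFLATED, -15)
        data = comp.compress(data) + comp.flush()
    elif binding != POST_BINDING:
        raise ValueError(f"unsupported binding {binding}")
    return base64.b64encode(data).decode()


def decode_saml_request(value, binding):
    """Reverse encode_saml_request: recover the AuthnRequest XML for inspection."""
    data = base64.b64decode(value)
    if binding == REDIRECT_BINDING:
        data = zlib.decompress(data, -15)  # -15 = raw DEFLATE stream
    elif binding != POST_BINDING:
        raise ValueError(f"unsupported binding {binding}")
    return data.decode()


def redirect_url(idp_authn_url, xml_text):
    """The URL the browser is sent to under the Redirect binding."""
    query = urlencode({"SAMLRequest": encode_saml_request(xml_text, REDIRECT_BINDING)})
    return f"{idp_authn_url}?{query}"


def request_from_redirect_url(url):
    """Pull the AuthnRequest XML back out of a captured Redirect-binding URL."""
    value = parse_qs(urlsplit(url).query)["SAMLRequest"][0]
    return decode_saml_request(value, REDIRECT_BINDING)
```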

  11. In the Filter Navigator, search for Properties, then click Properties under Multi-Provider SSO Administration.
  12. Configure the following options.

    • Enable multiple provider SSO: Select the Yes | No check box.
    • Enable debug logging for the multiple provider SSO integration: (Optional) Select the Yes | No check box.
    • The field on the user table that identifies a user accessing the "User identification" login page: Use the default.

  13. Click Save to complete the configuration in ServiceNow.

  14. Deploy the application by setting permissions on the application or by adding the application to a set.

  15. Click Save to finish configuring the application for single sign-on.