Integrating ServiceNow with Okta for Single Sign On (SSO)

ServiceNow SSO For Okta IAM Image

Today’s blog features a tutorial detailing everything you need to know in order to provision users from Okta to ServiceNow and Federated ServiceNow Application using SAML (Security Assertion Markup Language).

ServiceNow is a cloud-based company that provides technical management support, such as IT service management, to the IT operations of large corporations, including providing help desk functionality. The company’s core business revolves around management of “incident, problem, and change” IT operational events.

Okta is a cloud-based identity management product that helps companies manage and secure user authentication and build identity controls into applications.

Through this blog, we will show user provisioning from Okta to ServiceNow and configuration of Single Sign-On using Identity Provider and Service Provider Initiated Mechanism through SAML.

Since SAML works with Ping Federate in a similar manner, this blog is helpful for both Okta & Ping Identity consultants to Integrate ServiceNow.

Prerequisites:

  1.  Administrative ServiceNow Account
  2.  Application Administrative Okta Account

Configuration Steps at Okta:

  1.  Add a ServiceNow Application from Okta Integration Network (OIN).Okata servicenow guide
  2.  Provide the Application URL of your ServiceNow Instance under the Base URL field. In this demo, we have used a dev instance.Okata servicenow guide
  3.  Under the Provisioning tab, Enable API Credentials using ServiceNow admin account.Okata servicenow guide
  4.  After successful API Integration, we can create, update and deactivate users from Okta to ServiceNow.Okata servicenow guide
  5. Under the Assignments Tab, assign the application to a user or a group. In this demo we have assigned the application to a user for testing.Okata servicenow guide
  6. Under the Sign On Tab, download the Identity Provider Metadata.Okata servicenow guide

Configuration Steps at ServiceNow:

  1. Log in to ServiceNow as the administratorOkata servicenow guide
  2.  Search for plugins in the Filter navigator (top left input field)Okata servicenow guide
  3. Search for com.snc.integration.sso.multi in the ID field from the search bar at the top of the Plugins pageOkata servicenow guide
  4.  Install the Integration-Multiple Provider Single Sign-On Enhanced UIOkata servicenow guide
  5.  Plugins are activated after the installationOkata servicenow guide
  6. Search for Multi-Provider SSO in the Filter navigator (top left input field). Click PropertiesOkata servicenow guide sso
  7.  Select Yes for Enable Multiple provider SSO, as shown below:Okata servicenow guide sso
  8.  Click Save.
  9. Search for Multi-Provider SSO in the Filter navigator (top left input field). Select Identity Providers.Okata servicenow guide
  10. Click New and select SAML for SSO ConfigurationOkata servicenow guideOkata servicenow guide
  11.  Import the Identity Provider Metadata from Okta. In this demo we are using the below URL:Okata servicenow guide
  12. After Importing the metadata, automated SAML settings are populated. Check Default for Default SAML Settings.Okata servicenow guide
  13.  Under the Encryption & Signing Tab, Set the Signing/Encryption Key Alias as “saml2sp”Okata servicenow guide
  14.  Select the User Provisioning Tab and Uncheck Auto Provisioning User and Update User Record Upon Each LoginOkata servicenow guide
  15.  Select the Advanced Tab:
    In the user field, specify the ServiceNow user attributes that you will be matching against Okta with SAML. In our demo we are using Email as the user field.
    Check Create AuthnContextClass:Okata servicenow guide
  16.  Scroll Up and click Test Connection.Okata servicenow guide
  17.  Once the SAML tests pass, click Activate to activate the Identity Provider Initiated SSO setup.
    Assigned Users will be able to access the application under Okta Console.Okata servicenow guideOkata servicenow guide

Configuring Service Provider Initiated SSO Setup:

Users who would like to access the application by logging directly into the application can achieve this by configuring Service Provider Initiated SSO Setup where the Initiation starts with Service Provider (in this case ServiceNow).

  1.  Navigate to Identity Providers under Multi-Provider SSO.
  2.  Right-click on the Identity Provider that we set up and select Copy sys_id
  3.  Save the sys_id value on your system.
  4.  Navigate to MyCompany page in ServiceNow
  5. From the menu icon (see below), select Configure, then Form Design for the Company.
  6.  From the Fields sidebar on the left, select and drag the SSO Source field to the Company [core_company] table in the middle of the page as the last attribute in the list.
  7.  To now apply SP-Initiated SAML to all users, navigate back to the My Company page from the Filter Navigator.
  8.  In the SSO Source field, type sso: Paste the sys_id from the Identity Provider you created with the Multi-Provider SSO plugin. Choose Update to finish.
  9.  Click Save. SP Initiated Setup is Completed.
  10. Users can go directly to the following URL: https://[yourServiceNowDomain]/login_with_sso.do?glide_sso_id=[sys_id value] to access the application.Success! We hope you found this tutorial on Integrating ServiceNow with Okta valuable.