Netiq Access Manager - ServiceNow Integration

This document describes how to integrate the ServiceNow developer instance with Access Manager through SAML 2.0.

Signing Up and Building Developer Instance

To sign up and start building a developer instance, perform the following steps:

  1. Sign up at https://developer.servicenow.com/dev.do#!/home
  2. Click Start building / Request Instance to create a new developer instance in any available location.
  3. When the instance has been created, the My Instance screen is displayed. Click the User icon dropdown > Manage instance password.
  4. Ensure that USER ROLE is set to admin and INSTANCE STATUS to Online, and note the highlighted items in the instance details.
  5. The instance details are displayed.
  6. Click the Start Building link. You are redirected to the developer instance.
  7. For federated login, install the Multi-Provider SSO plugin:
     https://docs.servicenow.com/en-US/bundle/utah-platform-security/page/integrate/single-sign-on/task/t_ActivateMultipleProviderSSO.html
  8. After the Multi-Provider SSO plugin has been installed, activate it.
  9. Check the plugin availability status by navigating to All > search for Multi-Provider SSO.

Configuring NetIQ Access Manager as Identity Provider in ServiceNow

To configure NetIQ Access Manager as Identity Provider in ServiceNow, perform the following steps:

  1. Log in to the ServiceNow instance https://dev91608.service-now.com/
  2. Go to All > Multi-Provider SSO > Identity Providers.
  3. Click New.
  4. For "What kind of SSO are you trying to create?", select SAML.
  5. Copy the Identity Provider metadata from the IDP portal https://<IDP IP/DNS>:<Port>/nidp/saml2/metadata
     e.g.) https://sso.namservicenow.com:8443/nidp/saml2/metadata
  6. Paste the metadata into the Enter the XML field and click Import.
  7. From the imported metadata, the following fields are prepopulated.
  8. Update the following information in the Identity Provider form:
  • Name: provide a name relevant to your configuration.
  • NameID Policy: change from urn:oasis:names:tc:SAML:2.0:nameid-format:transient to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
  • Encryption and Signing tab:
    • Signing/Encryption Key Alias: saml2sp
    • Signing/Encryption Key Password: saml2sp
    • Sign LogoutRequest: select the checkbox.
  • User Provisioning tab:
    • Deselect Auto Provisioning User
    • Deselect Update User Record Upon Each Login
  • Advanced tab:
    • Ensure that the correct field ID is given in User Field. Here, we use email (you can use any field from the directory service that corresponds to a field on the ServiceNow user form).
  • eSignature Approval (Optional): no changes required.
  9. Click Update.
  10. Edit the Identity Provider and click Generate Metadata.
  11. Copy the entire content as metadata and save it as a separate file, e.g., servicenow_metadata.xml
  12. Copy the X509Certificate value, save it as a .pem file in the format shown below, and close the new metadata window.

.pem file format, e.g., servicenowx509.pem:

    -----BEGIN CERTIFICATE-----
    [your X509Certificate value]
    -----END CERTIFICATE-----
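As an added example (not part of the original wiki page or ServiceNow/Access Manager tooling), the following Python script automates the "copy the X509Certificate value and save it as a .pem file" step above: it parses the SP metadata that ServiceNow generates, writes each certificate as a correctly wrapped PEM block, and confirms that the emailAddress NameID format chosen in the Identity Provider form is present. The metadata document, the devNNNNN entity ID and the certificate value are constructed samples, not values from a real instance.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET
NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample of ServiceNow-style SP metadata (the entity ID is a placeholder).
# The certificate value is fake base64 text, not a real X.509 certificate.
FAKE_CERT_B64 = base64.b64encode(b"constructed-sample-certificate-bytes" * 4).decode()
SAMPLE_METADATA = f"""
<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://devNNNNN.service-now.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {FAKE_CERT_B64}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_FORMAT}</md:NameIDFormat>
    <md:AssertionConsumerService index="0" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://devNNNNN.service-now.com/navpage.do"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""

def parse_metadata(metadata_xml: str) -> ET.Element:
    # Whitespace before <?xml ...?> makes the parser reject the document: the same
    # "unwanted spaces" problem seen when pasting metadata into Access Manager.
    return ET.fromstring(metadata_xml.strip())

def extract_x509_pems(metadata_xml: str) -> list[str]:
    """Return one PEM block per X509Certificate element, wrapped at 64 columns."""
    pems = []
    for cert in parse_metadata(metadata_xml).iterfind(".//ds:X509Certificate", NS):
        b64 = "".join((cert.text or "").split())  # drop newlines/indent around the value
        base64.b64decode(b64, validate=True)       # fail fast on a mangled copy and paste
        body = "\n".join(textwrap.wrap(b64, 64))
        pems.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    return pems

def offers_email_nameid(metadata_xml: str) -> bool:
    """True if the SP metadata lists the emailAddress NameID format set in ServiceNow."""
    root = parse_metadata(metadata_xml)
    return EMAIL_FORMAT in [e.text.strip() for e in root.iterfind(".//md:NameIDFormat", NS) if e.text]

if __name__ == "__main__":
    with open("servicenowx509.pem", "w") as fh:   # the file later imported as a Trusted Root
        fh.write(extract_x509_pems(SAMPLE_METADATA)[0])
    print("emailAddress NameID offered:", offers_email_nameid(SAMPLE_METADATA))
```

Run it against the real servicenow_metadata.xml by reading that file into the metadata argument instead of SAMPLE_METADATA.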


Configuring ServiceNow as Service Provider in NetIQ Access Manager (SAML 2.0)

To configure ServiceNow as Service provider in NetIQ Access Manager (SAML 2.0), perform the following steps:

  1. Log in to the NetIQ Access Manager Administration Console.
  2. Navigate to Identity Servers > Edit > SAML 2.0 > New > Service Provider.
  3. Select the following options:
    1. Provider Type: General
    2. Source: Metadata Text
    3. Name: any (e.g., ServiceNow)
    4. Text: copy the content of the servicenow_metadata.xml file and paste it here. (Make sure it does not contain unwanted spaces.)
  4. Click Next and Finish.
  5. Check that the service provider has been added successfully.
  6. Edit the ServiceNow service provider and make the following changes:
    1. Attributes tab: select Attribute set as Email > Send with Authentication as LDAP Attribute: mail [LDAP Attribute Profile]
    2. Authentication Response tab:
      1. Binding: Post
      2. Uncheck Persistent and Transient
      3. Check Email and select LDAP Attribute: mail [LDAP Attribute Profile]
  7. Click Apply and OK, then update the cluster (the cluster health may now show as Yellow).
  8. Navigate to Services > Certificates > Trusted Roots. Provide a name and import the X.509 certificate (servicenowx509.pem).
  9. Add the ServiceNow certificate from Trusted Roots to the trust stores: select Trust Store and OCSP Trust Store, then click OK and Close.
  10. Update the IDP cluster again and check the cluster health; it should now be displayed in GREEN.

Testing the Connection between Identity Provider and Service Provider

To test the connection between IDP and SP, the following prerequisites apply:

  1. Create users in both Access Manager (eDirectory/Active Directory) and ServiceNow (All > search Users).
  2. Ensure that the users are mapped to a valid email ID.

Note: If you have selected the NameID policy emailAddress, you must map the same email ID on both sides; otherwise login will fail in both the IDP-initiated and SP-initiated flows.

e.g.) user records in Access Manager and ServiceNow (screenshots)

Steps:

  1. Navigate to the ServiceNow developer instance > search Multi-Provider SSO > Identity Providers.
  2. Click the identity provider to edit it, e.g., namtestservicenow.
  3. Click Test Connection and enter the identity provider credentials.
  4. Check the test results. All test results should be displayed in GREEN.
  5. Close the test results page and activate the service.
  6. Navigate to All > Multi-Provider SSO > Account Recovery Properties (optional): enable the account recovery option if required; otherwise uncheck it and save the settings.
  7. Navigate to All > Multi-Provider SSO > Administration > Properties, check Enable multiple provider SSO, change the text box field from user_name to email, and save the settings.

IDP Initiated Login:

  1. Log in to the Access Manager Administration Console.
  2. Create an AppMark for the SAML application and name it ServiceNow.
  3. Log in (as user alice) to the IDP portal https://sso.namservicenow.com:8443/nidp/portal
  4. You are successfully logged in.

SAML tracer logs: (screenshot)

SP Initiated Login:

  1. Launch the browser and open the ServiceNow developer instance URL: https://dev91608.service-now.com/navpage.do
  2. Enter the credentials in the IDP portal.
  3. Check the login status. You are successfully logged in.

SAML Request and Response: (screenshot)
