How to Integrate NetIQ Access Manager with ServiceNow IT Service Management Software



ServiceNow is a SaaS provider of IT service management (ITSM) software. Using NetIQ Access Manager (NAM) with ServiceNow, corporate users can use their existing corporate LDAP credentials for single sign-on access to ServiceNow as well as to any web applications protected by NAM.

This Cool Solution shows how to integrate ServiceNow into your NAM implementation using federated authentication via SAML 2.0. With SAML 2.0, your users authenticate to NAM as they normally do, using the LDAP credentials held in your corporate directory. ServiceNow then authenticates the user from the SAML assertion, so there is no need to synchronize passwords with ServiceNow.

It is assumed that the corporate users accessing ServiceNow via the NetIQ Identity Server using SAML already exist on the ServiceNow site. If you would like to automatically provision, deprovision, and manage the identities, you can use NetIQ CloudAccess, but that is out of scope for this article.

Note: ServiceNow publishes its own set of instructions for SAML integration. Be aware that once SAML is enabled, all authentications for ServiceNow are done at the Identity Server. If you don't want to use SAML to log in, use: http://<instance>

Setup Details

NetIQ Access Manager Identity Server setup details

  1. Create the Service Provider and manually enter the metadata (available from the ServiceNow SAML 2 Single Sign-on setup menu -> Metadata).

     Note: the certificate field displayed after clicking Next will appear empty. This is normal, as the ServiceNow SP metadata does not include any signing or encryption certificates. Simply click OK to continue.

  2. Edit the newly created ServiceNow SAML2 Service Provider:

    • Define the attribute set the NAM IDP will use when building the assertion. Under the ‘Attributes’ page, click the Attribute Set drop-down menu and select the <New Attribute Set> option.

    • Create a new attribute set called ServiceNowAttrSet and click Next.

    • Create a new attribute where the ‘Local Attribute’ is the ‘LDAP attribute: mail’ available in the drop-down. Leave all remaining fields at their default settings.

    • Define the Authentication Response settings the NAM IDP will send in the assertion. Under the ‘Authentication Response’ page:

      • Change the Binding to Post.

      • Disable both the Persistent and Transient Name Identifiers.

      • Enable the E-mail Name Identifier and, in the “Value” drop-down menu, select Ldap Attribute:mail [LDAP Attribute Profile].

    • [Optional] If you want an IDP-initiated single sign-on setup, select the ‘InterSite Transfer Service’ option and add the ID of ServiceNow with the Target set to your assigned ServiceNow access URL.

  3. Save the changes and update the Identity Server.

  4. Export the Identity Server signing certificate by navigating to Security -> Certificates in iManager and clicking the signing certificate used by the Identity Server cluster configuration, typically nidp-signing. Select the certificate, click ‘Export public Certificate -> PEM Cut/Paste buffer’ and paste the contents into a temporary file.

ServiceNow SAML2 Service Provider Setup Details

  1. Log in to your ServiceNow account with your ServiceNow System Administrator credentials.

  2. Navigate to the "SAML 2 Single Sign-on" -> Properties panel visible on the left-hand side of the screen.

  3. Modify the following fields with the information from the NAM Identity Server:

    • Enable external authentication: Yes

    • Identity Provider URL which will issue the SAML2 security token with user info:

    • The base URL to the Identity Provider's AuthnRequest service. The AuthnRequest will be posted to this URL as the SAMLRequest parameter:

    • The base URL to the Identity Provider's SingleLogoutRequest service. The LogoutRequest will be posted to this URL as the SAMLRequest parameter:

    • The protocol binding for the Identity Provider's SingleLogoutRequest service (the value can be either "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"):

    • When SAML 2.0 single sign-on fails because the session is not authenticated, or this is the first login, redirect to this URL. This is the base URL where the initial SAML 2.0 AuthnRequest is sent using the SAMLRequest parameter:

     The remaining Service Provider properties are also configurable, but can all be left at their default settings for this setup. They only need to be changed if:

    • you want the ServiceNow SP to include a specific authentication type when sending its request to the Identity Server, or

    • the SP must authenticate the user based on an identifier other than the default email attribute.

  4. Navigate to the "SAML 2 Single Sign-on" -> Certificate panel. Edit the SAML 2.0 entry and replace the PEM certificate information with the signing certificate that you exported above from the NAM configuration (it can simply be pasted in here). Save the certificate change via the ‘Update’ option.


Testing the configuration

  1. SP-initiated SSO use case: This is the typical use case that will be set up, where the user tries to access the ServiceNow SP and is redirected to the Identity Server to authenticate. The SAML Tracer Firefox plugin is a very useful tool for validating the SAML communication through the browser and troubleshooting any issues.

    • Verify that you get redirected to the Identity Server login page, where you enter your credentials.

    • Verify that you are automatically redirected and logged in to your ServiceNow target URL as the user you logged in as.

The SAML tracer will show the redirect from the SP to the Identity Server and decode the corresponding SAML AuthnRequest:

<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ...>
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"></saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true"
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</saml2p:AuthnRequest>


After the user enters their credentials, the SAML tracer tool will decode the Authentication Response from the Identity Server that includes the assertion. This will typically look like the following (snippet of the subject section only; the attribute lines are truncated):

<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
<saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
<saml:SubjectConfirmationData InResponseTo="SNCb7c7ef5a0f3f3f20ede0dcbe26093a00"
<saml:Conditions NotBefore="2013-05-15T09:22:48Z"
<saml:AuthnStatement AuthnInstant="2013-05-15T09:27:48Z"

The following screenshot shows the ServiceNow page presented after logging in to my NAM Identity Server as user ncashell (whose email address is the NameID value carried in the assertion above). The ServiceNow SP uses this NameID value to SSO the user.
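As an added example (not code from the article, NetIQ or ServiceNow), the checks an SP has to make on the assertion fields shown in the tracer excerpts above before trusting the NameID as a login: emailAddress format, bearer confirmation, InResponseTo matching the pending AuthnRequest ID, the NotBefore/NotOnOrAfter window, and the audience. The sample assertion, entity IDs and mail domain are constructed placeholders (timestamps are the ones from the excerpt), and XML signature verification against the nidp-signing certificate is assumed to have been done beforehand by an XML-DSig library.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FMT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
ISO = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample in the shape of the tracer excerpt above (timestamps from
# the article; entity IDs and the mail domain are placeholders).
def sample_assertion(request_id, mail="ncashell@example.com"):
    return (f'<saml:Assertion xmlns:saml="{NS["saml2"]}" ID="idA1" Version="2.0" '
            'IssueInstant="2013-05-15T09:27:48Z">'
            '<saml:Issuer>https://idp.example.com/nidp/saml2/metadata</saml:Issuer>'
            f'<saml:Subject><saml:NameID Format="{EMAIL_FMT}">{mail}</saml:NameID>'
            f'<saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData '
            f'InResponseTo="{request_id}" NotOnOrAfter="2013-05-15T09:32:48Z"/>'
            '</saml:SubjectConfirmation></saml:Subject>'
            '<saml:Conditions NotBefore="2013-05-15T09:22:48Z" '
            'NotOnOrAfter="2013-05-15T09:32:48Z"><saml:AudienceRestriction>'
            '<saml:Audience>https://sp.example.com</saml:Audience>'
            '</saml:AudienceRestriction></saml:Conditions>'
            '<saml:AuthnStatement AuthnInstant="2013-05-15T09:27:48Z"/></saml:Assertion>')

def ts(s):  # SAML timestamps are UTC; compare them as aware datetimes
    return datetime.strptime(s, ISO).replace(tzinfo=timezone.utc)

def check_assertion(assertion_xml, request_id, sp_entity_id, now):
    """Checks the SP must make on the fields the tracer excerpt shows. Assumes the
    XML signature was already verified against the nidp-signing certificate."""
    a = ET.fromstring(assertion_xml)
    subj = a.find("saml2:Subject", NS)
    name_id = subj.find("saml2:NameID", NS)
    if name_id.get("Format") != EMAIL_FMT:        # NAM was set to send the E-mail NameID
        raise ValueError("NameID is not in emailAddress format")
    conf = subj.find("saml2:SubjectConfirmation", NS)
    if conf.get("Method") != BEARER:
        raise ValueError("unexpected SubjectConfirmation method")
    data = conf.find("saml2:SubjectConfirmationData", NS)
    if data.get("InResponseTo") != request_id:    # must answer our own AuthnRequest
        raise ValueError("InResponseTo does not match the pending request ID")
    if now >= ts(data.get("NotOnOrAfter")):
        raise ValueError("bearer confirmation has expired")
    cond = a.find("saml2:Conditions", NS)
    if not ts(cond.get("NotBefore")) <= now < ts(cond.get("NotOnOrAfter")):
        raise ValueError("assertion is outside its validity window")
    aud = [e.text for e in cond.iterfind("saml2:AudienceRestriction/saml2:Audience", NS)]
    if sp_entity_id not in aud:
        raise ValueError("assertion was not issued for this SP")
    return name_id.text  # the mail value ServiceNow maps to the user record
```

A replayed or re-targeted assertion fails on the InResponseTo, time window or audience check even though its signature would still verify, which is why these checks are made in addition to signature validation.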


  2. IDP-initiated SSO use case: This use case is typically used when a portal has links to a list of internal applications. By selecting the link pointing to ServiceNow, users log in to the Identity Server and are redirected to the ServiceNow SP with the required credentials.

    • Verify that you get redirected to the Identity Server login page, where you enter your credentials.

    • Verify that you are automatically redirected and logged in to your ServiceNow target URL as the user you logged in as.

