Okta

How to Configure SAML 2.0 for ServiceNow

Supported Features

The Okta/ServiceNow SAML integration currently supports the following features:


For more information on the listed features, visit the Okta Glossary.


Prerequisites

Follow the steps below to complete the installation of the prerequisites:

  1. Log in to ServiceNow as the system administrator.

  2. Type plugins in the Filter navigator (top left input field) and open the Plugins page.

  3. On the Plugins page, search for com.snc.integration.sso.multi.

  4. Click Install for both of the following plugins:

    • Multiple Provider Single Sign-On Enhanced UI

    • Multiple Provider Single Sign-On

  5. Wait for both installations to finish; the Multi-Provider SSO plugin and its Enhanced UI must both be installed before you continue.

  6. Type Multi-Provider SSO in the Filter navigator (top left input field). Click Properties, then select Yes for Enable Multiple provider SSO.

  7. Click Save.

You have completed all the prerequisites and can now configure SAML by following the steps in the next section.


Configuration Steps

  1. Log in to ServiceNow as the system administrator.

  2. Type Multi-Provider SSO in the Filter navigator (top left input field) and select Identity Providers.

  3. Click New.

  4. You are asked what kind of SSO you are trying to create. Select SAML.

  5. An Import Identity Provider Metadata pop-up dialog appears.

  6. Copy and paste the following Metadata URL:

    Sign into the Okta Admin dashboard to generate this value.

  7. Click Import.

  8. A page opens with auto-populated SAML settings.

  9. Check Default if you want this SAML configuration to be the default.

    Refer to the Multiple IdP section if you have multiple IdPs enabled (this affects the SP-initiated flow).

  10. Scroll down and select the Encryption and Signing tab.

  11. Signing/Encryption Key Alias: enter saml2sp. By default the integration looks for the alias saml2sp; if you created the SAML 2.0 keystore under a different alias, enter that alias instead.

  12. Signing/Encryption Key Password: enter the password of your SAML 2.0 keystore. By default, the password is the same as the default alias name. A keystore whose password equals its well-known alias name is effectively unprotected; if you are still using that default, replace it with a password you generate yourself and enter the new one here.

  13. Select the User Provisioning tab and uncheck Auto Provisioning User and Update User Record Upon Each Login.

  14. Select the Advanced tab.

  15. In the User Field, specify the ServiceNow user attribute that will be matched against the NameID Okta sends in the SAML assertion. By default this is user_name, but it can be set to email or any other field on the user record, depending on your use case.

  16. Check Create AuthnContextClass.

  17. If you want to turn on advanced features such as Single Logout and/or Force Authentication, follow the steps outlined in the Advanced Settings section.

  18. Test the SAML connection: scroll up and click Test Connection at the top right. Fix any misconfigured values until all the tests pass.

  19. Once the SAML tests pass, click Activate to activate the Identity Provider you just set up.

  20. Done!


Advanced Settings

Force Authentication

  1. Go to the Advanced tab and check Force AuthnRequest if you want to enable Force Authentication.

  2. In Okta, make sure the Disable Force Authentication option on the Sign On tab of the ServiceNow app is unchecked.

  3. Click Update.

  4. Done!
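The Force AuthnRequest setting above and the Create AuthnContextClass setting from the Configuration Steps both change what ServiceNow puts in the AuthnRequest it sends to Okta. The Python script below is an added example, not code from Okta or ServiceNow: it decodes a captured SAMLRequest value (either the HTTP-Redirect form, base64 over raw DEFLATE, or the HTTP-POST form, base64 only), reports whether ForceAuthn and a RequestedAuthnContext are present, and checks that Destination and AssertionConsumerServiceURL point at the hosts you expect. The sample request, its hostnames, IDs and Okta app path are constructed placeholders. The script only inspects the request; it does not verify the request signature, and it cannot see the Okta-side Disable Force Authentication setting, which you still confirm in the Okta admin console.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"

# Constructed sample of what the SP sends once "Force AuthnRequest" and
# "Create AuthnContextClass" are checked. IDs, hostnames and the Okta app
# path are placeholders, not values from a real instance.
SAMPLE_AUTHN_REQUEST = f"""<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_constructed0001" Version="2.0" IssueInstant="2024-01-01T00:00:00Z"
    Destination="https://example.okta.com/app/example_app/sso/saml"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    AssertionConsumerServiceURL="https://example.service-now.com/navpage.do"
    ForceAuthn="true">
  <saml:Issuer>https://example.service-now.com</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
  <samlp:RequestedAuthnContext Comparison="exact">
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
  </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""

# The same request with the flag removed, i.e. "Force AuthnRequest" unchecked.
SAMPLE_NO_FORCE_AUTHN = SAMPLE_AUTHN_REQUEST.replace(' ForceAuthn="true"', "")


def encode_redirect(xml_text: str) -> str:
    """SAMLRequest as carried by the HTTP-Redirect binding: raw DEFLATE, then base64."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml_text.encode()) + comp.flush()).decode()


def encode_post(xml_text: str) -> str:
    """SAMLRequest as carried by the HTTP-POST binding: base64 only."""
    return base64.b64encode(xml_text.encode()).decode()


def decode_samlrequest(param: str) -> bytes:
    """Recover the XML from a SAMLRequest value of either binding."""
    raw = base64.b64decode(param)
    if raw.lstrip().startswith(b"<"):
        return raw                       # POST binding: not compressed
    return zlib.decompress(raw, -15)     # Redirect binding: raw inflate, no zlib header


def inspect_authn_request(param: str) -> dict:
    """Pull the fields this guide's settings affect out of a SAMLRequest value."""
    root = ET.fromstring(decode_samlrequest(param))
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError(f"not an AuthnRequest: {root.tag}")
    issuer = root.find(f"{{{SAML}}}Issuer")
    ctx = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    classes = [] if ctx is None else [
        (c.text or "").strip() for c in ctx.findall(f"{{{SAML}}}AuthnContextClassRef")]
    return {
        "issuer": (issuer.text or "").strip() if issuer is not None else None,
        "destination": root.get("Destination"),
        "acs_url": root.get("AssertionConsumerServiceURL"),
        "protocol_binding": root.get("ProtocolBinding"),
        "force_authn": root.get("ForceAuthn", "false").lower() in ("true", "1"),
        "comparison": None if ctx is None else ctx.get("Comparison"),
        "authn_context_classes": classes,
    }


def check_request(info: dict, idp_host: str, sp_host: str) -> list:
    """Findings against the settings this guide enables; an empty list means OK."""
    findings = []
    if not info["force_authn"]:
        findings.append("ForceAuthn missing: 'Force AuthnRequest' is unchecked on the SP")
    if not info["authn_context_classes"]:
        findings.append("no RequestedAuthnContext: 'Create AuthnContextClass' is unchecked")
    if urlparse(info["destination"] or "").hostname != idp_host:
        findings.append(f"Destination {info['destination']!r} is not the expected Okta host")
    if urlparse(info["acs_url"] or "").hostname != sp_host:
        findings.append(f"ACS URL {info['acs_url']!r} is not the ServiceNow instance")
    return findings


if __name__ == "__main__":
    for label, xml in (("force", SAMPLE_AUTHN_REQUEST), ("no-force", SAMPLE_NO_FORCE_AUTHN)):
        info = inspect_authn_request(encode_redirect(xml))
        print(label, info["force_authn"], info["authn_context_classes"],
              check_request(info, "example.okta.com", "example.service-now.com") or "OK")
```

To use it against your own instance, start the SP-initiated login, copy the SAMLRequest parameter from the redirect to Okta (URL-decode it first if you take it from the query string) and pass it to inspect_authn_request with your Okta and ServiceNow hostnames.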


Single Log Out

  1. Enter the following Identity Provider's SingleLogoutRequest URL:

    Sign into the Okta Admin Dashboard to generate this variable.

  2. Scroll down and select the Encryption and Signing tab.

  3. Check Sign Logout Request.

  4. Select the Advanced tab. Change the Protocol Binding for the IDP's SingleLogoutRequest to the following:

    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

  5. Click Generate Metadata.

  6. The new metadata tab appears.

  7. Copy the X509Certificate value. This is the certificate Okta will use to verify the signed logout requests ServiceNow sends.

  8. Create a file in a text editor in the following format:

    -----BEGIN CERTIFICATE-----
    [your x509 certificate value]
    -----END CERTIFICATE-----

  9. Save the text file as servicenow_slo.cert.

  10. Close the metadata tab.

  11. In Okta, select the Sign On tab for the ServiceNow app, then click Edit.

    • Check the Enable Single Logout box.

    • Upload the servicenow_slo.cert file you saved in step 9.

    • Click Save.
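The Single Logout steps above come down to pulling the SP signing certificate out of the metadata ServiceNow generates, rewrapping it as PEM, and confirming the logout endpoint uses the HTTP-POST binding. The Python below is an added example, not code from Okta or ServiceNow: it parses SP metadata, checks that a signing certificate and a SingleLogoutService endpoint with the HTTP-POST binding are published, and writes the certificate out as servicenow_slo.cert with the BEGIN/END lines and 64-column wrapping a PEM file expects. The metadata, entityID, hostname and certificate bytes are constructed placeholders (the "certificate" is a DER SEQUENCE header plus filler), so point it at your instance's real metadata to get a usable file.

```python
import base64
import textwrap
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
HTTP_POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed stand-in for the X509Certificate value: a DER SEQUENCE header
# followed by filler, NOT a real certificate. The real value is the base64
# of the SP's DER-encoded signing certificate.
_FAKE_DER = b"\x30\x82\x01\x00" + b"constructed-not-a-real-certificate-" * 6
FAKE_CERT_B64 = base64.b64encode(_FAKE_DER).decode()

# Constructed SP metadata shaped like the "Generate Metadata" output;
# the hostname and entityID are placeholders.
SAMPLE_SP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="https://example.service-now.com">
  <md:SPSSODescriptor AuthnRequestsSigned="true" WantAssertionsSigned="true"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="{HTTP_POST}"
        Location="https://example.service-now.com/navpage.do"/>
    <md:AssertionConsumerService Binding="{HTTP_POST}"
        Location="https://example.service-now.com/navpage.do" index="0" isDefault="true"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Same metadata but with the logout endpoint on HTTP-Redirect, the case step 4 fixes.
SAMPLE_METADATA_REDIRECT_SLO = SAMPLE_SP_METADATA.replace(
    'SingleLogoutService Binding="' + HTTP_POST, 'SingleLogoutService Binding="' + HTTP_REDIRECT)


def inspect_sp_metadata(xml_text: str) -> dict:
    """Extract entityID, signing certificates and the SLO/ACS endpoints."""
    root = ET.fromstring(xml_text)
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        raise ValueError("no SPSSODescriptor in metadata")
    certs = []
    for kd in sp.findall(f"{{{MD}}}KeyDescriptor"):
        if kd.get("use") not in (None, "signing"):   # no 'use' means signing and encryption
            continue
        for c in kd.iter(f"{{{DS}}}X509Certificate"):
            certs.append("".join((c.text or "").split()))   # drop line breaks and indentation
    endpoint = lambda tag: [(e.get("Binding"), e.get("Location")) for e in sp.findall(f"{{{MD}}}{tag}")]
    return {
        "entity_id": root.get("entityID"),
        "authn_requests_signed": sp.get("AuthnRequestsSigned", "false").lower() == "true",
        "signing_certs": certs,
        "slo": endpoint("SingleLogoutService"),
        "acs": endpoint("AssertionConsumerService"),
    }


def x509_to_pem(b64_value: str) -> str:
    """Turn the bare X509Certificate text into the PEM file Okta expects."""
    compact = "".join(b64_value.split())
    der = base64.b64decode(compact, validate=True)
    if not der.startswith(b"\x30"):       # a certificate is a DER SEQUENCE
        raise ValueError("decoded value is not a DER SEQUENCE; was the right element copied?")
    body = "\n".join(textwrap.wrap(compact, 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def check_slo_ready(info: dict) -> list:
    """Findings against the SLO settings this guide makes; an empty list means OK."""
    findings = []
    if not info["signing_certs"]:
        findings.append("no signing certificate in metadata; Okta cannot verify signed LogoutRequests")
    if not info["slo"]:
        findings.append("no SingleLogoutService endpoint published")
    for binding, location in info["slo"]:
        if binding != HTTP_POST:
            findings.append(f"SLO binding {binding} at {location}; this guide uses HTTP-POST")
    return findings


def write_slo_cert(info: dict, path: str = "servicenow_slo.cert") -> str:
    """Write the first signing certificate as PEM and return the file contents."""
    pem = x509_to_pem(info["signing_certs"][0])
    with open(path, "w") as fh:
        fh.write(pem)
    return pem


if __name__ == "__main__":
    info = inspect_sp_metadata(SAMPLE_SP_METADATA)
    print("entityID:", info["entity_id"], "| SLO:", info["slo"])
    print("findings:", check_slo_ready(info) or "none")
    print(write_slo_cert(info))
```

The DER check in x509_to_pem is there because the most common mistake at this step is copying a neighbouring element or a truncated value; a file that decodes but does not start with a SEQUENCE tag will be rejected by Okta anyway, so it is better to fail here.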

SP-initiated SAML

Determine which use case:

At this point, SAML single sign-on is configured for IdP-initiated flows from Okta into ServiceNow. To allow users to leverage Single Sign-On from the SP-Initiated flow (when they go directly to ServiceNow to log in), use the following instructions.

Note: SP-Initiated SAML can be enabled for an individual user or an entire company of users in ServiceNow. However, it cannot be enabled for specific groups of users.

  1. Navigate to Multi-Provider SSO > Identity Providers.

  2. Right-click an identity provider record and select Copy sys_id.

  3. Save the sys_id value. You will need it for the SP-initiated flow.

  4. If you want to enable SP-Initiated SAML on a user-by-user basis instead of for all users within a given company, do the following:

    • Navigate to the Users page from the Filter navigator at the top left of the page.

    • Select any user to open the user details page; the specific user you choose does not matter.

    • From the menu icon, select Configure, then Form Design.

    • From the Fields sidebar on the left, drag the SSO Source field onto the User [sys_user] form in the middle of the page as the last attribute in the list.

    • Click Save.

    • To enable SP-Initiated SAML for a specific user, navigate back to the Users page from the Filter Navigator.

    • Select the specific user to open the user details page.

    • In the SSO Source field, type sso: and then paste the sys_id of the Identity Provider you created with the Multi-Provider SSO plugin, so that the value reads sso:<sys_id>. Click Update to finish.

  5. If you want to enable SP-Initiated SAML for all users within a given company instead of on a user-by-user basis, do the following:

    • Navigate to the My Company page from the Filter Navigator at the top left of the page.

    • From the menu icon, select Configure, then Form Design for the Company.

    • From the Fields sidebar on the left, drag the SSO Source field onto the Company [core_company] form in the middle of the page as the last attribute in the list.

    • Click Save.

    • To apply SP-Initiated SAML to all users in a specific company, navigate back to the My Company page from the Filter Navigator.

    • In the SSO Source field, type sso: and then paste the sys_id of the Identity Provider you created with the Multi-Provider SSO plugin, so that the value reads sso:<sys_id>. Click Update to finish.

Using SP-initiated SAML

Your users can now begin using SP-Initiated SAML with ServiceNow in two different ways.

First, when they navigate to the default ServiceNow login page, they can choose Use external login and then enter their ServiceNow username to be redirected to Okta for SSO.

Alternatively, your users can go directly to the following url: https://[yourServiceNowDomain]/login_with_sso.do?glide_sso_id=[sys_id value]