Okta

How to Configure SAML 2.0 for ServiceNow

Supported Features

The Okta/ServiceNow SAML integration currently supports the following features:


For more information on the listed features, see the Okta Glossary.


Prerequisites

Follow the steps below to complete the installation of the prerequisites:

  1. Log in to ServiceNow as the system administrator.

  2. Search for plugins in the Filter navigator (top left input field).

  3. Search for com.snc.integration.sso.multi on the plugins page.

  4. Click Install for the following plugins:

    • Multiple Provider Single Sign-On Enhanced UI

    • Multiple Provider Single Sign-On

  5. Search for Multi-Provider SSO in the Filter navigator (top left input field). Click Properties, then select Yes for Enable Multiple provider SSO.

  6. Click Save.

You've successfully completed all the prerequisites and can now proceed with configuring SAML by following the steps in the next section.


Configuration Steps

  1. Log in to ServiceNow as a system administrator.

  2. Search for Multi-Provider SSO in the Filter navigator (top left input field), and then select Identity Providers.

  3. Click New.

  4. You're asked what kind of SSO you are trying to create. Select SAML.

  5. An Import Identity Provider Metadata pop-up dialog appears.

  6. Copy and paste the following Metadata URL:

    Sign in to the Okta Admin Console to generate this value.

  7. Click Import.

  8. A page opens with auto-populated SAML settings.

  9. Check Default (if you want this SAML configuration to be the default).

    Refer to the Multiple IdP section if you have multiple IdPs enabled (this affects the SP-initiated flow).

  10. Scroll down and select the Encryption and Signing tab.

  11. Signing/Encryption Key Alias: Set to saml2sp (by default, the integration looks for the alias saml2sp).

    Note: If you created a different alias name for the SAML 2.0 keystore, enter that; otherwise, use saml2sp.

  12. Signing/Encryption Key Password: Enter the password to your SAML 2.0 Keystore. By default, the password is the same as the default alias name.

  13. Select the User Provisioning tab and uncheck Auto Provisioning User and Update User Record Upon Each Login.

  14. Select the Advanced tab.

  15. In the user field, specify the ServiceNow user attribute that you will be matching against Okta with SAML. By default, this is user_name, but it can be configured to match other attributes such as email, depending on your use case.

    Note: You can select which field from the user profile on the ServiceNow side to match against the NameID in the SAML assertion. It can be email, username, or any other field on the user record.

  16. Check Create AuthnContextClass.

  17. If you want to turn on advanced features such as Single Logout and/or Force Authentication, follow the steps outlined in the Advanced Settings section.

  18. Test the SAML connection. Scroll up and click Test Connection on the top right. Fix any misconfigured values and ensure all the tests pass.

  19. Once the SAML tests pass, click Activate to activate the Identity Provider you just set up.

  20. Done!


Advanced Settings

Force Authentication

  1. Go to the Advanced tab and check Force AuthnRequest.

  2. In Okta, make sure you have unchecked the Disable Force Authentication option on the Sign On tab.

  3. Click Update.

  4. Done!


Single Log Out

  1. Enter the following Identity Provider's SingleLogoutRequest URL:

    Sign in to the Okta Admin Console to generate this variable.

  2. Scroll down and select the Encryption and Signing tab.

  3. Check Sign Logout Request.

  4. Select the Advanced tab and change the Protocol Binding for the IDP's SingleLogoutRequest to the following:

    urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

  5. Click Generate Metadata.

  6. The new metadata tab appears.

  7. Save the X509Certificate value.

  8. Create a file in a text editor in the following format:

    -----BEGIN CERTIFICATE-----
    [your x509 certificate value]
    -----END CERTIFICATE-----

  9. Save the text file as servicenow_slo.cert.

  10. Close the metadata tab.

  11. In Okta, select the Sign On tab for the ServiceNow app, then click Edit.

    • Check the Enable Single Logout box.

    • Upload the servicenow_slo.cert file you saved earlier (step 9, above).

    • Click Save.
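As an added example covering steps 5 through 9 above (this is not Okta's or ServiceNow's own code): the script below reads the SP metadata ServiceNow generates, picks the signing certificate rather than an encryption-only key (Okta needs the signing certificate to verify the signed LogoutRequest), strips the newlines and indentation a browser copy leaves in the value, validates the base64, and wraps it as PEM. The metadata sample and the certificate value are constructed placeholders, not real ServiceNow output.

```python
import base64
import binascii
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed placeholder: valid base64, but NOT a real DER certificate.
FAKE_CERT_B64 = base64.b64encode(
    b"constructed placeholder for this example, not a real DER certificate").decode()

# Constructed sample shaped like the SP metadata ServiceNow generates (step 5): an
# encryption key listed first, and the signing key's base64 split across lines.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://example.service-now.com">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="encryption"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>QUJDRA==</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>
      {FAKE_CERT_B64[:40]}
      {FAKE_CERT_B64[40:]}
    </ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""


def extract_signing_cert(metadata_xml: str) -> str:
    """Return the base64 body of the SP signing certificate, whitespace removed."""
    root = ET.fromstring(metadata_xml)
    for kd in root.iter(f"{{{NS['md']}}}KeyDescriptor"):
        # An encryption-only key cannot verify a signed LogoutRequest; a KeyDescriptor
        # without a use attribute serves both purposes, so it is accepted too.
        if kd.get("use") not in (None, "signing"):
            continue
        cert = kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
        if cert is not None and cert.text:
            return "".join(cert.text.split())  # drop newlines/indentation from the copy
    raise ValueError("metadata contains no signing X509Certificate")


def to_pem(b64_body: str) -> str:
    """Validate the base64, then wrap it in PEM armor at 64 characters per line."""
    try:
        if not base64.b64decode(b64_body, validate=True):
            raise ValueError("certificate value is empty")
    except binascii.Error as exc:
        raise ValueError(f"X509Certificate is not valid base64: {exc}") from exc
    lines = ["-----BEGIN CERTIFICATE-----", *textwrap.wrap(b64_body, 64), "-----END CERTIFICATE-----"]
    return "\n".join(lines) + "\n"
```

Write the string returned by to_pem(extract_signing_cert(...)) to servicenow_slo.cert, the file step 9 asks for and the Okta Sign On tab expects in step 11.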

SP-initiated SAML

Determine which use case:

At this point, SAML single sign-on is configured for IdP-initiated flows from Okta into ServiceNow. To allow users to leverage Single Sign-On from the SP-Initiated flow (when they go directly to ServiceNow to log in), use the following instructions.

Note: SP-Initiated SAML can be enabled for an individual user or an entire company of users in ServiceNow. However, it can't be enabled for specific groups of users.

  1. Go to Multi-Provider SSO > Identity Providers.

  2. Right-click an identity provider record and select Copy sys_id.

  3. Save the sys_id value. You'll need to use this value for the SP-initiated flow.

  4. If you want to enable SP-Initiated SAML on a user-by-user basis instead of for all users within a given company, do the following:

    • Go to the Users page from the Filter navigator at the top left of the page.

    • Select any given user to go to the user details page; the specific user you choose doesn't matter.

    • From the menu icon, select Configure, then Form Design.

    • From the Fields sidebar on the left, select and drag the SSO Source field to the User [sys_user] table in the middle of the page as the last attribute in the list.

    • Click Save.

    • To enable SP-Initiated SAML for a specific user, go back to the Users page from the Filter Navigator.

    • Select your specific user to navigate to the user details page.

    • In the SSO Source field, type sso: and then paste the sys_id from the Identity Provider you created with the Multi-Provider SSO plugin. Choose Update to finish.

  5. If you want to enable SP-Initiated SAML for all users within a given company instead of on a user-by-user basis, do the following:

    • Go to the My Company page from the Filter Navigator at the top left of the page.

    • From the menu icon, select Configure, then Form Design for the Company.

    • From the Fields sidebar on the left, select and drag the SSO Source field to the Company [core_company] table in the middle of the page as the last attribute in the list.

    • Click Save.

    • To apply SP-Initiated SAML to all users in a specific company, go back to the My Company page from the Filter Navigator.

    • In the SSO Source field, type sso:. Paste the sys_id from the Identity Provider you created with the Multi-Provider SSO plugin. Choose Update to finish.

Using SP-initiated SAML

Your users can now begin using SP-Initiated SAML with ServiceNow in two different ways.

First, when they navigate to the default ServiceNow login page, they can choose Use external login and then enter their ServiceNow username in order to be redirected to Okta for SSO.

Alternatively, your users can go directly to the following URL: https://[yourServiceNowDomain]/login_with_sso.do?glide_sso_id=[sys_id value]