ServiceNow is a SaaS provider of IT service management (ITSM) software. Using NetIQ Access Manager (NAM) with service-now.com, corporate users will be allowed to use their existing corporate LDAP credentials for single sign-on access to service-now.com as well as any web applications protected by NAM.
This cool solution will show you how to integrate ServiceNow into your NAM implementation using a federated authentication via SAML 2.0. By using SAML 2.0, your users authenticate to NAM as they typically do using their existing LDAP credentials provided by your corporate directory. The service-now.com application then authenticates users via SAML without the need to synchronize passwords with service-now.com.
It is assumed that the corporate users accessing ServiceNow via the NetIQ Identity Server using SAML already exist on the ServiceNow site. If you would like to automatically provision, deprovision, and manage the service-now.com identities, you can use NetIQ CloudAccess, but that is out of scope for this article.
Note: ServiceNow has a great set of instructions for SAML integration at http://wiki.servicenow.com/index.php?title=SAML_2.0_Web_Browser_SSO_Profile. Note that once SAML is enabled, all authentications for ServiceNow are done at the Identity Server. If you don’t want to use SAML to log in, use: http://<instance>.service-now.com/side_door.do
Note: the certificate field displayed after clicking next below will appear as empty. This is normal as the ServiceNow SP metadata does not include any signing or encryption certs. Simply click OK to continue.
Select the certificate, click on ‘Export public Certificate -> PEM Cut/Paste buffer’ and paste the contents into a temporary file.
There are some Service Provider properties that are configurable. These can all remain at their default settings for this setup. The only time that these would need to be changed is if
Edit the SAML 2.0 entry and replace the PEM certificate information with the signing certificate that you exported above from the NAM configuration (you can simply cut and paste it in here). Save the certificate change via the ‘Update’ option.
The SAML tracer will show the redirect from the SP to the Identity Server and decode the corresponding SAML AuthnRequest:
<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    AssertionConsumerServiceURL="https://dev004.service-now.com/navpage.do"
    ForceAuthn="false"
    ID="SNCb7c7ef5a0f3f3f20ede0dcbe26093a00"
    IsPassive="false"
    IssueInstant="2013-05-15T09:27:32.257Z"
    ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    ProviderName="https://dev004.service-now.com/navpage.do"
    Version="2.0">
  <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://dev004.service-now.com</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
</saml2p:AuthnRequest>
After the user enters their credentials, the SAML tracer tool will decode the Authentication Response from the Identity Server, which includes the assertion. This will typically look like the following (only the snippet from the Subject element onward is included):
<saml:Subject>
  <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
      NameQualifier="https://nam32phys.lab.novell.com:8443/nidp/saml2/metadata"
      SPNameQualifier="https://dev004.service-now.com">email@example.com</saml:NameID>
  <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
    <saml:SubjectConfirmationData InResponseTo="SNCb7c7ef5a0f3f3f20ede0dcbe26093a00"
        NotOnOrAfter="2013-05-15T09:32:48Z"
        Recipient="https://dev004.service-now.com/navpage.do" />
  </saml:SubjectConfirmation>
</saml:Subject>
<saml:Conditions NotBefore="2013-05-15T09:22:48Z" NotOnOrAfter="2013-05-15T09:32:48Z">
  <saml:AudienceRestriction>
    <saml:Audience>https://dev004.service-now.com</saml:Audience>
  </saml:AudienceRestriction>
</saml:Conditions>
<saml:AuthnStatement AuthnInstant="2013-05-15T09:27:48Z" SessionIndex="idsc9yCEd1oX8assOr4TQJ0kt4i5c">
  <saml:AuthnContext>
    <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
    <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
  </saml:AuthnContext>
</saml:AuthnStatement>
</saml:Assertion>
</samlp:Response>
The following screenshot shows the ServiceNow page presented after logging in to my NAM Identity Server as user ncashell (whose email address is firstname.lastname@example.org). The above assertion shows this NameID value, which the ServiceNow SP uses to SSO the user.
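As an added example (not part of this article, NAM or ServiceNow), the checks a SAML SP applies to the assertion above before trusting the NameID, in Python: InResponseTo and Recipient against the SP's own AuthnRequest, the Audience against the SP entity ID, the validity window, and the NameID format against the requested NameIDPolicy. The REQUEST dict is an assumption built from the AuthnRequest shown above, the assertion sample is trimmed from the one above, and XML signature verification against the exported NAM signing certificate is assumed to have run first.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
# Values the SP remembers from its own AuthnRequest (assumption, taken from the sample above)
REQUEST = {
    "id": "SNCb7c7ef5a0f3f3f20ede0dcbe26093a00",
    "entity_id": "https://dev004.service-now.com",
    "acs_url": "https://dev004.service-now.com/navpage.do",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}
# Constructed sample, trimmed from the Identity Server assertion shown above
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"><saml:Subject>
 <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">email@example.com</saml:NameID>
 <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData
  InResponseTo="SNCb7c7ef5a0f3f3f20ede0dcbe26093a00" NotOnOrAfter="2013-05-15T09:32:48Z"
  Recipient="https://dev004.service-now.com/navpage.do"/></saml:SubjectConfirmation></saml:Subject>
 <saml:Conditions NotBefore="2013-05-15T09:22:48Z" NotOnOrAfter="2013-05-15T09:32:48Z"><saml:AudienceRestriction>
  <saml:Audience>https://dev004.service-now.com</saml:Audience></saml:AudienceRestriction></saml:Conditions>
</saml:Assertion>"""

def _ts(value):
    # Whole-second UTC timestamps, as emitted in Conditions and SubjectConfirmationData
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_assertion(assertion_xml, request, now):
    """Return the SP-side checks that fail (empty list = acceptable); signature verification assumed done."""
    asr = ET.fromstring(assertion_xml)
    name_id = asr.find(SAML + "Subject/" + SAML + "NameID")
    scd = asr.find(".//" + SAML + "SubjectConfirmationData")
    cond = asr.find(SAML + "Conditions")
    audiences = [a.text for a in cond.iter(SAML + "Audience")]
    problems = []
    # Binding checks: the assertion must answer this request, at this ACS URL, for this SP
    if scd.get("InResponseTo") != request["id"]:
        problems.append("InResponseTo does not match the AuthnRequest ID")
    if scd.get("Recipient") != request["acs_url"]:
        problems.append("Recipient is not the SP AssertionConsumerServiceURL")
    if request["entity_id"] not in audiences:
        problems.append("Audience does not include the SP entity ID")
    # Time checks: the Conditions window plus the bearer confirmation's own deadline
    if not _ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter")):
        problems.append("outside the Conditions validity window")
    if now >= _ts(scd.get("NotOnOrAfter")):
        problems.append("SubjectConfirmationData has expired")
    # The NameID format must be the one NameIDPolicy asked for (emailAddress maps to the ServiceNow user)
    if name_id.get("Format") != request["nameid_format"]:
        problems.append("NameID format differs from the requested NameIDPolicy")
    return problems
```

A non-empty list is a reason to reject the response and log it; a stale or re-posted assertion fails the time and InResponseTo checks even though its signature is still valid.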
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.