Introduction

ServiceNow is a SaaS provider of IT service management (ITSM) software. By using NetIQ Access Manager (NAM) with service-now.com, corporate users can use their existing corporate LDAP credentials for single sign-on to service-now.com as well as to any web applications protected by NAM.

This cool solution shows how to integrate ServiceNow into your NAM implementation using federated authentication via SAML 2.0. With SAML 2.0, your users authenticate to NAM as they normally do, with the LDAP credentials held in your corporate directory. The service-now.com application then authenticates users from the SAML assertion, so there is no need to synchronize passwords to service-now.com.

It is assumed that the corporate users accessing ServiceNow via the NetIQ Identity Server using SAML already exist in the ServiceNow instance (they are matched by e-mail address, as configured below). If you would like to automatically provision, deprovision and manage the service-now.com identities, you can use NetIQ CloudAccess, but that is out of scope for this article.

Note: ServiceNow has a good set of instructions for SAML integration at http://wiki.servicenow.com/index.php?title=SAML_2.0_Web_Browser_SSO_Profile. Once SAML is enabled, all authentication for ServiceNow is done at the Identity Server. If you need to log in with a local ServiceNow account instead of SAML (for example, to recover access while the Identity Server is unavailable), use http://<instance>.service-now.com/side_door.do. Because that page accepts local ServiceNow credentials and bypasses SAML, keep the number of local accounts that can use it to a minimum and protect them with strong passwords.

Setup Details

NetIQ Access Manager Identity Server setup details

  1. Create the Service Provider and manually enter the metadata (available from the ServiceNow SAML 2 Single Sign-on menu -> Metadata).

    (screenshot)

    Note: the certificate field displayed after clicking Next will appear empty. This is normal: the ServiceNow SP metadata does not include any signing or encryption certificates, which also means the AuthnRequests ServiceNow sends are unsigned and the Identity Server cannot encrypt assertions for it. Simply click OK to continue.

  2. Edit the newly created ServiceNow SAML2 Service Provider and
    1. Define the attribute set the NAM IDP will send in the assertion: under the ‘Attributes’ page
      • Click on the Attribute Set drop down menu and select the <New Attribute Set> option
      • Create a new attribute set called ServiceNowAttrSet and click Next
      • Create a new attribute where the ‘Local Attribute’ is the ‘LDAP attribute: mail’ available in the drop down. Leave all remaining fields at their default settings.

      (screenshot)

    2. Define the Authentication Response settings the NAM IDP will send in the assertion: under the ‘Authentication Response’ page, change
      • Binding to POST
      • Disable both the Persistent and Transient name identifiers
      • Enable the E-mail name identifier and, in the “Value” drop down, select Ldap Attribute:mail [LDAP Attribute Profile]. This is the value ServiceNow will match against its own user records, so it must be populated for every user who needs access.

      (screenshot)

    3. [Optional] If you want to set up IDP-initiated single sign-on, select the ‘InterSite Transfer Service’ option and add the ID of ServiceNow with the Target set to your ServiceNow instance URL.

      (screenshot)

    4. Save the changes and update the Identity Server.
    5. Export the Identity Server signing certificate by navigating to Security -> Certificates in iManager and selecting the signing certificate used by the Identity Server cluster configuration, typically nidp-signing.

      Select the certificate, click ‘Export public Certificate -> PEM Cut/Paste buffer’ and paste the contents into a temporary file. Only the public certificate is exported; the private key stays on the Identity Server.

ServiceNow SAML 2 Service Provider Setup Details

  1. Log in to your ServiceNow instance with your ServiceNow System Administrator credentials.
  2. Navigate to the “SAML 2 Single Sign-on” -> Properties panel visible on the left-hand side of the screen.

    (screenshot)

  3. Modify the following fields with the information from the NAM Identity Server (<IDPBASEURL> is the Identity Server base URL including the /nidp context, e.g. https://nam32phys.lab.novell.com:8443/nidp):
    • Enable external authentication: Yes
    • Identity Provider URL which will issue the SAML2 security token with user info:

      https://<IDPBASEURL>/saml2/metadata

      eg. https://nam32phys.lab.novell.com:8443/nidp/saml2/metadata
    • The base URL to the Identity Provider’s AuthnRequest service. The AuthnRequest will be posted to this URL as the SAMLRequest parameter:

      https://<IDPBASEURL>/saml2/sso
    • The base URL to the Identity Provider’s SingleLogoutRequest service. The LogoutRequest will be posted to this URL as the SAMLRequest parameter:

      https://<IDPBASEURL>/app/logout
    • The protocol binding for the Identity Provider’s SingleLogoutRequest service. The value must be exactly one of “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect” or “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST”, spelled as in the specification:

      urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST
    • When SAML 2.0 single sign-on fails because the session is not authenticated, or this is the first login, redirect to this URL. This is the base URL where the initial SAML 2.0 AuthnRequest is sent using the SAMLRequest parameter:

      https://<IDPBASEURL>/saml2/sso
    • URL to redirect users to after logout, typically back to the portal that enabled the SSO (e.g. http://portal.companya.com/logout):

      external_logout_complete.do

    There are some Service Provider properties that are configurable. These can all remain at their default settings for this setup. They only need to be changed if you:

    • want the ServiceNow SP to request a specific authentication type (AuthnContext) in the AuthnRequest it sends to the Identity Server
    • need the SP to match the user on a different identifier than the default e-mail attribute

    (screenshot)

  4. Navigate to the “SAML 2 Single Sign-on” -> Certificate panel.

    Edit the SAML 2.0 entry and replace the PEM certificate information with the signing certificate you saved above from the NAM configuration (you can simply cut and paste it in). Save the change via the ‘Update’ option. ServiceNow uses this certificate to verify the signature on the assertions the Identity Server sends, so if the Identity Server signing certificate is later renewed or replaced, this entry must be updated as well or SSO will stop working.

    (screenshot)

Testing the configuration

  1. SP-initiated SSO use case: This is the typical use case, where the user tries to access the ServiceNow SP and is redirected to the Identity Server to authenticate. The SAML tracer Firefox plugin is a very useful tool to validate the SAML communication through the browser and troubleshoot any issues.
    • From a browser, access the ServiceNow URL your users use, eg. https://dev004.service-now.com/navpage.do
    • Verify that you get redirected to the Identity Server login page, where you enter your credentials
    • Verify that you get automatically redirected to and logged in to your ServiceNow target URL as the user you logged in as

    The SAML tracer will show the redirect from the SP to the Identity Server and decode the corresponding SAML AuthnRequest:

    <saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
                         AssertionConsumerServiceURL="https://dev004.service-now.com/navpage.do"
                         ForceAuthn="false"
                         ID="SNCb7c7ef5a0f3f3f20ede0dcbe26093a00"
                         IsPassive="false"
                         IssueInstant="2013-05-15T09:27:32.257Z"
                         ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
                         ProviderName="https://dev004.service-now.com/navpage.do"
                         Version="2.0">
        <saml2:Issuer xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">https://dev004.service-now.com</saml2:Issuer>
        <saml2p:NameIDPolicy AllowCreate="true"
                             Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress" />
    </saml2p:AuthnRequest>

    After the user enters their credentials, the SAML tracer tool will decode the Authentication Response from the Identity Server that includes the assertion. Only the Subject, Conditions and AuthnStatement elements of the assertion are shown below. Note the InResponseTo value matching the AuthnRequest ID, the Recipient matching the AssertionConsumerServiceURL, the ten-minute validity window and the Audience equal to the ServiceNow entity ID; a conforming SP checks all of these before accepting the NameID:

    <saml:Subject>
        <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
                     NameQualifier="https://nam32phys.lab.novell.com:8443/nidp/saml2/metadata"
                     SPNameQualifier="https://dev004.service-now.com">ncashell@novell.com</saml:NameID>
        <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
            <saml:SubjectConfirmationData InResponseTo="SNCb7c7ef5a0f3f3f20ede0dcbe26093a00"
                                          NotOnOrAfter="2013-05-15T09:32:48Z"
                                          Recipient="https://dev004.service-now.com/navpage.do" />
        </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-05-15T09:22:48Z"
                     NotOnOrAfter="2013-05-15T09:32:48Z">
        <saml:AudienceRestriction>
            <saml:Audience>https://dev004.service-now.com</saml:Audience>
        </saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2013-05-15T09:27:48Z"
                         SessionIndex="idsc9yCEd1oX8assOr4TQJ0kt4i5c">
        <saml:AuthnContext>
            <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef>
            <saml:AuthnContextDeclRef>secure/name/password/uri</saml:AuthnContextDeclRef>
        </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>

    The following screenshot shows the ServiceNow page presented after logging in to my NAM Identity Server as user ncashell (whose e-mail address is ncashell@novell.com). The above assertion carries this value as the NameID, which the ServiceNow SP uses to single sign-on the user.

    (screenshot)
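    The checks a Service Provider must make before it trusts the NameID shown above, as an added example that is not code from the original article, NetIQ or ServiceNow. It feeds the captured AuthnRequest and the captured Subject/Conditions (re-wrapped in the Response, Status and Assertion elements the snippet omits; the element IDs and Issuer values are assumptions, and the NAM entity ID is assumed to be its metadata URL, which is what appears as NameQualifier in the trace) through the checks the Web Browser SSO profile requires: Success status, expected issuer, NameID format matching the NameIDPolicy, bearer confirmation, InResponseTo tied to the outstanding request, Recipient equal to the AssertionConsumerService URL, the NotBefore/NotOnOrAfter window, and AudienceRestriction. It deliberately does not verify the XML signature; that is what the certificate uploaded in the ServiceNow Certificate panel is for, and a real SP does that first.

```python
"""SP-side checks on a SAML 2.0 Web Browser SSO Response (added example, not NetIQ/ServiceNow code)."""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
SP_ENTITY_ID = "https://dev004.service-now.com"
# Assumption: the NAM IdP entity ID is its metadata URL (it appears as NameQualifier in the trace).
IDP_ENTITY_ID = "https://nam32phys.lab.novell.com:8443/nidp/saml2/metadata"

# Constructed input: the AuthnRequest from the SAML tracer capture, reduced to the parts checked here.
AUTHN_REQUEST = """<saml2p:AuthnRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0"
  ID="SNCb7c7ef5a0f3f3f20ede0dcbe26093a00" IssueInstant="2013-05-15T09:27:32.257Z"
  AssertionConsumerServiceURL="https://dev004.service-now.com/navpage.do"
  ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST">
  <saml2:Issuer>https://dev004.service-now.com</saml2:Issuer>
  <saml2p:NameIDPolicy AllowCreate="true" Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"/>
</saml2p:AuthnRequest>"""

# Constructed input: the captured Subject and Conditions, wrapped in the Response, Status and
# Assertion elements the article's snippet omits (element IDs and Issuer values are assumptions).
RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
  xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="idRespExample"
  IssueInstant="2013-05-15T09:27:48Z" InResponseTo="SNCb7c7ef5a0f3f3f20ede0dcbe26093a00">
  <saml:Issuer>https://nam32phys.lab.novell.com:8443/nidp/saml2/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion Version="2.0" ID="idAssertionExample" IssueInstant="2013-05-15T09:27:48Z">
    <saml:Issuer>https://nam32phys.lab.novell.com:8443/nidp/saml2/metadata</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">ncashell@novell.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="SNCb7c7ef5a0f3f3f20ede0dcbe26093a00"
          NotOnOrAfter="2013-05-15T09:32:48Z" Recipient="https://dev004.service-now.com/navpage.do"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2013-05-15T09:22:48Z" NotOnOrAfter="2013-05-15T09:32:48Z">
      <saml:AudienceRestriction><saml:Audience>https://dev004.service-now.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """xsd:dateTime in UTC ('Z' suffix), with or without fractional seconds."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def validate_response(request_xml, response_xml, now, sp_entity_id, idp_entity_id):
    """Return the NameID the SP may log in, or raise ValueError naming the failed check.
    The XML signature is NOT checked here; a real SP verifies it against the IdP signing
    certificate (the one uploaded in the ServiceNow Certificate panel) before anything else."""
    req = ET.fromstring(request_xml)
    resp = ET.fromstring(response_xml)
    req_id, acs_url = req.get("ID"), req.get("AssertionConsumerServiceURL")
    wanted_format = req.find("samlp:NameIDPolicy", NS).get("Format")

    if resp.find("samlp:Status/samlp:StatusCode", NS).get("Value") != SUCCESS:
        raise ValueError("IdP did not report Success")
    assertion = resp.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in Response")
    if assertion.findtext("saml:Issuer", namespaces=NS) != idp_entity_id:
        raise ValueError("assertion issued by an unexpected IdP")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != wanted_format:
        raise ValueError("NameID missing or not in the format requested by NameIDPolicy")
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation", NS)
    if conf is None or conf.get("Method") != BEARER:
        raise ValueError("Web Browser SSO requires bearer subject confirmation")
    data = conf.find("saml:SubjectConfirmationData", NS)
    if data.get("InResponseTo") != req_id:  # unsolicited or replayed response
        raise ValueError("InResponseTo does not match the outstanding AuthnRequest")
    if data.get("Recipient") != acs_url:   # assertion meant for another endpoint
        raise ValueError("Recipient is not our AssertionConsumerService URL")
    if now >= parse_time(data.get("NotOnOrAfter")):
        raise ValueError("SubjectConfirmationData has expired")

    cond = assertion.find("saml:Conditions", NS)
    if not parse_time(cond.get("NotBefore")) <= now < parse_time(cond.get("NotOnOrAfter")):
        raise ValueError("outside the Conditions validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:  # assertion issued for some other SP
        raise ValueError("assertion was issued for a different audience: %s" % audiences)
    return name_id.text


def check_at(now_iso, sp_entity_id=SP_ENTITY_ID, idp_entity_id=IDP_ENTITY_ID):
    """Validate the captured exchange as seen at now_iso; returns 'REJECT: ...' instead of raising."""
    try:
        return validate_response(AUTHN_REQUEST, RESPONSE, parse_time(now_iso), sp_entity_id, idp_entity_id)
    except ValueError as exc:
        return "REJECT: " + str(exc)
```

    Calling check_at("2013-05-15T09:28:00Z") returns ncashell@novell.com, the value ServiceNow logs in. Calling it with a time after NotOnOrAfter (a replayed response), or with a different sp_entity_id (an assertion issued for some other SP), returns a REJECT line, which is why the ten-minute window and the Audience value in the assertion matter as much as the signature.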

  2. IDP-initiated SSO use case: This use case is typically used when a portal has links to a list of internal applications. By selecting the link pointing to ServiceNow, users log in to the Identity Server and are redirected to the ServiceNow SP with the required assertion.
    • From a browser, access the InterSite Transfer Service URL of your IDP server, passing in the ID of ServiceNow, eg. https://nam32phys.lab.novell.com:8443/nidp/saml2/idpsend?id=ServiceNow
    • Verify that you get redirected to the Identity Server login page, where you enter your credentials
    • Verify that you get automatically redirected to and logged in to your ServiceNow target URL as the user you logged in as.

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.


One Comment

  • pmckeith says:

    This Cool Solution has served us well over the years, but now the current version of Access Manager simplifies configuration by providing a ServiceNow pre-configured connector (one of hundreds) in the Access Manager Application catalog. Check it out!

By: ncashell, May 29, 2013, 11:23 am