ServiceNow SSO integration with Identity Cloud as SAML identity provider
The purpose of this article is to provide information on how to configure ForgeRock Identity Cloud to integrate with ServiceNow® using SAML2 federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and ServiceNow as the service provider (SP).
Overview
The steps in this article assume that you have already set up a matching test user in Identity Cloud and ServiceNow or that you are using ForgeRock's ServiceNow connector for user provisioning. If you require auto-provisioning, you can find the details in the ServiceNow documentation.
Prerequisites
- You have a working Identity Cloud tenant.
- You have a ServiceNow administrator account.
- You have configured an account recovery user on your ServiceNow instance. Account recovery is required when SSO is enabled so that an administrator can still sign in locally if the IdP is unavailable or misconfigured.
- You have set up a test user in Identity Cloud and ServiceNow or you are using ForgeRock's ServiceNow connector for provisioning users. See ServiceNow connector for further information.
Creating a Circle of Trust (COT)
- In the Identity Cloud admin UI, go to Native Consoles > Access Management > Applications > Federation > Circles of Trust and click Add Circle of Trust.
- Enter a name (no spaces) for your new COT, for example, ForgeRockCOT, and click Create.
- Add a description for the COT and click Save Changes.
Creating the hosted IdP in Identity Cloud
Create a hosted IdP
- In the Identity Cloud admin UI, go to Native Consoles > Access Management > Applications > Federation > Entity Providers and click Add Entity Provider followed by Hosted.
- Complete the following configuration:
- Entity ID: Enter an ID (no special characters or spaces) for your hosted identity provider, for example, ForgeRockIDP.
- Entity Provider Base URL: Verify the default URL is correct. This URL is used for all SAML2 related endpoints, so ensure other entities in your SAML deployment are able to access the specified URL.
- Identity Provider Meta Alias: Enter a URL-friendly value to identify the identity provider, for example, idp.
- Service Provider Meta Alias: Leave blank because we're only creating a hosted IdP.
- Circles of Trust: Select the COT you created, for example, ForgeRockCOT.
- Click Create.
Generate the hosted IdP metadata
You'll use the IdP metadata when you configure SAML SSO in ServiceNow.
To access the IdP metadata, navigate to the metadata URL in your browser, in the following format:
https://<tenant-name>.forgeblocks.com/am/saml2/jsp/exportmetadata.jsp?entityid=[entityID]&realm=/[realmname]
In our example, the [entityID] is ForgeRockIDP and the [realmname] is alpha.
See How do I export and import SAML2 metadata in Identity Cloud? for further information.
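ServiceNow imports the entity ID, the SSO and SLO endpoints and the signing certificate from this metadata, and from then on trusts assertions signed with that certificate. The following script is an added example (not from the article, Identity Cloud or ServiceNow) that summarizes an IdP metadata document and flags what to fix before importing it: a missing signing certificate, non-HTTPS endpoints, and SingleLogoutService entries that you will otherwise have to delete in ServiceNow if you are not configuring SLO. The embedded sample is constructed; the tenant name example-tenant, the endpoint paths and the certificate bytes are invented for the example.

```python
# Added example (not from the original article): inspect the hosted IdP
# metadata before handing its URL to ServiceNow, so that the entity ID,
# endpoints and signing certificate you are about to trust are the ones you
# expect. Uses only the standard library.
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample shaped like the exportmetadata.jsp output for the hosted
# IdP in this article. The tenant name, endpoint paths and certificate bytes
# are invented for the example.
SAMPLE_CERT_B64 = base64.b64encode(b"constructed certificate bytes, not a real X.509 DER").decode()
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="ForgeRockIDP">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{SAMPLE_CERT_B64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.forgeblocks.com/am/IDPSloRedirect/metaAlias/alpha/idp"/>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://example-tenant.forgeblocks.com/am/SSORedirect/metaAlias/alpha/idp"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://example-tenant.forgeblocks.com/am/SSOPOST/metaAlias/alpha/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def sha256_fingerprint(cert_b64: str) -> str:
    """SHA-256 fingerprint of the DER certificate, the form most tools display it in."""
    return hashlib.sha256(base64.b64decode(cert_b64)).hexdigest()


def summarize_idp_metadata(xml_text: str) -> dict:
    """Extract what ServiceNow will import from IdP metadata and list anything to fix first."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not a SAML EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # Happens when entityid= names an SP, or the realm in the URL is wrong.
        raise ValueError("no IDPSSODescriptor: check the entityid and realm parameters")

    def endpoints(tag):
        # Keyed by the short binding name, e.g. "HTTP-POST" -> Location URL.
        return {e.get("Binding", "").rsplit(":", 1)[-1]: e.get("Location") for e in idp.findall(tag, NS)}

    certs = [
        c.text.strip()
        for kd in idp.findall("md:KeyDescriptor", NS)
        if kd.get("use") in (None, "signing")  # no 'use' means the key serves both purposes
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    ]
    summary = {
        "entity_id": root.get("entityID"),
        "wants_signed_authn_requests": idp.get("WantAuthnRequestsSigned") == "true",
        "sso": endpoints("md:SingleSignOnService"),
        "slo": endpoints("md:SingleLogoutService"),
        "signing_fingerprints": [sha256_fingerprint(c) for c in certs],
        "warnings": [],
    }
    if not certs:
        summary["warnings"].append("no signing certificate: ServiceNow cannot verify assertion signatures")
    if "HTTP-POST" not in summary["sso"] and "HTTP-Redirect" not in summary["sso"]:
        summary["warnings"].append("no HTTP-POST or HTTP-Redirect SingleSignOnService endpoint")
    if summary["slo"]:
        summary["warnings"].append("SingleLogoutService endpoints present: delete them in ServiceNow unless you configure SLO")
    for url in list(summary["sso"].values()) + list(summary["slo"].values()):
        if not (url or "").startswith("https://"):
            summary["warnings"].append(f"endpoint is not HTTPS: {url}")
    return summary


if __name__ == "__main__":
    import json
    import sys
    # Pipe the real metadata in (curl -s '<metadata URL>' | python3 this_script.py)
    # or run without input to see the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_METADATA
    print(json.dumps(summarize_idp_metadata(text), indent=2))
```

Compare the printed signing fingerprint with the certificate ServiceNow shows on the imported IdP record, and with the key Identity Cloud reports for the hosted IdP, so that a wrong entityid or realm in the URL is caught before users are routed through it.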
Configuring ServiceNow
Disclaimer
ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.
To complete the steps below, you must be logged in to ServiceNow as an Administrator.
Install and activate the Multiple Provider Single Sign-On plugins
- In the ServiceNow application navigator, go to All > System Applications > Studio > All Available Applications > All.
- Search for com.snc.integration.sso.multi by filtering in the search bar.
- Install and activate both plugins:
- Multiple Provider Single Sign-On Enhanced UI
- Multiple Provider Single Sign-On
Enable SAML SSO
- In the ServiceNow application navigator, go to All > Multi-Provider SSO > Federations > Administration > Properties.
- Select Enable Multiple provider SSO.
- Click Save.
See Configure Multi-Provider SSO properties in the ServiceNow documentation for further information.
Configure the ForgeRock IdP
- Go to All > Multi-Provider SSO > Identity Providers.
- Click New.
- Choose SAML and paste in the URL of the IdP metadata from Identity Cloud, in the format https://<tenant-name>.forgeblocks.com/am/saml2/jsp/exportmetadata.jsp?entityid=[entityID]&realm=/[realmname]. In our example, the [entityID] is ForgeRockIDP and the [realmname] is alpha.
- Click Import. Once imported, ServiceNow auto-fills the IdP fields based on your IdP metadata. See SAML 2.0 configuration using Multi-Provider SSO in the ServiceNow documentation for further information.
- Check the details and make the necessary changes to the configuration:
- Default: Select if you want the ForgeRock IdP to be the default.
- Identity Provider's SingleLogoutRequest: Delete the URL if you are not configuring Single Logout (SLO).
- Scroll down to the Encryption and Signing tab and complete the required configuration:
- Signing/Encryption Key Alias: Enter saml2sp (unless you have previously set a different alias name). This field must be populated.
- Sign AuthnRequest: Deselect this check box if it is selected.
- Click the Advanced tab and complete the required configuration:
- User Field: Enter email. This is the ServiceNow user record field that is matched against the identifier in the assertion, so the value must be identical in Identity Cloud and ServiceNow; a user whose value differs between the two systems cannot be matched.
- Single Sign-on Script: Make sure this is MultiSSOv2_SAML2_Custom.
- Create AuthnContextClass: Select this check box.
- Protocol Binding for the IDP's SingleLogoutRequest: Delete this if you are not configuring Single Logout (SLO).
- Protocol Binding for the IDP's SingleLogoutResponse: Delete this if you are not configuring Single Logout (SLO).
- Click Update to save the changes.
- Click Generate Metadata.
- Copy the XML output to an .xml file. You'll need this when you create the remote SP in Identity Cloud.
Creating the remote SP in Identity Cloud
- In the Identity Cloud admin UI, go to Native Consoles > Access Management > Applications > Federation > Entity Providers and click Add Entity Provider followed by Remote.
- Import the .xml file that you exported from ServiceNow, and select the COT you created (for example, ForgeRockCOT).
- Click Create.
- Select the Assertion Processing tab and configure the attribute mapping for your assertion. You need to specify the name of a SAML attribute to send to ServiceNow that maps to the mail attribute (this uses the email address of the identity in Identity Cloud):

SAML Attribute | Local Attribute
---|---
email | mail

- Click Add.
The Attribute Map appears similar to this:
- Scroll down and click Save Changes.
Testing the SSO connection
You cannot activate the Identity Cloud IdP until you have a successful test connection. See Testing IdP connections in the ServiceNow documentation for further information.
- Make sure you have logged out of your Identity Cloud tenant before testing the connection.
- In ServiceNow, go to All > Multi-Provider SSO > Identity Providers and select the IdP you configured for Identity Cloud.
- Click Test Connection.
You should be redirected to the Identity Cloud Sign In screen.
- Enter your test user's username and password and click Next.
After successful SSO sign-in, the SSO Login Test Results are displayed, similar to this:
Note that we have not set up SSO logout, so those tests will fail as expected.
- Click Activate to activate the SSO connection for your users.
Next Steps
You can now configure ServiceNow to allow users in your organization to use SSO in an SP-initiated flow.
See Configure users for Multi-Provider SSO in the ServiceNow documentation for further information.
Troubleshooting
If your test SSO connection fails, refer to the following sections of the ServiceNow documentation:
- Common IdP connection errors
- Multi-SSO (SAML 2.0) errors and fixes
- Troubleshoot script issues with SAML
To enable the debug messages to appear at the bottom of the content frame in ServiceNow:
- Go to All > Multi-Provider SSO > Federations > Administration > Properties and select the Enable debug logging for the Multi-Provider SSO integration check box.
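When the ServiceNow debug log is not enough, the quickest check is to look at what Identity Cloud actually sent. The browser's developer tools show the POST to the ServiceNow ACS URL; its SAMLResponse form field is the base64-encoded response. The script below is an added example (not from the article, Identity Cloud or ServiceNow) that decodes such a response and checks the points the configuration above depends on: a Success status, an Issuer equal to the IdP entity ID (ForgeRockIDP), an Audience equal to ServiceNow's SP entity ID, the Conditions window against a supplied time, and exactly one value for the User Field attribute (email) produced by the attribute map in the remote SP section. The embedded response, the ServiceNow entity ID https://example.service-now.com, the timestamps and the user values are all constructed for the example; signature verification is left to ServiceNow.

```python
# Added example (not from the original article): decode a SAMLResponse captured
# from the browser (the base64 "SAMLResponse" form field that Identity Cloud
# POSTs to ServiceNow) and check the things this configuration depends on.
# Standard library only; signature verification is left to ServiceNow.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed, unsigned response shaped like the one Identity Cloud would send
# with the email -> mail attribute map from this article. The ServiceNow entity
# ID, timestamps and user values are invented for the example.
SAMPLE_RESPONSE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
  <saml:Issuer>ForgeRockIDP</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-05-01T12:00:00Z">
    <saml:Issuer>ForgeRockIDP</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">7f3c9a</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-05-01T11:59:00Z" NotOnOrAfter="2024-05-01T12:10:00Z">
      <saml:AudienceRestriction><saml:Audience>https://example.service-now.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="email"><saml:AttributeValue>test.user@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""
SAMPLE_RESPONSE_B64 = base64.b64encode(SAMPLE_RESPONSE_XML.encode()).decode()


def saml_time(value: str) -> datetime:
    """Parse a SAML UTC timestamp such as 2024-05-01T12:00:00Z into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def check_saml_response(saml_response_b64: str, idp_entity_id: str, sp_entity_id: str,
                        user_field: str, now: datetime) -> list:
    """Return a list of problems; an empty list means the response fits this SSO setup.

    `now` must be timezone-aware (for example datetime.now(timezone.utc) or saml_time(...)).
    """
    problems = []
    root = ET.fromstring(base64.b64decode(saml_response_b64))

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    status_value = status.get("Value", "") if status is not None else "missing"
    if not status_value.endswith(":Success"):
        problems.append(f"IdP returned non-success status {status_value}")

    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        problems.append("no plaintext Assertion (encrypted? ServiceNow needs the saml2sp key to decrypt it)")
        return problems

    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != idp_entity_id:
        problems.append(f"Issuer {issuer!r} is not the IdP entity ID {idp_entity_id!r}")

    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_on_or_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        # A response the IdP considers valid but the SP rejects is often clock skew.
        if not_before and now < saml_time(not_before):
            problems.append("outside validity window: NotBefore is in the future, check clock skew")
        if not_on_or_after and now >= saml_time(not_on_or_after):
            problems.append("outside validity window: NotOnOrAfter has passed, check clock skew or replay")
        audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
        if sp_entity_id not in audiences:
            problems.append(f"Audience {audiences} does not include the ServiceNow entity ID {sp_entity_id!r}")

    if assertion.find("saml:Subject/saml:NameID", NS) is None:
        problems.append("Subject has no NameID")

    attributes = {
        a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
        for a in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    values = attributes.get(user_field, [])
    if len(values) != 1 or not values[0].strip():
        problems.append(f"User Field attribute {user_field!r} must appear once with a value; "
                        f"assertion carries {sorted(attributes)}")
    return problems
```

An empty list from check_saml_response means the failure is on the ServiceNow side (user lookup, script, or signature), which narrows the search to the ServiceNow documentation links above; a reported Audience or Issuer mismatch points back at the entity IDs on the two Entity Providers in Identity Cloud.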