ServiceNow SSO integration with Identity Cloud as SAML identity provider

Last updated Apr 27, 2022

The purpose of this article is to provide information on how to configure ForgeRock Identity Cloud to integrate with ServiceNow® using SAML2 federation for Single Sign-On (SSO). It assumes Identity Cloud is acting as the identity provider (IdP) and ServiceNow as the service provider (SP).


Overview

This article describes how to enable your users to sign in to ServiceNow with Identity Cloud using SAML2 SSO in an SP-initiated flow. It assumes Identity Cloud is acting as the SAML IdP and ServiceNow as the SP. Once configured, ServiceNow end users will be presented with the ForgeRock Sign In screen to authenticate before being redirected back to ServiceNow. 

The steps in this article assume that you have already set up a matching test user in Identity Cloud and ServiceNow, or that you are using ForgeRock's ServiceNow connector for user provisioning. If you require auto-provisioning, you can find the details in the ServiceNow documentation.

Steps involved:

  1. Create a Circle of Trust (COT)
  2. Create the hosted IdP in Identity Cloud
  3. Configure ServiceNow 
  4. Create the remote SP in Identity Cloud
  5. Test the SSO connection
  6. Troubleshooting

Prerequisites

  • You have a working Identity Cloud tenant.
  • You have a ServiceNow administrator account.
  • You have configured an account recovery user on your ServiceNow instance. Account recovery is required when SSO is enabled.
  • You have set up a test user in Identity Cloud and ServiceNow or you are using ForgeRock's ServiceNow connector for provisioning users. See ServiceNow connector for further information.

Creating a Circle of Trust (COT)

  1. In the Identity Cloud admin UI, go to Native Consoles > Access Management > Applications > Federation > Circles of Trust and click Add Circle of Trust.
  2. Enter a name (no spaces) for your new COT, for example, ForgeRockCOT, and click Create.
  3. Add a description for the COT and click Save Changes.

Creating the hosted IdP in Identity Cloud

Create a hosted IdP

  1. In the Identity Cloud admin UI, go to Native Consoles > Access Management > Applications > Federation > Entity Providers and click Add Entity Provider followed by Hosted.
  2. Complete the following configuration:
    • Entity ID: Enter an ID (no special characters or spaces) for your hosted identity provider, for example, ForgeRockIDP.
    • Entity Provider Base URL: Verify the default URL is correct. This URL is used for all SAML2 related endpoints, so ensure other entities in your SAML deployment are able to access the specified URL.
    • Identity Provider Meta Alias: Enter a URL-friendly value to identify the identity provider, for example, idp.
    • Service Provider Meta Alias: Leave blank because we're only creating a hosted IdP.
    • Circles of Trust: Select the COT you created, for example, ForgeRockCOT.
  3. Click Create.

Generate the hosted IdP metadata

You'll use the IdP metadata when you configure SAML SSO in ServiceNow.

To access the IdP metadata, navigate to the metadata URL in your browser, in the following format:

https://<tenant-name>.forgeblocks.com/am/saml2/jsp/exportmetadata.jsp?entityid=[entityID]&realm=/[realmname]

In our example, the [entityID] is ForgeRockIDP and the [realmname] is alpha.

See How do I export and import SAML2 metadata in Identity Cloud? for further information.
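
Before pasting the metadata URL into ServiceNow, it is worth checking what the exported document actually advertises. The following Python is an added example, not ForgeRock or ServiceNow code: it parses a constructed stand-in for the exported IdP metadata (the tenant name, endpoint paths and certificate are placeholders) and flags anything that would break or weaken the import.

```python
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for what exportmetadata.jsp returns for entity ID ForgeRockIDP
# in realm alpha with meta alias idp (tenant name and certificate are placeholders).
SAMPLE_IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="ForgeRockIDP">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>PLACEHOLDER_BASE64_CERT</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tenant-name.forgeblocks.com/am/IDPSloRedirect/metaAlias/alpha/idp"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://tenant-name.forgeblocks.com/am/SSORedirect/metaAlias/alpha/idp"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://tenant-name.forgeblocks.com/am/SSOPOST/metaAlias/alpha/idp"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def summarize_idp_metadata(xml_text):
    """Extract what ServiceNow imports: entityID, SSO/SLO endpoints by binding, signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("not IdP metadata: no IDPSSODescriptor element")
    def endpoints(tag):  # {"HTTP-POST": location, ...}
        return {e.get("Binding").rsplit(":", 1)[-1]: e.get("Location") for e in idp.findall(tag, NS)}
    certs = idp.findall("md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    return {"entity_id": root.get("entityID"), "sso": endpoints("md:SingleSignOnService"),
            "slo": endpoints("md:SingleLogoutService"), "signing_certs": len(certs)}

def check_idp_metadata(xml_text, expected_entity_id, tenant_base_url):
    """Return problems that would break or weaken the ServiceNow import; [] means OK."""
    info = summarize_idp_metadata(xml_text)
    problems = []
    if info["entity_id"] != expected_entity_id:
        problems.append(f"entityID is {info['entity_id']!r}, expected {expected_entity_id!r}")
    if not ({"HTTP-Redirect", "HTTP-POST"} & set(info["sso"])):
        problems.append("no SingleSignOnService endpoint for HTTP-Redirect or HTTP-POST")
    if info["signing_certs"] == 0:
        problems.append("no signing certificate: ServiceNow could not verify assertions")
    for binding, url in list(info["sso"].items()) + list(info["slo"].items()):
        if not url.startswith(tenant_base_url):  # endpoint outside the Entity Provider Base URL
            problems.append(f"{binding} endpoint {url} is not under {tenant_base_url}")
    return problems
```

The summary also tells you whether a SingleLogoutService endpoint is advertised, which is what you will delete from the ServiceNow IdP record later if you are not configuring SLO.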

Configuring ServiceNow

Disclaimer

ForgeRock assumes no responsibility for errors or omissions in the third-party software or documentation.

To complete the steps below, you must be logged in to ServiceNow as an Administrator.

Install and activate the Multiple Provider Single Sign-On plugins

  1. In the ServiceNow application navigator, go to All > System Applications > Studio > All Available Applications > All.
  2. Search for com.snc.integration.sso.multi by filtering in the search bar.
  3. Install and activate both the plugins:
    • Multiple Provider Single Sign-On Enhanced UI
    • Multiple Provider Single Sign-On

Enable SAML SSO

  1. In the ServiceNow application navigator, go to All > Multi-Provider SSO > Federations > Administration > Properties.
  2. Select Enable Multiple provider SSO.
  3. Click Save.

See Configure Multi-Provider SSO properties in the ServiceNow documentation for further information.

Configure the ForgeRock IdP

  1. Go to All > Multi-Provider SSO > Identity Providers.
  2. Click New.
  3. Choose SAML and paste in the URL of the IdP metadata from Identity Cloud, in the format https://<tenant-name>.forgeblocks.com/am/saml2/jsp/exportmetadata.jsp?entityid=[entityID]&realm=/[realmname]. In our example, the [entityID] is ForgeRockIDP and the [realmname] is alpha.
  4. Click Import. Once imported, ServiceNow auto-fills the IdP fields based on your IdP metadata. See SAML 2.0 configuration using Multi-Provider SSO in the ServiceNow documentation for further information.
  5. Check the details and make the necessary changes to the configuration:
    • Default: Select if you want the ForgeRock IdP to be the default.
    • Identity Provider's SingleLogoutRequest: Delete the URL if you are not configuring Single Logout (SLO).
  6. Scroll down to the Encryption and Signing tab and complete the required configuration:
    • Signing/Encryption Key Alias: Enter saml2sp (unless you have previously set a different alias name). This field must be populated.
    • Sign AuthnRequest: Deselect this check box if it is selected.
  7. Click the Advanced tab and complete the required configuration:
    • User Field: Enter email.
    • Single Sign-on Script: Make sure this is MultiSSOv2_SAML2_Custom.
    • Create AuthnContextClass: Select this check box.
    • Protocol Binding for the IDP's SingleLogoutRequest: Delete this if you are not configuring Single Logout (SLO).
    • Protocol Binding for the IDP's SingleLogoutResponse: Delete this if you are not configuring Single Logout (SLO).
  8. Click Update to save the changes.
  9. Click Generate Metadata.
  10. Copy the XML output to an .xml file. You'll need this when you create the remote SP in Identity Cloud.

Creating the remote SP in Identity Cloud

  1. In the Identity Cloud admin UI, go to Native Consoles > Access Management > Applications > Federation > Entity Providers and click Add Entity Provider followed by Remote.
  2. Import the .xml file that you exported from ServiceNow, and select the COT you created (for example, ForgeRockCOT).
  3. Click Create.
  4. Select the Assertion Processing tab and configure the attribute mapping for your assertion. You need to specify the name of a SAML attribute to send to ServiceNow that maps to the mail attribute (this will use the email address from the identity in Identity Cloud):

     SAML Attribute    Local Attribute
     email             mail

  5. Click Add.

The Attribute Map appears similar to this:

  6. Scroll down and click Save Changes.
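
To show why the SAML attribute name in this map has to line up with the User Field you set in ServiceNow, here is an added example (not ForgeRock or ServiceNow code) that models the SP side with a constructed assertion and user table. The audience URL, assertion ID and timestamps are made-up values, and signature verification is assumed to have already been done by the real SP.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion in the shape the email -> mail map above produces
# (signature omitted; ID, times and audience are made-up values).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-1" Version="2.0" IssueInstant="2022-04-27T10:00:00Z">
  <saml:Issuer>ForgeRockIDP</saml:Issuer>
  <saml:Conditions NotBefore="2022-04-27T09:59:00Z" NotOnOrAfter="2022-04-27T10:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://tenant-name.service-now.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="email">
      <saml:AttributeValue>test.user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the SP's user table; "email" is the User Field chosen in ServiceNow.
SAMPLE_USERS = [{"user_name": "test.user", "email": "test.user@example.com"},
                {"user_name": "someone.else", "email": "someone.else@example.com"}]

def utc_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def resolve_user(assertion_xml, issuer, audience, user_field, now, users=SAMPLE_USERS):
    """Model of the SP side: accept the assertion only from the expected issuer, for the
    expected audience, inside its validity window; then match the attribute named
    user_field against the same-named column. Returns the user_name or None.
    Signature verification is deliberately left out (the real SP does it before this)."""
    root = ET.fromstring(assertion_xml)
    if root.findtext("saml:Issuer", namespaces=NS) != issuer:
        return None
    cond = root.find("saml:Conditions", NS)
    if cond is None or not (utc_time(cond.get("NotBefore")) <= now < utc_time(cond.get("NotOnOrAfter"))):
        return None
    if audience not in [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]:
        return None
    values = [attr.findtext("saml:AttributeValue", namespaces=NS)
              for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS)
              if attr.get("Name") == user_field]
    if len(values) != 1:  # attribute missing or ambiguous: refuse rather than guess
        return None
    matches = [u["user_name"] for u in users if u.get(user_field) == values[0]]
    return matches[0] if len(matches) == 1 else None
```

Calling resolve_user with user_field "mail" instead of "email" returns None for the same assertion, which is the failure you see when the SAML attribute name and the ServiceNow User Field do not agree.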

Testing the SSO connection

You cannot activate the Identity Cloud IdP until you have a successful test connection. See Testing IdP connections in the ServiceNow documentation for further information.

  1. Make sure you have logged out of your Identity Cloud tenant before testing the connection.
  2. In ServiceNow, go to All > Multi-Provider SSO > Identity Providers and select the IdP you configured for Identity Cloud.
  3. Click Test Connection. 

You should be redirected to the Identity Cloud Sign In screen. 

  4. Enter your test user's username and password and click Next.

After successful SSO sign-in, the SSO Login Test Results are displayed, similar to this:

Note that we have not set up SSO logout, so those tests will fail as expected.

  5. Click Activate to activate the SSO connection for your users.

Next Steps

You can now configure ServiceNow to allow users in your organization to use SSO in an SP-initiated flow. 

See Configure users for Multi-Provider SSO in the ServiceNow documentation for further information.

Troubleshooting

If your test SSO connection fails, refer to the following sections of the ServiceNow documentation:

To enable the debug messages to appear at the bottom of the content frame in ServiceNow:

  • Go to All > Multi-Provider SSO > Federations > Administration > Properties and select the Enable debug logging for the Multi-Provider SSO integration check box.

See Also

SAML2 Federation in Identity Cloud

Configuring IDPs, SPs, and CoTs


Copyright and Trademarks

Copyright © 2022 ForgeRock, all rights reserved.