ServiceNow - SAML My Page SSO Configuration - RSA Ready Implementation Guide
Originally Published: 2023-09-14

This article describes how to integrate ServiceNow with RSA Cloud Authentication Service using My Page SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using My Page SSO.
Procedure

  1. Sign in to the RSA Cloud Administration Console.
  2. Enable My Page SSO under Access > My Page > Single Sign-On (SSO).
  3. On the Applications > Application Catalog page, search for ServiceNow and click Add to add the connector.
  4. On the Basic Information page, choose Cloud.
  5. Enter a name for the configuration in the Name field and click Next Step.
  6. On the Connection Profile page, select the IdP-initiated option.
  7. Fill in the Service Provider details in the following format:
    1. ACS URL: https://<Service Provider Domain>.service-now.com/navpage.do
    2. Service Provider Entity ID: https://<Service Provider Domain>.service-now.com
  8. In the SAML Response Protection section, choose IdP signs assertion within response.
  9. Select Override default signing key and certificate and click Generate Cert Bundle. Keep the generated public certificate and the IdP metadata at hand; both are pasted into ServiceNow in the next procedure.
  10. Click Show Advanced Configuration and, under the User Identity section, select the Property type and Property value to send as the user identifier. ServiceNow matches this value against the user's email address, so choose the property that holds the user's email.
  11. Click Next Step.
  12. Choose your desired Access Policy for this application.
  13. On the Portal Display page, select Display in Portal.
  14. Click Next Step and click Save and Finish.
  15. Click Publish Changes. Your application is now enabled for SSO.

Configure ServiceNow

Perform these steps to configure ServiceNow.
Procedure
  1. Log in to your ServiceNow instance as an administrator. This guide uses a personal developer instance from https://developer.servicenow.com.
  2. On the developer portal, select Start Building to open the instance (the steps below were written against the ServiceNow classic UI).
    The ServiceNow home page appears.

The Integration - Multiple Provider Single Sign-On Enhanced UI plugin must be installed and activated before SSO can be set up. To confirm that the plugin is installed and activated, perform the following steps:

    1. Select All to open the application navigator.
    2. Search for Multi-Provider SSO in the search bar. This option appears in the list if the plugin is properly installed and activated.

If the plugin is not installed and activated, do so by performing the following steps:

    1. In the application navigator, go to System Definition > Plugins.
    2. Search for Integration - Multiple Provider Single Sign-On Enhanced UI, then install and activate it.
  1. Navigate to Multi-Provider SSO > Federations > Administration > Properties.
    1. Select Enable multiple provider SSO.
    2. Enter email in the User identification field.
  2. Navigate to Multi-Provider SSO > Federations > x509 Certificate.
    1. Click New, enter a Name, and copy-paste the public certificate generated from RSA in the PEM field.
    2. Click Submit.
  3. Navigate to Multi-Provider SSO > Identity Providers, click New, and choose SAML.
  4. Choose the XML option in the Import Identity Provider dialog box. 
  5. Paste the metadata copied from RSA into the Enter the XML section and click Import.

  6. Enter the following details if not auto-populated.
    1. Enter a name for the Identity Provider.
    2. Select the Default checkbox if desired for your configuration.
    3. In the Identity Provider URL field, enter the Identity Provider entity ID (Issuer) from the RSA metadata, and in the Identity Provider's AuthnRequest field, enter the IdP single sign-on URL from the RSA metadata, if the import did not populate them.
    4. In the ServiceNow Homepage field, enter the ACS URL if not already populated - https://<your_instance>.service-now.com/navpage.do
    5. In the Entity ID/Issuer and Audience URI fields, enter https://<your_instance>.service-now.com. This must match the Service Provider Entity ID configured in RSA exactly (no trailing slash), or the assertion's audience check fails.
    6. In the NameID Policy field, enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
    7. In the Advanced section, enter the following if not auto-populated:
      1. User Field - email
      2. NameID Attribute - blank
      3. Protocol Binding for the IDP's AuthnRequest - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect 
      4. Protocol Binding for the IDP's SingleLogoutRequest - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect 
      5. Protocol Binding for the IDP's SingleLogoutResponse - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
      6. AuthnContextClassRef Method - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
    8. In the User Provisioning section, select Update User Record Upon Each Login.
  7. Scroll down to the X.509 Certificates related list.
  8. Click Edit, select the certificate record added previously, and save the selection. ServiceNow uses this certificate to verify the signature on the assertions RSA sends.
  9. Click Update.
  10. Navigate to Multi-Provider SSO > Identity Providers and right-click the Identity Provider name.
  11. Select Copy sys_id.
  12. Navigate to All > User Administration > Users.
  13. Search for your user and select the user.
  14. If the Source field is not shown on the user form, add it using the following steps:
    1. Open the form context menu (the three-line icon in the upper-left corner of the form) and go to Configure > Form Layout.
    2. Add SSO Source to the Selected column.
    3. Click Save.
  15. Edit the user and, in the Source field, enter sso: followed by the sys_id of the identity provider record (sso:<sys_id>).
  16. Click Update to save the changes made to the user.
  17. Navigate to Multi-Provider SSO > Identity Providers.
  18. Select your identity provider record.
  19. Make sure your browser allows pop-ups and click Test Connection.
  20. When the test connection succeeds, select Activate to activate the configuration, then select Set Auto Redirect IdP.
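The two procedures above depend on several values agreeing across the RSA and ServiceNow sides: the Service Provider Entity ID and ACS URL entered in RSA (step 7) must be the same strings entered in the Entity ID/Issuer, Audience URI and ServiceNow Homepage fields, the Identity Provider URL and AuthnRequest fields must come from the RSA metadata, and the PEM pasted into the x509 Certificate record must be the signing certificate that the metadata advertises. The following script is an added example, not RSA or ServiceNow code and not part of the original guide; it parses an IdP metadata document and reports any of those mismatches before you run Test Connection. The metadata, certificate bytes, hostnames and the instance name dev12345 are constructed placeholders. It assumes the standard SAML 2.0 metadata layout and the field mapping stated in the procedure (Identity Provider URL = IdP entityID, Identity Provider's AuthnRequest = the HTTP-Redirect SingleSignOnService location).

```python
"""Added example (not RSA or ServiceNow code): cross-check RSA IdP metadata and
the signing certificate against the values entered on the ServiceNow IdP record."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
HTTP_REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed placeholder bytes standing in for the DER of the RSA-generated certificate.
FAKE_DER = b"constructed-placeholder-certificate-bytes"
FAKE_B64 = base64.b64encode(FAKE_DER).decode()

# Constructed IdP metadata in the shape a SAML 2.0 IdP exports; hostnames are placeholders.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{FAKE_B64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:NameIDFormat>{EMAIL_NAMEID}</md:NameIDFormat>
    <md:SingleSignOnService Binding="{HTTP_REDIRECT}" Location="https://idp.example.com/saml/sso"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# The PEM an admin would paste into Multi-Provider SSO > x509 Certificate (constructed).
SAMPLE_PEM = f"-----BEGIN CERTIFICATE-----\n{FAKE_B64}\n-----END CERTIFICATE-----\n"


def parse_idp_metadata(xml_text):
    """Extract entityID, SSO endpoints by binding, NameID formats and signing certs."""
    root = ET.fromstring(xml_text)
    idp = root.find(f"{MD}IDPSSODescriptor")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall(f"{MD}SingleSignOnService")}
    certs = [
        base64.b64decode("".join(c.text.split()))
        for kd in idp.findall(f"{MD}KeyDescriptor")
        if kd.get("use", "signing") == "signing"  # no 'use' attribute means signing and encryption
        for c in kd.iter(f"{DS}X509Certificate")
    ]
    return {
        "entity_id": root.get("entityID"),
        "sso": sso,
        "nameid_formats": [n.text.strip() for n in idp.findall(f"{MD}NameIDFormat")],
        "signing_certs": certs,
    }


def pem_to_der(pem):
    """Strip the PEM armour and return the raw DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def expected_sp_values(instance):
    """SP-side values the guide tells you to enter, derived from the instance name."""
    base = f"https://{instance}.service-now.com"
    return {"entity_id": base, "acs_url": f"{base}/navpage.do"}


def check_idp_record(record, metadata, pem, instance):
    """Return a list of mismatches between the ServiceNow IdP record and the RSA side."""
    sp = expected_sp_values(instance)
    problems = []
    if record["identity_provider_url"] != metadata["entity_id"]:
        problems.append("Identity Provider URL must equal the IdP entityID (Issuer)")
    if record["authnrequest_url"] != metadata["sso"].get(HTTP_REDIRECT):
        problems.append("Identity Provider's AuthnRequest must be the HTTP-Redirect SingleSignOnService Location")
    if record["servicenow_homepage"] != sp["acs_url"]:
        problems.append(f"ServiceNow Homepage should be {sp['acs_url']}")
    for key in ("entity_id", "audience_uri"):
        if record[key] != sp["entity_id"]:
            problems.append(f"{key} should be {sp['entity_id']} (no trailing slash)")
    if record["nameid_policy"] != EMAIL_NAMEID or EMAIL_NAMEID not in metadata["nameid_formats"]:
        problems.append("NameID Policy must be emailAddress and the IdP must advertise it")
    if fingerprint(pem_to_der(pem)) not in {fingerprint(c) for c in metadata["signing_certs"]}:
        problems.append("x509 Certificate record does not match the IdP signing certificate in the metadata")
    return problems


# Values as an admin would have typed them into the ServiceNow Identity Provider record.
SAMPLE_RECORD = {
    "identity_provider_url": "https://idp.example.com/saml",
    "authnrequest_url": "https://idp.example.com/saml/sso",
    "servicenow_homepage": "https://dev12345.service-now.com/navpage.do",
    "entity_id": "https://dev12345.service-now.com",
    "audience_uri": "https://dev12345.service-now.com",
    "nameid_policy": EMAIL_NAMEID,
}

if __name__ == "__main__":
    md = parse_idp_metadata(SAMPLE_METADATA)
    for line in check_idp_record(SAMPLE_RECORD, md, SAMPLE_PEM, "dev12345") or ["OK: record matches metadata"]:
        print(line)
```

To use it against a real configuration, replace SAMPLE_METADATA with the metadata exported from RSA, SAMPLE_PEM with the certificate you pasted into the x509 Certificate record, and SAMPLE_RECORD with the field values from the Identity Provider form. An empty result means the values agree; each reported line names the field to correct before activating the IdP.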

 

The configuration is complete.