This article describes how to integrate RSA with ServiceNow using SAML Relying Party.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service as Relying Party to ServiceNow.
Procedure

1. Sign in to RSA Cloud Administration Console. 

2. Click Authentication Clients > Relying Parties.

                                                                                                                                

3. On the Relying Party Catalog page, click Add a Relying Party and click Add for Service Provider SAML.

                                   

4. On the Basic Information page, enter the name for the application in the Name field and click Next Step.                                                
5. On the Authentication page, choose SecurID manages all authentication.
6. In the Primary Authentication Method list, select your desired login method.
7. In the Access Policy list, select a policy that was previously configured.
    
8. Click Next Step.
9. Choose Enter Manually. 
    
10. Scroll down to the Service Provider Metadata section. 
    
    
    1. Assertion Consumer Service (ACS) – https://<Service provider domain>.service-now.com/navpage.do.
    2. Audience (Service Provider Issuer ID) – https://< Service provider domain >.service-now.com.
11. Choose Default Service Provide Entity ID.
    
12. Click Download Certificate and choose IdP signs assertion within response.
    
13. Click Show Advanced Configuration.
14. In the NameID section, use the Identifier Type list to select Email Address and the Property list to select AutoDetect.
15. Click Save and Finish.
16. On the My Relying Parties page, click the Edit drop-down icon and select View or Download IdP Metadata.
17. Click Publish Changes. 

                                                                                                               

Configure ServiceNow 

Perform these steps to configure ServiceNow.
Procedure

1. Log in to ServiceNow admin console - https://developer.servicenow.com.
2. Select Start Building if you are using ServiceNow classic.
   The ServiceNow home page appears. 
   

The Integration - Multiple Provider single sign-on Enhanced UI plugin needs to be installed and activated for setting up SSO. To confirm that the plugin is installed and activated, perform the following steps:

1. 1. Select All.
   2. Search for Multi-Provider SSO in the search bar. This option appears in the list if the plugin is properly installed and activated.
      

If the plugin is not installed and activated, do so by performing the following steps:

2. 1. In the left pane, search for the System Definition section in the search box, and then select Plugins.
      
   2. Search for Integration - Multiple Provider single sign-on Enhanced UI, and then Install and activate it.
      
3. Navigate to Multi-Provider SSO > Federations > Administration > Properties.
   1. Select Enable multiple provider SSO.
   2. Enter email in the User identification field.
      
4. Navigate to Multi-Provider SSO >Federations> x509 Certificate.
   1. Click New, enter a Name, and copy-paste the public certificate generated from RSA in the PEM field.
   2. Click Submit.
5. Navigate to Multi-Provider SSO > Identity Providers and click New > SAML.
6. Choose the XML option in the Import Identity Provider dialog box. 
7. Paste the metadata copied from RSA into the Enter the XML section and click Import.
   
   
8. Enter the following details if not auto-populated.
   1. Enter a name for the Identity Provider.
   2. Select the Default checkbox if desired for your configuration.
   3. In the Identity Provider URL and Identity Provider’s AuthRequest fields, enter the Identity Provider entity ID if not already populated.
   4. In the ServiceNow Homepage field, enter the ACS URL if not already populated - https://<your_instance>.service-now.com/navpage.do
   5. In the Entity ID/Issuer and Audience URI field, enter https://<your_instance>.service-now.com.
   6. In the NameID Policy field, enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
   7. In the Advanced section, enter the following if not auto-populated:
      1. User Field - email
      2. NameID Attribute - blank
      3. Protocol Binding for the IDP's AuthnRequest - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect 
      4. Protocol Binding for the IDP's SingleLogoutRequest - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect 
      5. Protocol Binding for the IDP's SingleLogoutResponse - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
      6. urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport in the AuthnContextClassRef Method field
         
   8. In the User Provisioning section, select Update User Record Upon Each Login.
9. Scroll down to the X.509 Certificates section.
10. Select Edit and select the certificate added previously and save the selection.
11. Click Update.
    
12. Navigate to Multi-Provider SSO > Identity Providers and right-click the Identity Provider name.
13. Select Copy sys_id.
    
14. Navigate to All > User Administration > Users.
15. Search for your user and select the user.
16. If a column named source is unavailable, add it using the following steps:
    1. Click the hamburger icon in the upper-left corner of the page and go to Configure > Form Layout.
       
    2. Add SSO Source to the Selected column.
       
    3. Click Save.
17. Edit the user and add sso: followed by sys_id of the identity provider’s record to source attribute.
    
18. Click Update to complete the changes made to the user.
19. Select All > Identity Providers.
20. Select your identity provider record.
21. Make sure the browser pop-up is allowed and click Test Connection.
22. On successful test connection result, select Activate to activate the configuration and select Set Auto Redirect IdP.

 

The configuration is complete.
Return to ServiceNow - RSA Ready Implementation Guide.