Integrate Asgardeo as an External IDP in Servicenow

Chinthaka Weerakkody
8 min read · Dec 16, 2022

In a previous Medium post, a detailed guide was provided on how to integrate WSO2 Identity Server as an external IDP in Servicenow. If you need to have a look at it, you can use the link below to access that post.

Note: I'll be referring to the reusable sections of the above post for this integration.

Asgardeo is the identity as a service (IDaaS) offering provided by WSO2. This post provides a step-by-step guide on how to integrate Asgardeo as an external IDP in Servicenow.

Before starting the integration you need to obtain a Servicenow instance. The Prerequisites section of the Integrate WSO2 Identity Server as an External IDP in Servicenow post contains a guide on how to obtain one. The URL of that instance will be referred to as <INSTANCE_URL> in the rest of this post.

Next, you have to sign up for Asgardeo if you don't have an Asgardeo account yet. During the sign-up process you have to select a name for your organization in Asgardeo. The organization name will be referred to as <ASGARDEO_ORG> in the rest of this post.

Now that we have an Asgardeo account and a Servicenow instance, let's start the integration. It is covered under the following topics.

  1. Configure the Application in Asgardeo
  2. Configure the Identity Provider(IDP) in Servicenow
  3. Testing the integration

Configure the Application in Asgardeo

  1. Log in to the Asgardeo console.
  2. Go to Develop > Applications.
  3. Click on New Application, which will open the following screen.
Register New Application Screen

4. Click on Traditional Web Application and fill in the following form.

Name : Suitable Name for the Application

Protocol : SAML

Issuer : <INSTANCE_URL>

Assertion consumer service URLs : <INSTANCE_URL>/navpage.do

5. Click Register. This will redirect the browser to the application details page.

Application Details Page

6. Click on the User Attributes tab in the above window, then click on the Add User Attribute button in that tab. This will pop up the list of available user attributes. Search for Email in the search bar, tick the Email attribute and click on Save.

Application User Attributes Page

7. On the above page, under the Subject section, set the Subject Attribute to Email and click on Update. This completes setting up the application in Asgardeo.

8. To create the IDP in Servicenow, the SAML metadata file of the application created above will be helpful. Follow the steps below to download the SAML metadata file.

9. Go to Develop > Applications

10. From the list of applications, click on the application which was created previously. In the window that opens, select the Info tab.

11. Click on the Download IDP Metadata button, which will download the IDP metadata file to your local computer. This file will be used in the next section while creating the identity provider in Servicenow.

Download IDP Metadata file for Application

12. To test the integration, a user account has to be created in Asgardeo. For that, go to Manage > Users.

13. Click on Add User and fill in the following form.

Add User form in Asgardeo

Email : Username of the user

First Name (Optional) : First name of the user

Last Name (Optional) : Last name of the user

Select the Set a temporary password for the user option.

Password : Enter an appropriate password for the user

14. Clicking on Next will show a screen for assigning groups to the new user. Click on Next without assigning any groups to the user. Then click on Close, which will create the user in the system.

Configure the Identity Provider(IDP) in Servicenow

  1. Log in to the Servicenow instance/PDI as an administrator. Your browser will be redirected to the Servicenow platform UI.
Servicenow Platform UI

2. Click on the All button located in the top left and click on the Pin All menu option.

Pin All menu option in Platform UI
Pinned Menu in Platform UI

3. Integrating external identity providers with Servicenow is disabled by default. It has to be enabled by installing a plugin. Use this guide to install the plugin.

4. Next, the account recovery properties have to be enabled. From the left navigation pane of the Servicenow platform UI, navigate to Multi-Provider SSO > Account Recovery > Properties. Enable the account recovery option and then do Step 2 of that screen to set up account recovery for the admin account you are logged in with.

5. Clicking on the link in Step 2 will show a popup for setting up Multi-Factor Authentication (MFA) for the admin account. Following the steps in the popup will enable the Enable Account Recovery button in the popup. Click on that button. Then click on the Save button on the Account Recovery Properties page.

Configure Account Recovery

6. Then we need to allow the external IDP to be used to log in to the Servicenow instance. From the left navigation pane of the Servicenow platform UI, navigate to Multi-Provider SSO > Administration > Properties. Select the Enable multiple provider SSO option and click on Save.

7. Out of the box, this plugin requires the users who are going to authenticate using the IDP to be available in Servicenow for the authentication flow to succeed. So the user we created in Step 13 of the Configure the Application in Asgardeo section has to be created in Servicenow as well.

8. From the left navigation pane of the Servicenow platform UI, navigate to System Security > Users and Groups > Users. This will list all the users available in Servicenow at the moment.

9. Click on the New button. The user creation form will appear. Set the User ID to the email address of the user created in Step 13 of the Configure the Application in Asgardeo section. Then click on the Submit button. User creation in Servicenow is now complete.

10. Now let's start configuring the IDP. From the left navigation pane of the Servicenow platform UI, expand the Multi-Provider SSO section and then click on Identity Providers. This will list all the identity providers available at the moment. Even on a new instance there are some predefined identity providers available.

Identity Providers List in Servicenow

11. Click on the New button, which will redirect the browser to a page for selecting the preferred SSO protocol. Click on the SAML option. This will redirect the browser to a form for adding a new identity provider. A popup for importing the IDP metadata will also appear.

Import IDP Metadata Popup in Create New IDP Screen

12. In the popup, select the XML radio button.

13. Open the metadata XML file (SAML-Metadata.xml) with a text editor (this file was downloaded in Step 11 of the Configure the Application in Asgardeo section). Copy the content of that file and paste it into the Enter the XML text area. Then click on the Import button.

14. Observe that the form gets filled with the imported data.

Imported IDP Metadata

15. Go to the Advanced tab of the above form and set the User Field to user_name.

16. You can observe that the Active checkbox in the IDP creation form is not ticked and is disabled. That is because, by default, Servicenow requires the connection to be tested before the newly created IDP can be activated.

Click on the Test Connection button in the form. This will pop up a new window and redirect you to the Asgardeo login page.

Asgardeo Login Page

Enter the credentials of the user you created in Step 13 of the Configure the Application in Asgardeo section. Once the correct credentials are entered, the browser will be redirected to a page which contains the test results.

SSO Test Results Page

If the test connection is successful, the Activate button will appear in the bottom left of the same page. Click on that button.

Note: If you are in an incognito or private window, the Test Connection flow might fail because it uses a popup window.

17. The popup window will close and the window with the IDP configuration form will appear. Note that the Active checkbox in that form is now selected. Click on the Update button. This will save the IDP data in the Servicenow platform.

18. From the left navigation pane of the Servicenow platform UI, navigate to Multi-Provider SSO > Identity Providers. Click on the identity provider you created. This will open the form with the details of the IDP. Click on the Additional actions menu in the top left corner of the form and then click on Copy sys_id.

This will copy the unique ID of the IDP which we created in Servicenow. This unique ID is required to log in to Servicenow with the IDP we created.

Note: This IDP unique ID will be referred to as <IDP_SYS_ID> in the next section.

Additional actions menu (Highlighted in Red color)

Testing the Integration

  1. To log in to Servicenow with the configured IDP, you have to use the URL below. Substitute the <INSTANCE_URL> and <IDP_SYS_ID> values which we got from the previous steps to derive the URL.

<INSTANCE_URL>/login_with_sso.do?glide_sso_id=<IDP_SYS_ID>

Eg : https://devxxxx.service-now.com/login_with_sso.do?glide_sso_id=1ca886892f7130106c3bad2ef699b68c

2. Open a new incognito or private window, paste the URL derived above and press Enter. This will redirect you to the Asgardeo login page.

3. Enter the username and password which we created earlier and log in.

4. You will be successfully logged in to the Servicenow platform.

Now we have successfully completed the integration. In summary, this post provides a step-by-step guide on how to configure Asgardeo as an identity provider in Servicenow. This will help enterprises integrate their existing Asgardeo solution with Servicenow, use their existing user accounts to access the Servicenow platform, and achieve Single Sign On (SSO) with the existing applications in the enterprise.