Integrate WSO2 Identity Server as an External IDP in ServiceNow

Chinthaka Weerakkody
8 min read · Aug 11, 2021

ServiceNow is a cloud-based workflow automation platform that connects people, functions and systems across the enterprise. It ships with out-of-the-box workflows for automating everyday service requests, and it can also be used to build sophisticated, highly customized solutions for complex challenges.

ServiceNow is one of many applications an enterprise runs. Maintaining a separate set of credentials just to access it is tedious; if the identities already used within the enterprise can be reused to access ServiceNow, life gets easier for users and administrators alike. ServiceNow supports on-boarding external Identity Providers to handle authentication, so an enterprise can authenticate against its existing user store. The same integration also delivers Single Sign-On (SSO) between ServiceNow and the enterprise's existing applications.

WSO2 Identity Server (WSO2 IS) is an open-source identity and access management solution used by enterprises to manage their identities. This article is a step-by-step guide to setting up WSO2 Identity Server as an external identity provider in the ServiceNow platform using the SAML protocol. The following versions of each platform are used throughout this guide.

WSO2 Identity Server: 5.11

ServiceNow: Quebec Release

The integration is covered under the following three sub-topics:

  1. Configure the service provider in WSO2 Identity Server
  2. Configure the Identity Provider (IDP) in Servicenow
  3. Testing the integration

Prerequisites:

  • A ServiceNow instance is required for the integration. If you don't have one, you can get a ServiceNow Personal Developer Instance (PDI) for free. Please use this guide to request a ServiceNow PDI.

Note: When requesting an instance you will be asked to choose a release. In that step, choose Tokyo as the release.

  • Once the instance is ready, a pop-up appears with the instance URL and the admin credentials. Store that information securely.
Instance Creation Successful Message

Note: In the rest of this article the instance URL is referred to as <INSTANCE_URL> in the configurations.
Eg: In the image above, <INSTANCE_URL> is https://devxxxx.service-now.com

  • Download WSO2 Identity Server 5.11 from this link and start the server.

Configure the service provider in WSO2 Identity Server

1. Log in to the management console of WSO2 IS.

2. On the Main tab, click Add under Service Providers.

3. Provide a suitable name for the service provider and register it.

4. Expand the Inbound Authentication Configuration section and then expand SAML2 Web SSO Configuration. Click the Configure button in that section.

SAML Configuration for Service Provider

5. In the SAML configuration form, fill in the details as below.

Issuer : <INSTANCE_URL>

Assertion Consumer URLs : <INSTANCE_URL>/navpage.do

Default Assertion Consumer URL : <INSTANCE_URL>/navpage.do

Untick Enable Signature Validation in Authentication Requests and Logout Requests

Tick Enable Single Logout

Tick Enable Attribute Profile

Tick Include Attributes in the Response Always

Sample SAML Application Configuration

6. Click Register.

7. Let's create a user in Identity Server to check the integration. On the Main tab, click Add under Users and Roles, then click Add New User. Set the username to testuser and provide a suitable password, then click the Finish button.

8. Let's download the SAML metadata file of the resident IDP. On the Main tab, click Resident under Identity Providers.

9. Go to Inbound Authentication Configuration > SAML2 Web SSO Configuration.

10. Click the Download SAML Metadata button, which downloads the SAML metadata file describing the WSO2 Identity Server. We will refer to this downloaded file as WSO2_IS_metadata.xml; it is used in the next section.

Download SAML Metadata File for WSO2 IS

Configure the Identity Provider (IDP) in Servicenow

This section focuses on configuring the ServiceNow instance.

1. Log in to the ServiceNow instance/PDI as an administrator. You will be redirected to the ServiceNow platform UI.
Servicenow Platform UI

2. Click the All button in the top left and then click Pin All menu.

Pin Menu option in Platform UI
Pinned Menu in Platform UI

3. Integration with external identity providers is disabled in ServiceNow by default. First we need to enable it by installing a plugin; use this guide to install the plugin.

4. Next we need to allow the external IDP to be used for logging in to the ServiceNow instance. From the left navigation pane of the ServiceNow platform UI, navigate to Multi-Provider SSO > Administration > Properties. Select the Enable multiple provider SSO option and click Save.

5. Out of the box, this plugin requires the users who authenticate through the IDP to already exist in ServiceNow for the authentication to succeed. So we need to create in ServiceNow the user we created in Step 7 of the Configure the service provider in WSO2 Identity Server section.

6. From the left navigation pane of the ServiceNow platform UI, navigate to System Security > Users and Groups > Users. This lists all the users currently available in ServiceNow.

7. Click the New button; the user creation form appears. Set the User ID to testuser (the username we created in Step 7 of the Configure the service provider in WSO2 Identity Server section), then click the Submit button. User creation is now complete.

8. Now let's configure the IDP. From the left navigation pane of the ServiceNow platform UI, expand the Multi-Provider SSO section and click Identity Providers. This lists all the Identity Providers currently available; even on a new instance some pre-defined Identity Providers exist.

List of Identity Providers in Servicenow

9. Click the New button, which redirects the browser to a page for selecting the preferred SSO protocol. Click the SAML option. The browser is redirected to a form for adding a new Identity Provider, and a pop-up appears to import the IDP metadata.

Create New IDP Form In Servicenow

10. In the pop-up, select the XML radio button.

11. Open the metadata XML file (WSO2_IS_metadata.xml) in a text editor (this file was downloaded in Step 10 of the Configure the service provider in WSO2 Identity Server section). Copy the content of that file, paste it into the Enter the XML text area, then click the Import button.

12. The form is now populated with the imported data.

Imported IDP Data

13. Go to the Advanced tab of the above form and set the User Field to user_name.

14. You will notice that the Active checkbox is unticked and disabled. By default ServiceNow requires the connection to be tested before a newly created IDP can be activated.

To do so, click the Test Connection button in the top right corner. This opens a new pop-up window and redirects you to the WSO2 Identity Server login page.

WSO2 Identity Server Login Page

Enter the credentials of the user you created in Step 7 of the Configure the service provider in WSO2 Identity Server section. Once the correct credentials are entered, the browser is redirected to a page containing the test results.

Test Results Page

If the test connection is successful, an Activate button appears in the bottom left of that page. Click it.

Note: If you are in an Incognito or private window, the Test Connection flow might fail because it uses a pop-up window.

15. The pop-up window closes and the window with the IDP configuration form reappears. Note that the Active checkbox in that form is now selected. Click the Update button to save the IDP data in the ServiceNow platform.

16. From the left navigation pane of the ServiceNow platform UI, navigate to Multi-Provider SSO > Identity Providers. Click the identity provider you created; this opens the form with its details. Click the Additional actions menu in the top left corner of the form, then click Copy sys_id.

This copies the unique id of the IDP we created in ServiceNow. This id is required to log in to ServiceNow with that IDP.

Note: This IDP unique id is referred to as <IDP_SYS_ID> in the next section.

Additional actions menu (Highlighted in Red color)
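Before pasting WSO2_IS_metadata.xml into the Enter the XML box in step 11, it is worth knowing exactly what ServiceNow will read out of it. The following added example (my own code, not part of the original article, WSO2 IS or ServiceNow) summarizes an IdP metadata file and flags the things that make the import or the later Test Connection fail: a missing IDPSSODescriptor (SP metadata pasted by mistake), non-HTTPS endpoints, no signing certificate, or no SLO endpoint even though Enable Single Logout was ticked. The entity ID "localhost" and the https://localhost:9443/samlsso endpoint in the sample are assumed WSO2 IS defaults; the certificate is a placeholder.

```python
# Added example (not from the article or either product): summarize WSO2_IS_metadata.xml
# before pasting it into ServiceNow, so you know which entity ID, endpoints and
# signing certificate the import will fill in. Certificates are not validated here.
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SAML2 = "urn:oasis:names:tc:SAML:2.0"

# Constructed sample shaped like a resident-IdP export; "localhost" and the
# :9443/samlsso endpoint are assumed WSO2 IS defaults, the certificate is a placeholder.
SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="localhost">
 <md:IDPSSODescriptor protocolSupportEnumeration="{SAML2}:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...CERT-PLACEHOLDER...</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="{SAML2}:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
  <md:SingleSignOnService Binding="{SAML2}:bindings:HTTP-Redirect" Location="https://localhost:9443/samlsso"/>
  <md:SingleSignOnService Binding="{SAML2}:bindings:HTTP-POST" Location="https://localhost:9443/samlsso"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""

def summarize_idp_metadata(xml_text, need_slo=True):
    """Return entity ID, SSO/SLO endpoints by binding, signing-cert count and problems."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "sso": {}, "slo": {},
            "signing_certs": 0, "problems": []}
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        info["problems"].append("no IDPSSODescriptor: not IdP metadata (SP metadata pasted?)")
        return info
    for tag, key in (("SingleSignOnService", "sso"), ("SingleLogoutService", "slo")):
        for el in idp.findall(f"md:{tag}", NS):
            binding = el.get("Binding", "").rsplit(":", 1)[-1]   # e.g. HTTP-POST
            info[key][binding] = el.get("Location")
            if not (el.get("Location") or "").startswith("https://"):
                info["problems"].append(f"{tag} via {binding} is not served over https")
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") == "signing":  # no 'use' attribute means both uses
            info["signing_certs"] += len(kd.findall(".//ds:X509Certificate", NS))
    if info["signing_certs"] == 0:
        info["problems"].append("no signing certificate: ServiceNow cannot verify responses")
    if not info["sso"]:
        info["problems"].append("no SingleSignOnService endpoint")
    if need_slo and not info["slo"]:
        info["problems"].append("Enable Single Logout is ticked but metadata has no SLO endpoint")
    return info
```

Run it against the real WSO2_IS_metadata.xml with `summarize_idp_metadata(open("WSO2_IS_metadata.xml").read())`; the entity_id it prints is the value WSO2 IS will send as the SAML Issuer, which ServiceNow stores as the Identity Provider URL.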

Testing the Integration

1. To log in to ServiceNow with the configured IDP, use the URL below. Substitute the <INSTANCE_URL> and <IDP_SYS_ID> values obtained in the previous steps to derive the URL.

<INSTANCE_URL>/login_with_sso.do?glide_sso_id=<IDP_SYS_ID>

Eg : https://devxxxx.service-now.com/login_with_sso.do?glide_sso_id=1ca886892f7130106c3bad2ef699b68c

2. Open a new incognito or private window, paste the derived URL and press Enter. You will be redirected to the WSO2 Identity Server login page.

3. Enter the username and password created earlier and log in.

4. You are now logged in to the ServiceNow platform.

The integration is now complete. In summary, this guide has walked through configuring WSO2 Identity Server as an identity provider for ServiceNow. This lets enterprises integrate their existing WSO2 IDP solution with ServiceNow, use their existing user accounts to access the ServiceNow platform, and achieve Single Sign-On (SSO) with the other applications in the enterprise.
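When the Test Connection or the login above fails, the quickest diagnosis is to decode the SAMLResponse the browser posted to <INSTANCE_URL>/navpage.do (visible in the browser's network tools) and compare it with the configuration made in the two sections above. The added example below (my own code, not from the article or either product) does that: Destination must equal the Assertion Consumer URL, Audience must equal the Issuer configured in WSO2 IS, NameID must equal the ServiceNow user_name chosen as the User Field, and the Conditions window must cover the current time. It works on a constructed sample response; the Issuer value "localhost" is an assumed WSO2 IS resident IdP entity ID, and XML signatures are not verified (ServiceNow does that against the imported certificate).

```python
# Added example (not from the article or either product): decode the SAMLResponse a
# browser posts to <INSTANCE_URL>/navpage.do and check the fields that have to match
# the configuration above. Signatures are not verified here; ServiceNow does that.
import base64
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
INSTANCE_URL = "https://devxxxx.service-now.com"   # placeholder used in the article
SAMPLE_NOW = datetime(2021, 8, 11, 10, 2, tzinfo=timezone.utc)

# Constructed sample response (not captured from a real instance); the Issuer
# "localhost" is assumed to be the WSO2 IS resident IdP entity ID.
SAMPLE_XML = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
 Version="2.0" IssueInstant="2021-08-11T10:00:00Z" Destination="{INSTANCE_URL}/navpage.do">
 <saml:Issuer>localhost</saml:Issuer>
 <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
 <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2021-08-11T10:00:00Z">
  <saml:Issuer>localhost</saml:Issuer>
  <saml:Subject><saml:NameID>testuser</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2021-08-11T10:00:00Z" NotOnOrAfter="2021-08-11T10:05:00Z">
   <saml:AudienceRestriction><saml:Audience>{INSTANCE_URL}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions></saml:Assertion></samlp:Response>"""
SAMPLE_B64 = base64.b64encode(SAMPLE_XML.encode()).decode()

def _ts(value):  # SAML timestamps are UTC with a trailing Z
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_saml_response(b64_response, instance_url, expected_user, now=None):
    """Return a list of problems; an empty list means the response fits this setup."""
    now = now or datetime.now(timezone.utc)
    root = ET.fromstring(base64.b64decode(b64_response))
    problems = []
    if root.get("Destination") != f"{instance_url}/navpage.do":
        problems.append(f"Destination {root.get('Destination')!r} is not the ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or not code.get("Value", "").endswith(":Success"):
        problems.append("StatusCode is not Success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:  # an encrypted assertion appears as saml:EncryptedAssertion
        return problems + ["no plain saml:Assertion found"]
    cond = assertion.find("saml:Conditions", NS)   # NotBefore/NotOnOrAfter assumed present
    audience = cond.findtext("saml:AudienceRestriction/saml:Audience", None, NS) if cond is not None else None
    if audience != instance_url:
        problems.append(f"Audience {audience!r} does not equal the Issuer {instance_url!r}")
    if cond is None or not (_ts(cond.get("NotBefore")) <= now < _ts(cond.get("NotOnOrAfter"))):
        problems.append(f"assertion not valid at {now.isoformat()} (check clock skew)")
    name_id = assertion.findtext("saml:Subject/saml:NameID", None, NS)
    if name_id != expected_user:
        problems.append(f"NameID {name_id!r} does not match the ServiceNow user_name {expected_user!r}")
    return problems
```

A NameID mismatch is the usual cause of a login that authenticates at WSO2 IS but is rejected by ServiceNow, because the plugin only maps users that already exist (step 5 of the previous section).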
