We're reclaiming inactive PDIs to keep them available for active builders. Learn what's changing, who's affected, and how to protect your work. Read More

Using the REST_API with Single Signon and Multifactor Authentication

HugoFirst
Kilo Sage

I have a request to allow REST API access to our ServiceNow instance.
The issue I have is that our users are Single-Signon with Multifactor Authentication.
Has anyone succeeded in profiling an interactive user with this kind of authentication to access the REST API  programmaticaly?  If so, how did you do it?

1 REPLY 1

Vikram Reddy
Tera Guru

Hello @HugoFirst,

 

This comes up on pretty much every SSO+MFA instance eventually, and the short version is: the REST API doesn't authenticate against your identity provider at all. It only checks credentials or tokens against the local sys_user record, so there's no SAML redirect and no MFA challenge to satisfy in a script, that whole flow is a browser thing. So "profiling an interactive SSO/MFA user" for programmatic access isn't really possible in the literal sense, you have to pick a different path depending on whether you need a specific user's identity or not.

If the integration doesn't need to run as a specific person (most don't), the clean approach is a dedicated service account using OAuth 2.0 with the Client Credentials or JWT Bearer grant type. Neither of those touches the login page, so SSO and MFA never get invoked, and if your MFA enforcement is broad you'll still want to explicitly exempt that account so nothing blocks it later. If you genuinely need calls made in the context of a real interactive user (their SSO identity, their ACL context), the only supported path is the Authorization Code grant: the user completes SSO and MFA once in a browser, ServiceNow issues an auth code, your client exchanges it for an access/refresh token, and after that the token carries the session, not the credentials.

Before you build either path, worth checking:

  • OAuth Application Registry: set up an OAuth entry under System OAuth > Application Registry for the grant type you're using.
  • Web service access only: enable this flag on the integration user's sys_user record so it can't be used to log into the UI, Security Center flags accounts that skip this.
  • MFA Exemptions: if you're going the service account route, add it under System Security > Multi-Factor Authentication > MFA Exemptions (by user, role, or condition) so enforcement doesn't catch it.
  • Auth scopes: scope the OAuth token to only the REST endpoints it actually needs rather than full API access.
  • Basic auth: don't bother trying it against an SSO-enforced account, it'll just get rejected since there's no local password to check against for a federated user.

Which one fits depends on whether this is system-to-system or truly needs to act as a person, happy to go deeper if you can share which one you're aiming for.

References

 

Thank you,
Vikram Karety
Octigo Solutions INC