
Multiple SSO and Custom URL

Eric M
Giga Expert

Hi, 

I hope someone else has advice on utilizing Multiple SSO and Custom URL.

We currently have ADFS configured for internal users and we are now working on external users for HR and Vendor risk management. What is the best option to configure an additional URL and SSO to work for external users?

 

Thanks for the help in advance. 

 

Eric 

3 REPLIES

jacob_kimball
ServiceNow Employee

Eric,

 

Maybe I'm misunderstanding the question, but the biggest issue I tend to see around using SSO with external users is getting those users access to the Identity Provider (IdP) environment...sounds like ADFS in your case. If your current, internal IdP (ADFS) is available network-wise to those external users then there'd be no need to really do any additional config. You'd just need to make sure those users were getting imported into ServiceNow so they had user records. If the current ADFS isn't available externally, then you need some IdP that is exposed externally so those external users can get to it for authentication. Then you'd add another IdP configuration to ServiceNow and make sure the user records for the external users had the right attributes to send them to the right IdP.

Daniel Draes
ServiceNow Employee

The question might be a bit more complex ... 🙂

But it also contains two different topics. Let's try to separate the two:

External access:

Jacob is correct for most parts. There are though certain areas in the platform where external users - unfortunately - are treated differently. I.e. in Vendor Risk they cannot use SSO at this point. This is a gap in the platform that we have different technologies based on the app at the moment.

 

Distinct URLs

The vanity URL - or custom URL - feature allows you to have more than one URL pointing to your instance. So you can have things like helpdesk.<customer>.com and customersupport.<customer>.com. The idea - as far as I understand Eric - is to redirect based on the URL used. This is possible and documentation can be found here.

https://docs.servicenow.com/bundle/madrid-platform-administration/page/integrate/authentication/conc...

For each URL you can define a service portal to redirect people to. However, this is *NOT* linked to the logon process. The portal would still require users to log in using the standard Multi-SSO setup or local login for things like Vendor Risk.

 

Hope that helps.

Nikita B_
Kilo Contributor

We use SSO to log into ServiceNow. At the same time, we have configured several custom URLs for various scenarios.

I added the following logic to the "SSO_Helper" script:

  • get the current URL on which the user is trying to log in
  • look for a configured IDP for this address
  • if found - use it, otherwise run the default script

The code is not the most optimal, but it has worked without failures for more than a year.

SSO_Helper.getProperties = function (params) {
	// NEW Get current user URL
	var _ssoHelper = new SSO_Helper(null, false);
	var _propertiesGR = _ssoHelper.getProperties();
	var _serviceUrl = _ssoHelper.getProperty("glide.authenticate.sso.saml2.service_url","service_url");
	_serviceUrl = SNC.SSOUtils.updateSAMLCallbackURL(_serviceUrl);
	// NEW Get current user URL

	// old code here

	if (SSO_Helper.isMultiSSOEnabled() || sso_id) {
		// NEW Search Service provider by current URL
		SSO_Helper.debug("Discovery service entityID: " + entity_id);
		var spGR = new GlideRecord("saml2_update1_properties");
		spGR.addActiveQuery();
		spGR.addQuery("service_url", _serviceUrl);
		spGR.queryNoDomain();
		if (spGR.next())
			return spGR;
		// NEW Search Service provider by current URL

		// old code here
	} else {
		SSO_Helper.debug("Use normal integration properties");
		return null;
	}
};
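
The URL-to-IdP selection described in the reply above, as an added example in plain JavaScript (Node); it is not the poster's script and not ServiceNow platform code. The record list, hostnames, sys_id values and function names are hypothetical, and the assumption is that each IdP record carries a service_url and an active flag. A request URL is accepted only on an exact, normalized origin match against one active record; anything else returns null so the default lookup runs.

```javascript
// Constructed sample data standing in for IdP configuration rows.
// Hostnames and sys_id values are hypothetical.
const IDP_RECORDS = [
  { sys_id: "idp-internal", service_url: "https://helpdesk.example.com/navpage.do", active: true },
  { sys_id: "idp-external", service_url: "https://vendors.example.com/navpage.do", active: true },
  { sys_id: "idp-retired", service_url: "https://old.example.com/navpage.do", active: false },
];

// Reduce a URL to a comparable origin string. Only https is accepted,
// userinfo ("host@otherhost") is rejected, a trailing dot is dropped,
// and the URL parser already lower-cases the host and hides port 443.
function normalizeOrigin(rawUrl) {
  let u;
  try {
    u = new URL(rawUrl);
  } catch (e) {
    return null; // not parseable as an absolute URL
  }
  if (u.protocol !== "https:") return null;
  if (u.username || u.password) return null;
  const host = u.hostname.replace(/\.$/, "");
  return host + (u.port ? ":" + u.port : "");
}

// Pick the IdP for the URL the user arrived on. The request URL is
// client-influenced, so the match is exact (never substring or suffix)
// and only against active records. idp === null means "fall back to
// the default lookup", as in the reply above.
function selectIdp(requestUrl, records) {
  const origin = normalizeOrigin(requestUrl);
  if (origin === null) return { idp: null, reason: "invalid-url" };
  const hits = records.filter(
    (r) => r.active && normalizeOrigin(r.service_url) === origin
  );
  if (hits.length === 1) return { idp: hits[0].sys_id, reason: "matched" };
  if (hits.length > 1) return { idp: null, reason: "ambiguous" };
  return { idp: null, reason: "no-match" };
}

// A look-alike host does not select the internal IdP.
console.log(selectIdp("https://helpdesk.example.com.evil.example/", IDP_RECORDS));
```

Logging the reason alongside the requested host makes unexpected fallbacks and look-alike hostnames visible in the authentication logs.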