01-03-2024 12:28 PM - edited 01-03-2024 12:29 PM
This article walks through how to configure user auto-provisioning for OIDC SSO. The same steps apply to any OIDC identity provider, such as Okta or Azure.
1: Configure the OIDC SSO record and make sure login works with an existing user. User provisioning is not yet enabled at this point.
2: Configure auto-provisioning by creating (or selecting an existing) data source that corresponds to the provisioning method you selected (ID Token/Userinfo/Both). In this example, I am using an ID Token data source.
3: If you are creating a new data source with a new table, that table will have no columns yet, and you don't need to add any; the columns are created automatically after the first login attempt. If you are using an existing table, you can create the transform map right away using its existing columns. Make sure the columns you map are actually present in the ID Token/Userinfo response.
Here, since I have created a new table, it does not exist yet.
4: Log in with an external user that does not exist in ServiceNow. This login attempt will fail with the errors below:
- Transform map record not provided, transform stopped
- TransformMapId is null, Skip adding transform entry.: no thrown error
After this failed attempt, the table demo_user_table1 is created automatically with the required columns.
5: The transform map will now offer the fields of the source table (demo_user_table1) for mapping to the target table (sys_user in this case). Map the fields that need to be mapped.
The data for each column of both the source and target tables can be seen in the Data Viewer section, which helps avoid mapping the wrong columns between the two tables.
6: Save the Transform Map record once the mapping is done and log in with the user.
The login should now succeed for the external user that did not exist in ServiceNow, and that user should be created in the target table (sys_user).
The data source table (demo_user_table1) should also contain a new row for the transformed record created during that login.
Thank you.
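The transform map above maps source columns to sys_user fields one-to-one. The added example below (not from the article or from ServiceNow itself) shows, as plain JavaScript you can run stand-alone, the kind of checks a transform map's onBefore script can apply to each row of demo_user_table1 before a sys_user record is created: it refuses rows without a stable subject, rejects unverified or out-of-domain e-mail addresses, and derives user_name from the e-mail local part. The allowed domain and the sample rows are constructed for the example; the claim names (sub, email, email_verified, given_name, family_name) are standard OIDC ID token claims.

```javascript
// Added example: validation and field derivation for OIDC auto-provisioning.
// In ServiceNow this logic would live in the transform map's onBefore script,
// reading from `source` (demo_user_table1 row), writing to `target` (sys_user),
// and setting `ignore = true` to skip a row. Here it is a pure function so it
// runs outside the platform.

const ALLOWED_DOMAINS = ['example.com']; // constructed: only provision users from these domains

// Returns { ok: true, target } with the sys_user fields to write,
// or { ok: false, reason } when the row must not create a user.
function transformIdTokenRow(sourceRow) {
  const sub = String(sourceRow.sub || '').trim();
  const email = String(sourceRow.email || '').trim().toLowerCase();
  // A data source table stores claims as strings, so accept both true and 'true'.
  const verified = sourceRow.email_verified === true || sourceRow.email_verified === 'true';

  // The IdP's subject identifier is the stable key; e-mail addresses can change.
  if (!sub) return { ok: false, reason: 'missing sub claim' };
  if (!/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
    return { ok: false, reason: 'missing or malformed email claim' };
  }
  if (!verified) return { ok: false, reason: 'email not verified by the IdP' };

  const [localPart, domain] = email.split('@');
  if (!ALLOWED_DOMAINS.includes(domain)) {
    return { ok: false, reason: 'domain not allowed: ' + domain };
  }

  // Only identity attributes are mapped; roles and groups are never taken from the token.
  const target = {
    user_name: localPart, // e.g. firstname.surname when the IdP issues such addresses
    email: email,
    first_name: String(sourceRow.given_name || '').trim(),
    last_name: String(sourceRow.family_name || '').trim(),
    source: 'oidc:' + sub, // assumed: sys_user "source" field used to record the IdP subject
    active: true,
  };
  return { ok: true, target };
}

// Constructed sample row, as it would appear in demo_user_table1 after a login.
const sampleRow = {
  sub: 'a1b2c3',
  email: 'Jane.Doe@example.com',
  email_verified: 'true',
  given_name: 'Jane',
  family_name: 'Doe',
};
console.log(JSON.stringify(transformIdTokenRow(sampleRow)));
```

Coalescing the transform map on user_name (or on the field holding the subject) keeps a second login from creating a duplicate sys_user record.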
Interesting steps to take, I have a similar case I am looking at. I want to use Azure AD SSO. I have a couple of questions on this.
1. On Azure AD we can also use auto provisioning, is that not the preferred solution?
2. At our client we use firstname.surname for the uid. Is this still good practice with SSO, or should we have uid = email address, which I have used on other applications?
3. If we want to map the user.principleName from Azure as part of the uid and transform to get the firstname.surname before the "@" where should we perform this? As a mapping on Azure or a transform map on ServiceNow?
Looking forward to your input on this!