Active Directory User ID

Bill Bonnett
Kilo Expert

How can I grab the active directory user ID to create their account in SN the first time they visit WITHOUT having to type it in first? As it is now, when someone goes to an instance for the first time, they must provide their AD user ID and then SN creates their account and lets them in. I want to grab their user ID BEFORE they are presented with the login page. Here's what happens today to a new (no-account) visitor:


They have to click the "Use external login" and then they have to provide a user ID:


Then single sign-on kicks in and creates their SN account from the AD information. I want this to happen without the user having to do this, other than copying the AD GAL and creating the accounts manually. In other words, how do I get BonnettWT without someone typing it first? In web pages I can use the following:

To get the current userid name of an asp.net aspx page use
      System.Security.Principal.WindowsIdentity.GetCurrent().Name 
To get the actual person who's logged in use any of these:
      HttpContext.Current.User.Identity.Name
      Page.User (wraps HttpContext.Current.User.Identity.Name)
      Request.ServerVariables("logon_user")

But how do I do this within the SSO process within SN's instance?


Warren Pilkingt
Mega Expert

As a thought, have you considered using LDAP integration instead for the account creation?  This would then create and populate the users on a scheduled basis without the account needing to be added on sign-on.  The bundled importing scripts also allow you to disable accounts in SN where the Active Directory Disable Account flags are checked as well, meaning increased security.  More info here:

https://docs.servicenow.com/bundle/kingston-platform-administration/page/integrate/ldap/concept/c_LDAPIntegration.html

More than likely you probably will need to ensure that in your transform map, you will have the attribute SAMAccountName mapped to the user ID field (if you're using the Username that way)
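To make the transform-map point concrete, here is an added example (not from this thread and not ServiceNow's bundled LDAP scripts) of the per-row mapping logic: sAMAccountName becomes user_name, and the ACCOUNTDISABLE bit (0x2) of AD's userAccountControl drives the active flag. The source column names (samaccountname, useraccountcontrol, givenname, sn, mail) and the sample rows are assumptions so it runs stand-alone; in a real transform script the same logic would read from `source` and write to `target`.

```javascript
// Added example: the field logic an LDAP transform map would apply to one
// imported AD row. Column names below are assumed, not ServiceNow defaults.

// AD userAccountControl flag: bit 0x2 means the account is disabled.
const ACCOUNTDISABLE = 0x2;

// Map one imported LDAP row to the sys_user fields it should produce.
// Returns { skip: true, reason } for rows that cannot be keyed to a user.
function mapLdapUser(source) {
  const sam = String(source.samaccountname || '').trim();
  if (!sam) {
    // Without sAMAccountName there is nothing to match the SSO subject
    // against, so the row must not create a half-populated user.
    return { skip: true, reason: 'missing sAMAccountName' };
  }
  const uac = parseInt(source.useraccountcontrol, 10);
  // Treat an unparsable userAccountControl as enabled but flag it, so a
  // broken export does not silently disable everyone.
  const uacKnown = Number.isFinite(uac);
  const disabled = uacKnown && (uac & ACCOUNTDISABLE) !== 0;
  return {
    skip: false,
    user_name: sam,                     // must equal the ADFS NameID value
    first_name: String(source.givenname || '').trim(),
    last_name: String(source.sn || '').trim(),
    email: String(source.mail || '').trim().toLowerCase(),
    active: !disabled,                  // mirrors the AD disable flag
    uac_missing: !uacKnown,
  };
}

// Constructed sample rows standing in for an LDAP import set.
const SAMPLE_ROWS = [
  { samaccountname: 'BonnettWT', givenname: 'Bill', sn: 'Bonnett',
    mail: 'Bill.Bonnett@example.com', useraccountcontrol: '512' },   // enabled
  { samaccountname: 'SmithJA', givenname: 'Jane', sn: 'Smith',
    mail: 'jane.smith@example.com', useraccountcontrol: '514' },     // 512|0x2
  { samaccountname: '', givenname: 'Svc', sn: 'Account',
    mail: '', useraccountcontrol: '66048' },                         // no key
];

// Apply the mapping to every row; callers decide what to do with skips.
function transformRows(rows) {
  return rows.map(mapLdapUser);
}
```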


Hi Bill,

Warren has the correct answer, but just wanted to add a note.

You'll want to make sure the LDAP Listener is running. This should create their user account in SN almost immediately after being added to AD. Otherwise, you'd need to wait for the next scheduled import to run. This may leave users without an account for up to 24 hours if you will no longer allow for auto-provisioning on the initial login. 

Best regards,

Brian


Bill Bonnett
Kilo Expert

Thanks for replying. I've been out, so my apologies for this tardy reply. Today, as it is, ADFS works fine, even to create the user account in SN, but the user must supply their AD ID first. I'm trying to figure out a way to get that before/during/after they click a link to my instance. I don't want them to have to put in any data. That's my hope.

That's exactly why configuring LDAP with AD is the way to go - you then have your user accounts created and ready to go so that provided your ADFS is handling the single sign on correctly, SN sees the account there and logs in, all good to go, and no having to wait for the user to enter their ID.

In effect most of the LDAP setup is covered by the article I linked to, but feel free to ask anything along the way.  It was much better for me once I got that set up as it meant that we didn't have to do any account adding whatsoever and it mirrored our AD accounts in terms of account security.

Note that you're not using LDAP for authentication at all (you will still use ADFS); this is just for account provisioning only.