Introduction to SCIM and Its Benefits with ServiceNow
ServiceNow SCIM (System for Cross-domain Identity Management) Provisioning brings significant benefits, including automated provisioning and de-provisioning of user accounts, which reduces manual administrative tasks and minimizes the chance of errors. It ensures quick access for new employees and secure deactivation for those departing, bolstering security by maintaining proper access rights. The scalability of SCIM makes it ideal for organizations of any size, supporting efficient identity management without added complexity. Moreover, SCIM’s flexibility across various identity providers promotes interoperability, which is crucial for hybrid and multi-cloud environments.
System for Cross-domain Identity Management (SCIM) is an open standard designed to simplify identity management across various platforms. By standardizing the exchange of user identity information, SCIM enables automated, secure, and scalable user identity management in cloud-based applications like ServiceNow. This standardization ensures the consistency and accuracy of user data, enhancing both operational efficiency and security.
Configuring SCIM Provisioning from Microsoft Entra ID to ServiceNow
Configuring SCIM Provisioning from Microsoft Entra ID to ServiceNow involves several steps. The main obstacle is that some of the current documentation lacks clarity, making it very difficult to configure SCIM provisioning correctly. If you take the well-documented path using the Microsoft Entra ID ServiceNow gallery application, you will discover that it uses SOAP API calls to provision into ServiceNow. While this works quite well, you do not get the benefits of SCIM by taking this approach.
The following steps will outline the process to configure SCIM provisioning for this scenario.
Install the ServiceNow SCIM Plugin
- Log in to your ServiceNow environment.
- Open the Application Manager.
- Search for the "SCIM v2 - ServiceNow Cross-domain Identity Management (com.snc.integration.scim2)" plugin.
- Select "Install", then "Install" in the Review Activation Details popup.
- Wait for the installation to complete before moving on.
You can find these steps in ServiceNow's documentation - Activating the SCIM plugin.
Configure ServiceNow SCIM for Microsoft Entra ID using OAuth
- Go to All -> System OAuth -> Application Registry.
- Open the "SCIM API" record and use these details when configuring Entra ID.
- Fill in the "Redirect URL" field with "https://<instancename>.service-now.com/login.do" and update the record.
- Go to All -> System Web Services -> REST API Access Policies and open the "SCIM API Policy".
- Confirm that the "SCIM API OAuth Policy" is available under "Inbound Authentication Profiles".
- Open the "SCIM API OAuth Policy" record and confirm that the OAuth Entity is set to "SCIM API".
When reviewing the SCIM API Application registration in step 2, consider the values for the "Access Token Lifespan" and "Refresh Token Lifespan". The Access Token Lifespan will determine how often you need to update the OAuth credential in Microsoft Entra ID.
There is also a hidden field on the SCIM API Application registry record called "Enforce Token Restriction". Enabling this setting will ensure that the token you are generating is only valid for the SCIM API and cannot be used for other endpoints on the ServiceNow instance.
Set up a User / Service Account to be used for Provisioning
- Navigate to User Administration.
- Create a new user account using your standard service account naming convention.
- Add the "Admin" role to the user account.
- For now, leave the user configured as a standard user who can log in using the Web UI; the authorisation code step below requires an interactive login with this account. Come back later and secure this account so that it can only be used as an Integration account.
All activity performed by the SCIM integration will appear to be made by this user.
Configure Microsoft Entra ID
- Sign in to the Azure Portal.
- Change to the "Microsoft Entra ID" service.
- Navigate to "Enterprise Applications" -> All.
- Create a "New Application" and then select "Create your own application".
- Name your application as required.
- Select the option "Integrate any other application you don't find in the gallery (Non-gallery)". This step is critical to ensure your provisioning approach is SCIM compliant. Using the ServiceNow Gallery application will result in the provisioning process using SOAP calls to your ServiceNow instance rather than the SCIM APIs.
- Then click "Create".
- Next, select "3. Provision User Accounts" and then click "Get Started".
- Set the "Provisioning Mode" to "Automatic".
- Fill in the "Tenant URL" in the form "https://<instancename>.service-now.com/api/now/scim". Note the use of the SCIM API URL here!
- Then we need to fill in the "Secret Token". Obtain the Bearer Token (access token) using the instructions below.
- Click on "Test Credentials" and if it returns successful, click on Save.
- Note that there is a time limit that applies to the process of retrieving the Bearer Token and using it to test and save the provisioning configuration. If the "Test Credentials" step is unsuccessful, check the popup error message to determine whether the credentials are invalid or access is denied. If either occurs, retrieve a new Bearer Token and reattempt the configuration.
Generate and retrieve the Bearer Token (Secret Token)
- Go to All -> System OAuth -> Application Registry.
- Open the "SCIM API" record.
- Take note of the "Client ID".
- Update the "Client Secret" to a known value. I recommend you select a complex 40-character secret, noting that you can only use alphanumeric characters. Make sure you record the value.
- Consider your "Access Token Lifespan" and "Refresh Token Lifespan". The Access Token Lifespan in particular will determine how often you need to re-enter the Secret Token into Entra ID.
- Update the record.
- Next we need to use the OAuth token retrieval process to retrieve the Bearer Token.
- Generate the Authorisation Code
  - Using an Incognito window, navigate to the URL "https://<instancename>.service-now.com/oauth_auth.do?response_type=code&redirect_uri=https://<instancename>.service-now.com/login.do&client_id=<ClientID>&state=123".
  - You should be redirected to the URL "https://<instancename>.service-now.com/oauth_login.do".
  - Log in with the credentials of the provisioning user configured previously.
  - On the OAuth confirmation page, click "Allow".
  - When you are redirected to the Login page, check the URL for the "code" parameter; this is the Authorisation Code.
- Generate the Bearer Token
  - The "oauth_token.do" page allows us to generate the access / bearer token as long as we have the authorisation code, redirect URI, grant type, client ID and client secret.
  - The simplest way to retrieve this is using curl.
  - From the Command Prompt, issue the following command: curl -d "grant_type=authorization_code&code=<authorisation code>&client_id=<clientid>&client_secret=<clientsecret>&redirect_uri=https://<instance-name>.service-now.com/login.do" https://<instance-name>.service-now.com/oauth_token.do
  - This should produce a response similar to the following, which includes the access token:
  - {"access_token":"_OmjfKUv1pevKZRZCwtrDzqTSxPgah_DP7ulz8ZZY0Bt_7w-nPwvIhBuFFmJ23wcV9mnm1_37v9FEUqgFA9mkQ","refresh_token":"kCMQS101TU8o6xKB6mUu5Z7V25sFDpOSxcwnhhzhckkfDMihe1uBA255YC9v8jol83kut28zH0MiFLegbkj3Lg","scope":"useraccount","token_type":"Bearer","expires_in":1799}
  - Use the "access_token" value as the Secret Token when configuring the Entra ID Enterprise Application provisioning.
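The authorisation code flow above, as an added helper script (not part of the original post or of ServiceNow's tooling): it builds the oauth_auth.do URL, extracts the code from the login.do redirect while checking that the state value echoes what was sent, performs the same POST to oauth_token.do that the curl command does, and records when the returned access token expires so you know when the Secret Token in Entra ID must be replaced. The instance name, client ID, client secret and `post` hook are placeholders; the `post` parameter exists only so the exchange can be exercised offline against a constructed response.

```python
import json
import time
import urllib.parse
import urllib.request

REDIRECT_PATH = "/login.do"  # must match the Redirect URL set on the SCIM API registry record


def _base(instance: str) -> str:
    return f"https://{instance}.service-now.com"


def build_auth_url(instance: str, client_id: str, state: str) -> str:
    """Step 1: the oauth_auth.do URL to open in an incognito window."""
    params = {"response_type": "code", "redirect_uri": _base(instance) + REDIRECT_PATH,
              "client_id": client_id, "state": state}
    return _base(instance) + "/oauth_auth.do?" + urllib.parse.urlencode(params)


def code_from_redirect(redirect_url: str, expected_state: str) -> str:
    """Step 2: pull the authorisation code out of the login.do redirect.
    The state must echo what we sent, so a code from a different or forged
    redirect is rejected rather than exchanged for a token."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if query.get("state") != [expected_state]:
        raise ValueError("state mismatch: redirect did not come from our request")
    return query["code"][0]


def token_request(instance: str, code: str, client_id: str, client_secret: str):
    """Step 3: URL and form body equivalent to the curl -d command above."""
    form = {"grant_type": "authorization_code", "code": code, "client_id": client_id,
            "client_secret": client_secret, "redirect_uri": _base(instance) + REDIRECT_PATH}
    return _base(instance) + "/oauth_token.do", urllib.parse.urlencode(form).encode()


def parse_token_response(body: bytes, now: float) -> dict:
    """Extract the Secret Token for Entra ID and the time at which it stops working."""
    data = json.loads(body)
    if data.get("token_type") != "Bearer" or "access_token" not in data:
        raise ValueError(f"unexpected token response: {data.get('error', 'no access_token')}")
    return {"secret_token": data["access_token"],
            "expires_at": now + int(data["expires_in"]),  # re-enter in Entra ID before this
            "refresh_token": data.get("refresh_token")}


def exchange_code(instance, code, client_id, client_secret, post=None) -> dict:
    """Step 3 end to end; `post` is injectable (hypothetical hook) so the flow runs offline."""
    url, body = token_request(instance, code, client_id, client_secret)
    if post is None:  # real HTTPS POST, the same request curl -d sends
        post = lambda u, b: urllib.request.urlopen(urllib.request.Request(u, data=b)).read()
    return parse_token_response(post(url, body), time.time())
```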
Assign users to the Entra ID application
Assign users or groups to your Entra ID application so the provisioning process can identify what entities should be provisioned.
- Navigate back to the home page of the Enterprise Application we created above.
- Go to the Manage -> Users & Groups page.
- Add the required Users and Groups.
Test the provisioning process
- Navigate to the Enterprise Application -> Provisioning page.
- Select "Provision on Demand".
- Search and select an account to test with, then click Provision.
- Review the results of the Provision step and confirm that it was successful.
- Now check the list of Users on your ServiceNow instance, and you should see your test user created.
Finalise your configuration
Before you start automatic provisioning, review your overall configuration. You might consider the following items:
- Review your Entra ID attribute mappings to ensure they meet your requirements. Microsoft provides this tutorial to assist - Customise user provisioning attribute-mappings for SaaS applications in Microsoft Entra ID.
- Review your ServiceNow SCIM settings to ensure they align correctly. Consider the following items in particular:
- If you need to customise user and group attribute mappings, check out the "Create a SCIM ETL definition".
- Need some additional attributes? Refer to "Create a SCIM Extension schema".
These two items allow you to perform simple attribute mappings, as well as complex script-based transforms of attributes before loading them into ServiceNow.
Turn on Automatic Provisioning
- Navigate back to the Enterprise Application -> Provisioning page.
- Click on "Start provisioning".
Outcomes
Many considerations need to be weighed before selecting the most appropriate approach to provisioning users and groups onto the ServiceNow platform.
Hopefully, this post has provided the necessary information to ensure you can set up a SCIM-compliant approach should you choose this path.