Bypass login page

ravi1_tandon
Kilo Guru

OK Team,

I need some help urgently. One of the customers needs a set of users to automatically get authenticated without using SSO.

Basically, the requirement is that a set of users get an email, and when they click it, the email id (which is their user id) is used to check whether the user is a valid active user; if yes, he is taken directly to the service catalog page, bypassing ./logon.do.
I don't know any way of doing this without using SSO, so my question to the team is:

• Is this possible?
• If yes, can someone please guide me on how to solve this puzzle? Any script to start with will be a definite help.
Hopefully, I will be able to get some response from the community.

9 REPLIES

ravi1_tandon
Kilo Guru

Thanks guys for the input. I have been able to modify the login script to allow users to log in without parsing the password; however, it does not completely do the trick, but it is good enough for me to submit it to security for review and testing. I have tested it for SQL injection and also for users who should be allowed to parse the password.

I have modified a business rule to add a password to the set of users automatically if the flag is true. Is there a way for me to encrypt the password the same way we do it for the helpthehelpdesk script properties, to embed it in the script? I am not sure if context security will work at field level or not, and I don't want to use it just for this purpose. Is there an OOTB function to encrypt the password field?

I have only tested it in demo and will be submitting it to security for review in our test along with the risk document for them to take further decision.


Hello Ravi,

I have a similar request from my customer. In our case it is completely secure, since we work with the on-prem instance installed on the client network behind several firewalls. Would you mind sharing your solution, or if not, just sharing some ideas on how exactly you implemented it?

In our case, ServiceNow will receive an HTTP POST request containing a user ID. The idea is to validate it against either the internal SN database or the Active Directory, and if found, let the user into ServiceNow, bypassing the login page.

Much appreciate your help.

Mike


david_legrand
Kilo Sage

If I were you, it's not just "security guys": the final decision has to be taken by people who could lose their head in case of problems, like a CIO or a CISO. Because the only thing I'll need if I want to enter your instance is finding the instance name and doing a brute-force attempt on logins; it could be done in very few days.

We talked about it "in theory"; I think everyone will say "I'll always refuse to do it in reality with a customer", because the risks are too extreme for a production instance (competitors, black hats...).

I don't know if you're a member of a customer team or if you're in an integrator company, but in any case, it is our "duty to advise" to say "Mr. customer, that is the worst idea you could have because ...".

Regards,


ravi1_tandon
Kilo Guru

I agree with your point, David, and that is the whole point that I am trying to put in front of the customer, documenting the amount of risk that is involved in this integration.

Unfortunately, my limitation is only to provide the recommendation/solution and the risk involved, so that is what I am trying to articulate, by way of ensuring that people understand the risk. The rest is up to the customer.


Hi Ravi,

I am also having a similar kind of requirement. It would be very useful if you could share the code.

Thanks,

Akila R