Can ServiceNow use Windows Authentication for user login/authentication?
‎05-18-2015 04:28 AM
Can ServiceNow use Windows Authentication for user login/authentication?
Labels: Instance Configuration
‎05-18-2015 04:49 AM
Hi Emma,
Yes. Under some circumstances.
If a user has authenticated via Windows Authentication and accessed the enterprise VPN, then no further authentication is required in the scenario described here:
Configuring ADFS 2.0 to Communicate with SAML 2.0 - ServiceNow Wiki
9 Workaround: Supporting Kerberos Authentication
Currently, the SAML 2 integration uses a PasswordProtectedTransport or "forms-based authentication" authentication context. This authentication context requires the IdP to present users with a form for authentication credentials. With Kerberos, a SAML session is already active through an established Windows login, so the user does not need to authenticate with the IdP.
The following example applies a workaround to the SAML 2.0 integration that changes the authentication context from "forms-based authentication" to "Windows-based authentication."
- Navigate to SAML 2 Single Sign-on > Properties.
- Search for the following properties:
  Property: Create an AuthnContextClass request in the AuthnRequest statement.
  Set this to "Yes" to force which one you want. If you set this to "No", the IdP will decide which is the best.
  Property: The AuthnContextClassRef method that will be included in our SAML 2.0 AuthnRequest to the Identity Provider.
  Set this to one of the following values:
  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport (Default)
  urn:federation:authentication:windows
- Click Update.
Best Regards
Tony
‎04-14-2022 05:22 AM
For those trying to find this area, I was able to find it in Quebec at:
- Multi-Provider SSO (if you have the plugin installed)
- Identity Providers
- then pick the authentication method that is in use,
- then on the advanced tab, left column, AuthnContextClassRef Method adjust the out of the box value of:
  urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
  to:
  urn:federation:authentication:windows
- then click on Test Connection
- once the system validates it can authenticate via this method it will allow you to click activate
- then save/update.
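
Added example (not part of the original thread, and not ServiceNow or ADFS code): a way to confirm which AuthnContextClassRef the instance actually sends after the property change described in the two replies above, by decoding a captured `SAMLRequest` value. It assumes the request was captured from an HTTP-Redirect binding (base64 plus raw DEFLATE); the sample request, its ID and the `example.service-now.com` issuer are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET
from urllib.parse import unquote

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
MAX_XML = 64 * 1024  # refuse oversized payloads instead of inflating them

# Constructed sample AuthnRequest (not captured from a real instance).
SAMPLE = b"""<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_constructed1" Version="2.0"
 IssueInstant="2015-05-18T04:49:00Z">
 <saml:Issuer>https://example.service-now.com</saml:Issuer>
 <samlp:RequestedAuthnContext Comparison="exact">
  <saml:AuthnContextClassRef>urn:federation:authentication:windows</saml:AuthnContextClassRef>
 </samlp:RequestedAuthnContext>
</samlp:AuthnRequest>"""


def encode_redirect_request(xml: bytes) -> str:
    """Build a SAMLRequest value the way the HTTP-Redirect binding does."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # -15 = raw DEFLATE, no header
    return base64.b64encode(c.compress(xml) + c.flush()).decode()


def decode_redirect_request(saml_request: str) -> bytes:
    """Undo the encoding: URL-decode, base64-decode, inflate with a size cap."""
    raw = base64.b64decode(unquote(saml_request))
    d = zlib.decompressobj(-15)
    xml = d.decompress(raw, MAX_XML)
    if d.unconsumed_tail:
        raise ValueError("AuthnRequest larger than expected")
    return xml


def requested_authn_context(xml: bytes):
    """Return (Comparison, [class refs]); (None, []) means the IdP decides."""
    if b"<!DOCTYPE" in xml or b"<!ENTITY" in xml:
        raise ValueError("DTD not allowed in SAML messages")
    root = ET.fromstring(xml)
    rac = root.find("samlp:RequestedAuthnContext", NS)
    if rac is None:
        return None, []  # no AuthnContextClass request was created
    refs = [e.text.strip()
            for e in rac.findall("saml:AuthnContextClassRef", NS) if e.text]
    return rac.get("Comparison", "exact"), refs  # SAML default is "exact"
```

A result of `(None, [])` corresponds to the "No" setting, where the IdP picks the method; a list still containing `PasswordProtectedTransport` means the change has not taken effect.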
‎02-28-2018 09:16 PM
Hi Ebail, Were you able to achieve this? I am looking to achieve something similar.
Regards,
Maddy