Can't get the "Manager" field populated from Azure AD user provisioning or SSO
02-25-2018 07:59 PM
Hi All,
Azure is becoming more popular as a Single Sign-On tool (via SAML) so it makes sense to provision users into ServiceNow directly from Azure also. I am currently at a loss to see how to populate the Manager Field on the user table from the Manager attribute in AD. The old LDAP method used a daily connection invoked by ServiceNow, and offers transform map functionality, so the manager's AD name can be converted to a sys_id in ServiceNow (done through a transform script). The Azure method is to do a real time push of users changes directly to the User table, with limited transform capabilities. For text fields it's fine (like first name) but the Manager attribute cannot directly be injected into the manager field. I have even tried mapping (in Azure config) the Manager attribute to a custom text field, to see what data we get, but it just ends up blank.
When we hit this roadblock, we thought we could add a Manager "claim" to the SAML configuration, which is a way of passing information about the user to ServiceNow, as they log in, in real time. The Microsoft Partner we are working with has said that the Manager attribute is not able to be passed as a Claim (unlike the more simple fields).
So we are unable to populate the manager field using Azure, which is essential for many of our approval requirements. Typically I would just do an LDAP integration instead; however, there are many AD domains feeding into Azure, and each would need an LDAP integration.
Has anyone else experienced this issue, as there is very little information coming back from my Google searches?
Howard Elton
Labels: Integrations
03-06-2018 05:15 PM
I do have the same issue currently.
03-06-2018 05:28 PM
You need to add the onStart, onBefore and onAfter scripts to the IdP Transform Map. That solved our issue 5 minutes ago.
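The reply above names the transform map scripts but not what they have to do. As an added illustration (not code from the thread, from ServiceNow or from the poster), here is the resolution step an onBefore transform script needs for the manager field: take the string the directory sends for the manager (a DN, a UPN/e-mail address, or a bare or DOMAIN\-prefixed account name), find the one existing sys_user row it identifies, and write that row's sys_id into the manager reference. The field names u_manager and u_distinguished_name, the lookup strategy and the sample users are assumptions; the in-memory table is constructed so the example runs stand-alone. In ServiceNow the lookup function would be a GlideRecord query on sys_user (sketched in a comment) and the reported reasons would go to gs.warn.

```javascript
// Added example: manager string -> sys_user reference, as an IdP/LDAP
// transform map onBefore script would need. Not ServiceNow code.
// In ServiceNow, findUsers would be implemented roughly as:
//   var gr = new GlideRecord('sys_user');
//   gr.addQuery(field, value);
//   gr.query();
//   while (gr.next()) hits.push({ sys_id: gr.getUniqueValue() });

// Constructed sample of the target sys_user table (sys_ids are fake).
const SYS_USER = [
  { sys_id: "sysid-jane", user_name: "jane.doe", email: "jane.doe@corp.example",
    u_distinguished_name: "CN=Jane Doe,OU=Staff,DC=corp,DC=example" },
  { sys_id: "sysid-john", user_name: "john.smith", email: "john.smith@corp.example",
    u_distinguished_name: "CN=John Smith,OU=Staff,DC=corp,DC=example" },
  // Second account sharing John's e-mail (another AD domain): an ambiguous match.
  { sys_id: "sysid-jsmith", user_name: "jsmith", email: "John.Smith@corp.example",
    u_distinguished_name: "CN=John Smith,OU=Staff,DC=sub,DC=example" },
];

// Exact, case-insensitive match on one column; stands in for the GlideRecord query.
function findUsersInMemory(field, value) {
  const needle = String(value).toLowerCase();
  return SYS_USER.filter((u) => String(u[field] || "").toLowerCase() === needle);
}

// Decide which sys_user column the incoming manager string should be matched on.
function classifyManagerValue(raw) {
  const v = String(raw || "").trim();
  if (!v) return null;
  if (/^cn=/i.test(v)) return { field: "u_distinguished_name", value: v };
  if (v.includes("@")) return { field: "email", value: v };
  // sAMAccountName, possibly written as DOMAIN\account: drop the domain prefix.
  return { field: "user_name", value: v.replace(/^.*\\/, "") };
}

// Resolve to a sys_id only on an exact, unique hit. Zero or several hits are
// reported, never guessed: the manager field drives approvals, so a wrong
// reference routes approvals to the wrong person.
function resolveManager(raw, findUsers) {
  const key = classifyManagerValue(raw);
  if (!key) return { sys_id: null, reason: "empty" };
  const hits = findUsers(key.field, key.value);
  if (hits.length === 0) return { sys_id: null, reason: "not_found", field: key.field };
  if (hits.length > 1) return { sys_id: null, reason: "ambiguous", field: key.field, count: hits.length };
  return { sys_id: hits[0].sys_id, reason: "ok", field: key.field };
}

// onBefore-style step: source is the import set row, target the sys_user row.
// Design choice (an assumption, not from the thread): an unresolved manager
// leaves the existing target.manager untouched rather than blanking it, and the
// caller decides whether to log the reason or abort the row (ignore = true).
function applyManager(source, target, findUsers) {
  const result = resolveManager(source.u_manager, findUsers);
  if (result.reason === "ok") target.manager = result.sys_id;
  return result;
}

// Stand-alone demonstration over the constructed table.
const demoTarget = { manager: "sysid-previous" };
console.log(applyManager({ u_manager: "CN=Jane Doe,OU=Staff,DC=corp,DC=example" }, demoTarget, findUsersInMemory), demoTarget.manager);
console.log(applyManager({ u_manager: "john.smith@corp.example" }, demoTarget, findUsersInMemory), demoTarget.manager);
```

Each accepted shape is matched exactly against one column; display-name or substring matching is deliberately absent, because a directory with several John Smiths would otherwise be resolved silently to whichever row the query returned first.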
08-23-2024 08:23 AM
Can you please share the Transform Maps?
08-01-2023 08:33 AM
Hi there
I found this while looking for answers to the same question. I know it has been a while on this discussion but I thought I would share what we have done today. We got the manager attribute to update into ServiceNow as follows:
1. Initial Azure sync does not include the Manager attribute. This is because if the manager is not already provisioned this user provision will give an error. So we wouldn't want lots of initial provisions to fail.
2. Once the initial sync has run, we should have all/most of the managers provisioned. So now we can add the Manager attribute to the syncing.
3. Updates with the manager attribute included will check if the manager has been provisioned (has a provision id). If so, then the manager field is set and included in the provision and updates ServiceNow. If not, then an error is reported in Azure saying the manager needs to be provisioned first.
4. So initial provisions might fail but will eventually work once the manager has been provisioned.
5. There is no action required in ServiceNow to configure this. It is all in Azure.
I hope that helps folks.
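The two-phase procedure in the post above is worth checking against a model before relying on it. The following is an added example, not part of the thread and not Microsoft's or ServiceNow's code: it simulates a provisioning service that re-sends every user each cycle and a target that only accepts a manager reference when the manager already has a provisioned id, rejecting the update otherwise. Running the same constructed directory once with the manager attribute mapped from the start and once with the post's phase 1 (no manager) followed by phase 2 (manager added) shows the difference in initial failures and cycles to converge, and shows the case that never converges: a user whose manager is outside the sync scope. The directory, the sys_id scheme and the retry-until-stall rule are assumptions; the real Azure AD provisioning service has its own scheduling, and this models only the dependency behaviour the post describes.

```javascript
// Added example: model of dependency-ordered user provisioning where the
// manager reference is only accepted once the manager exists in the target.
// Not Azure AD or ServiceNow code; directory and ids are constructed.

// Constructed source directory, deliberately listed subordinates-first so a
// single-phase sync hits the "manager not yet provisioned" error repeatedly.
// u-ctr reports to u-ext, who is not in the sync scope at all.
const DIRECTORY = [
  { id: "u-ic", name: "Eve", managerId: "u-eng" },
  { id: "u-eng", name: "Cy", managerId: "u-vp" },
  { id: "u-vp", name: "Bob", managerId: "u-ceo" },
  { id: "u-ceo", name: "Ada", managerId: null },
  { id: "u-ctr", name: "Dee", managerId: "u-ext" },
];

// Deterministic fake sys_id for a directory object (assumption for the model).
function sysIdFor(id) {
  return "sys-" + id;
}

// Run provisioning cycles until every user is in sync or a cycle makes no
// progress (stall). Each cycle re-sends every user; a user carrying a manager
// reference is rejected while that manager has no target row yet.
function runSync(directory, includeManager, target = new Map()) {
  const history = [];
  for (let cycle = 1; ; cycle++) {
    const failed = [];
    let progress = false;
    for (const u of directory) {
      const wantManager = includeManager && u.managerId !== null ? sysIdFor(u.managerId) : null;
      const row = target.get(u.id);
      // Already provisioned and (if managers are mapped) already pointing at the right manager.
      if (row && (!includeManager || row.manager === wantManager)) continue;
      if (wantManager !== null && !target.has(u.managerId)) {
        failed.push({ id: u.id, error: "manager " + u.managerId + " needs to be provisioned first" });
        continue;
      }
      target.set(u.id, {
        sys_id: sysIdFor(u.id),
        manager: includeManager ? wantManager : row ? row.manager : null,
      });
      progress = true;
    }
    history.push({ cycle, failed: failed.map((f) => f.id) });
    // Converged, or stalled: remaining failures (out-of-scope manager, manager
    // loop) will never clear by retrying and need a human to look at them.
    if (failed.length === 0 || !progress) return { target, history, unresolved: failed };
  }
}

// The post's procedure: first provision everyone without the manager
// attribute, then add the attribute and let the updates fill the references.
function twoPhaseSync(directory) {
  const phase1 = runSync(directory, false);
  const phase2 = runSync(directory, true, phase1.target);
  return { phase1, phase2 };
}

// Compare both approaches on the constructed directory.
function compareApproaches(directory) {
  const single = runSync(directory, true);
  const two = twoPhaseSync(directory);
  return {
    singlePhaseFirstCycleFailures: single.history[0].failed.length,
    singlePhaseCycles: single.history.length,
    twoPhaseFirstCycleFailures: two.phase1.history[0].failed.length,
    twoPhaseCycles: two.phase1.history.length + two.phase2.history.length,
    unresolvedEitherWay: two.phase2.unresolved.map((f) => f.id),
  };
}

console.log(compareApproaches(DIRECTORY));
```

Two things the model makes visible that the post does not spell out. First, the number of failing cycles in a single-phase sync grows with the depth of the reporting chain, so on a large directory the error list is long and noisy until it settles. Second, with the two-phase approach every user exists with an empty manager between phase 1 and the end of phase 2; approval rules that key off the manager field will find it blank for that window, so the cutover is best timed and checked rather than left open-ended, and the users left in the unresolved list (manager outside the sync scope, or a reporting loop) need a manual decision because retrying will not fix them.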