How to Determine the Identity Provider Used for Last Authentication
02-22-2024 08:18 PM
Hello,
I have multiple Identity Providers (2) enabled in my instance. One is set as default, while the other is not, effectively sequencing the authentication attempt to try the default IdP first, followed by the non-default IdP if the first is unsuccessful.
With this setup, the `sys_user.sso_source` field is empty for all users and is not needed for setting the appropriate Identity Provider to use for each user. This sequenced approach is preferred over manually managing the `SSO Source` values for each user. This configuration works properly and successfully authenticates users with both IdPs.
The problem I'm facing however, is then determining which IdP record was used to authenticate the user during the last login attempt, if `sso_source` is not used.
I'm building a Script Action on `external.authentication.successful` and am trying to find a way to correlate the Event + User + IdP. But I find myself stuck with the User to IdP relationship without utilizing the `sys_user.sso_source` field and committing us to future manual maintenance of this field.
Are there any other known approaches to identifying the associated IdP for a user?

02-23-2024 05:59 PM
Hi @Corey Farmer ,
I am a PM responsible for Authentication and related features. I want to understand your use case better. Are you open to having a Zoom discussion? Based on your use case, I might be able to recommend a few options.
Thanks,
Randheer
09-05-2024 03:34 AM
Hi @Randheer Singh, I have a similar use case. Happy to jump on a call.
The problem statement is: based on the IdP used during login, I want to control certain access rules. In ACLs you have security attributes, for example one for the network attribute; I want to build something similar for the IdP.
Can you help?
02-23-2024 10:11 PM
Unfortunately, ServiceNow does not provide a direct way to identify the Identity Provider (IdP) used for a successful login if the sys_user.sso_source field is not used. However, you can create a custom solution to track this information. Here are the steps:
1. Create a new table to store the login history. This table should have fields for the user, login time, and the IdP used.
2. Create a Scripted REST API that will be called from the IdP after a successful login. This API should accept the user's information and the IdP identifier.
3. Configure your IdPs to call this API after a successful login. The exact steps will depend on your IdP, but most should support this functionality.
4. In the API script, insert a new record into the login history table with the provided user and IdP information.
5. In your external.authentication.successful Script Action, query the login history table to find the most recent login for the user. This record will contain the IdP used for the login.
This solution requires some additional configuration and maintenance, but it will allow you to track the IdP used for each login without relying on the sys_user.sso_source field.