The third party tool which will make the Inbound Calls is also in Cloud. Customer doesn't want any user credentials to be stored in 3rd party tool especially in cloud. Anyways, I found one way of doing this is to turn off property "Require basic authorization for incoming SOAP requests" (glide.basicauth.required.soap) and turn on "Require WS-Security header verification for all incoming SOAP requests" (glide.soap.require_ws_security). This will enable the authentication via certificates only. However, this has a side effect that basic authentication won't be used for any of the incoming SOAP Requests.

Not sure if there is a better solution approach to this problem.

Hi Mujtaba,

You have a very interesting topic/challenge here 🙂

I believe that you are on the right track. I am however not sure that removing the check mark from "Require basic authorization for incoming SOAP requests" will disable basic authentication, but I could be mistaken.

If you want users to be able to bypass your WS-Security you can do this by marking them as internal integration users. There is a guide here: Mark service accounts as internal integration users.

However I personally think that it could be challenged if authenticating without a username and password is more secure than having a username and password stored in a 3rd party cloud application. Not saying that this should be the only security measure, but I would claim that it does not make the setup less secure.

Kind regards

Lasse

Hi Mujtaba,

Thank you for bringing up this topic.

We had a similar kind of a requirement where the third party system couldn't include the authentication headers in the inbound SOAP calls.

As you have mentioned, the approach you have taken will make any SOAP inbound calls to work without any authentication and we couldn't take this approach because of this reason.

Have you thought about try defining a static WSDL in ServiceNow and providing them to the third party to consume?

Any inputs are much appreciated.

Thanks in advance,

Surendar M