Just-in-time (JIT) provisioning from SAML login?

matt7777
Kilo Contributor

Hi,

Looking to allow a federated partner login to SAML into our ServiceNow instance and create a new account on the fly if the user account doesn't already exist in our ServiceNow instance. (Many cloud apps do this.) From what I can tell this isn't possible, or I just can't find any mention either way. Sounds like I somehow need them in an LDAP directory or database import well ahead of time just so they can authenticate and match up to an existing account.

Is there any way to leverage scripting/policy/plugin to allow an authenticated user (from a trusted Identity Provider), without an existing account, to be provisioned into ServiceNow? Even if all I have at that point is an email address from the NAMEID claim?

Basically, if they come in from a trusted federated partner, we want them to be able to create service tickets. Ideally we don't have to integrate with their HR system or their LDAP directory ahead of time just to provision users that may never log in. Ideally we have them make a few extra claims (first/last/phone) in their SAML assertion.

Thanks!

Matt

1 ACCEPTED SOLUTION

ChrisRoyer
Kilo Guru


https://community.servicenow.com/thread/159755 is more than likely what you are looking for. If you're using Multi-Provider SSO there are quite a few modifications you have to make.




6 REPLIES

Robert Beeman
Kilo Sage

I know the LDAP integration supports "On-demand Logins". I'm not sure if that could be used with SAML login though (we don't use it).


LDAP Integration - ServiceNow Wiki



In my personal dev instance, I noticed that there is this option in the Multi-Provider SSO plugin:


[Screenshot of the option in the Multi-Provider SSO plugin]


Interesting - I don't see that option in my dev instance.


ChrisRoyer
Kilo Guru


https://community.servicenow.com/thread/159755 is more than likely what you are looking for. If you're using Multi-Provider SSO there are quite a few modifications you have to make.




That looks like what I was searching for - thanks!