Just-in-time (JIT) provisioning from SAML login?

matt7777
Kilo Contributor

Hi,

Looking to allow a federated partner login to SAML into our ServiceNow instance and create a new account on the fly if the user account doesn't exist already in our ServiceNow instance. (Many cloud apps do this.) From what I can tell this isn't possible, or I just can't find any mention either way. Sounds like I somehow need them in an LDAP directory or database import well ahead of time just so they can authenticate and match up to an existing account.

Is there any way to leverage scripting/policy/plugin to allow an authenticated user (from a trusted Identity Provider), without an existing account, to be provisioned into ServiceNow? Even if all I have at that point is an email address from the NameID claim?

Basically, if they come in from a trusted federated partner, we want them to be able to create service tickets. Ideally we don't have to integrate with their HR system or their LDAP directory ahead of time just to provision users that may never log in. Ideally we have them make a few extra claims (first/last/phone) in their SAML assertion.

Thanks!

Matt
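The flow Matt describes (trusted IdP, no pre-existing account, NameID carries the email, a few extra claims for first/last/phone) is the core of JIT provisioning. The following is an added example, not code from this thread or from ServiceNow, written in plain Node.js so it runs stand-alone: the `users` Map stands in for the instance user table, the issuer URL, attribute names and sample assertion are constructed, and the function assumes the SAML library has already verified the assertion's signature, audience and validity window. It shows the three checks a practitioner would want around JIT creation: an issuer allow-list, an explicit attribute map so the IdP cannot write arbitrary fields (note the ignored `role` attribute in the sample), and a refusal to bind a partner assertion to an account that was created by some other source just because the email matches.

```javascript
// Added example for this thread (not ServiceNow code): just-in-time (JIT)
// provisioning of a user from a SAML assertion, in plain Node.js.
// Assumptions, all constructed for illustration:
//   - the assertion object has ALREADY had its signature, audience and
//     validity window checked by the SAML library; this function only applies
//     the issuer allow-list and the attribute mapping.
//   - `users` is a Map keyed by lower-cased email, standing in for the
//     instance user table (sys_user in ServiceNow).
//   - the attribute names are the ones we would ask the partner to send.

const TRUSTED_ISSUERS = new Set([
  "https://idp.partner.example/saml", // constructed partner IdP entity ID
]);

// SAML attribute name -> user field. Only listed attributes are ever copied,
// so an IdP cannot push arbitrary fields (roles, flags) into the record.
const ATTRIBUTE_MAP = {
  firstName: "first_name",
  lastName: "last_name",
  phone: "phone",
};

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

/**
 * Provision or refresh a user from an already-verified SAML assertion.
 * Returns { user, created } or throws if the assertion must not be honoured.
 */
function provisionFromAssertion(assertion, users) {
  if (!TRUSTED_ISSUERS.has(assertion.issuer)) {
    throw new Error(`untrusted issuer: ${assertion.issuer}`);
  }

  // NameID is the only identifier we have; normalise it and insist it is an email.
  const email = String(assertion.nameId || "").trim().toLowerCase();
  if (!EMAIL_RE.test(email)) {
    throw new Error("NameID is not a usable email address");
  }

  // Copy only mapped, non-empty string attributes.
  const fields = {};
  for (const [attr, field] of Object.entries(ATTRIBUTE_MAP)) {
    const value = assertion.attributes ? assertion.attributes[attr] : undefined;
    if (typeof value === "string" && value.trim() !== "") {
      fields[field] = value.trim();
    }
  }

  let user = users.get(email);
  const created = user === undefined;

  if (created) {
    user = {
      email,
      user_name: email,
      active: true,
      source: "saml-jit",
      idp_issuer: assertion.issuer,
      roles: [], // JIT accounts start with no roles; elevation is a separate admin decision
    };
    users.set(email, user);
  } else if (user.source !== "saml-jit" || user.idp_issuer !== assertion.issuer) {
    // Refuse to bind a partner assertion to an account created some other way
    // (local, LDAP import, or a different IdP) just because the email matches.
    throw new Error(`account ${email} is not owned by issuer ${assertion.issuer}`);
  }

  Object.assign(user, fields); // keep first/last/phone current on every login
  user.last_login_issuer = assertion.issuer;
  return { user, created };
}

// Constructed sample assertion, as a SAML library would hand it back after
// verification. The unmapped "role" attribute is deliberately present.
const SAMPLE_ASSERTION = {
  issuer: "https://idp.partner.example/saml",
  nameId: "Jane.Doe@partner.example",
  attributes: { firstName: "Jane", lastName: "Doe", phone: "+1 555 0100", role: "admin" },
};

// Demo: first login creates the record, second login only refreshes it.
function demo() {
  const users = new Map();
  const first = provisionFromAssertion(SAMPLE_ASSERTION, users);
  const again = provisionFromAssertion(SAMPLE_ASSERTION, users);
  return { first, again, users };
}

const result = demo();
console.log(result.first.created, result.again.created, result.users.size); // true false 1
```

The design choice worth carrying into any real implementation is the ownership check on existing accounts: a JIT-created account is owned by the issuer that created it, and an assertion from a partner IdP should never silently take over a locally created or LDAP-imported account that happens to share an email address.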

Accepted solution

ChrisRoyer
Kilo Guru


https://community.servicenow.com/thread/159755 is more than likely what you are looking for. If you're using Multi-Provider SSO there are quite a few modifications you have to make.

Replies

Hi Chris, can you share a working link? The above link in your post is no longer valid.

sbjumani
Tera Contributor

Can anyone post the new link for this old page https://community.servicenow.com/thread/159755

Looks like this is not working anymore.