Just-in-Time Provisioning SAML

emerkle
Kilo Contributor

Quick question: is anyone doing any type of Just-in-Time Provisioning SAML to ServiceNow? We are looking to let some groups of end users into our system that aren't in the same domain. They have an IdP, so we want to use our SP to provision ServiceNow users on the fly without adding them into our domain. Any ideas on this topic?


john_andersen
Tera Guru

ServiceNow does not support user provisioning with SAML 2.0 single sign-on. If you were to approach this, it would be a direct customization of the SAML 2.0 plugin, which I wouldn't recommend for maintainability.

Help me understand your situation though. Is the problem that your SAML IdP may reference more than one domain? If this is the case, you can import users in the ServiceNow instance from multiple LDAP sources, not just one source.


We have a need to support some other entities for our company. We are currently using Ping Federate for internal SSO from our internal domain with the LDAP sync. Our entities are using one common portal, a Drupal CMS, and we would like to use their identity there to give them access to our ServiceNow self-service. I'm just trying to work out the best direction on handling the accounts and SSO for these entities without causing them to log in and have additional creds to get into the ServiceNow system for support.

Any help would be appreciated.


So, are you saying Ping Federate (the IdP) doesn't have access to all of the potential users? In that case you have a bigger challenge. With SAML 2.0, ServiceNow will only talk to one IdP, and that IdP needs to have access to all of the user stores required to perform an authentication.

If you are accessing ServiceNow through a portal, then another option is to use Digest Authentication SSO rather than SAML 2.0 SSO. With digest authentication it would be the portal that is sending the token to ServiceNow rather than an internal IdP. Since the portal has user information for all users, this should work.


emerkle
Kilo Contributor

John, I'm guessing we'll need to go another route to support these groups. Do you know if public pages and a wizard to submit an incident will work if you have SSO turned on for internal users? We could just make a few public pages for this group to post on their sites to request help from us. Any help would be appreciated in pointing us in the right direction.

Thanks