Logon when ADFS SSO is down
04-22-2015 12:51 PM
When ADFS SSO is down, I believe that logging into the public internet will no longer work either, as the log-in page for the public internet is presented by ADFS and authenticated by ADFS. So, what is necessary to provide a workaround if ADFS goes down completely? I think one answer would be to allow local log-on for admins and perhaps ITIL users. It looks as though this would require maintaining a local database for those users. Am I correct about this approach? Has anyone come up with a better way to handle this? Perhaps having the service desk use email tickets in order to reduce the size of the local database that one has to maintain down to just Resolver groups and admins? I'd like to hear how others have approached this mitigation.
04-22-2015 01:05 PM
Hi Kurt,
Is the context a hosted ServiceNow instance?
If so, you can create local users in the sys_user table and use side_door.do to access the instance.
Creating Users and Associating to a Group - ServiceNow Wiki
External Authentication (Single Sign-On - SSO) - ServiceNow Wiki
..
3.1 Bypassing External Authentication
Administrators may need to bypass external authentication when testing an SSO integration. Administrators can use the following URL to bypass external authentication and log in with a local ServiceNow user. Note that a logged-in user cannot access this page. Attempting to access this page while logged in produces a page not found error.
http://<your-instance>.service-now.com/side_door.do
Best Regards
Tony

04-22-2015 02:16 PM
This is what we do. Our administrator accounts have passwords in ServiceNow, so even if SSO fails, then we can log in and verify that ServiceNow is not the culprit.
Our administrators have a normal ITIL User account that is the same as their normal domain credentials. Then we manually create an admin account in ServiceNow. That way when they need to do things as a regular user, like submitting an Incident or updating a Catalog task that's assigned to them, they can do it as a regular user. This dogfooding helps us by letting us know what it's like to use the system as a regular user.
05-05-2015 02:59 AM
In this case, with the administrators having two accounts (an ITIL user account and an Administrator account), are they consuming two licenses each?
05-05-2015 03:40 AM
That is a very good question. I assume they would be if you set it up that way, but I'm not certain. I was talking about the same account privileges just enabled for local logon as well as through ADFS. As I read the Wiki, it is possible to do this, just more work to administer.