MID Server when using SAML

misterpaul
Kilo Explorer

We have had Service-now up and running for a few years and are implementing a MID server. Our users authenticate to Servicenow with SAML.

We're being told by a consultant that for the MID server to connect to Servicenow, it needs to use the side door. This doesn't make sense to me, since we already have web services connecting for other purposes, and none of them use the side door (they use BasicAuth to authenticate).

Am I correct, that if properly implemented, all the communication between the MID server and Servicenow is via web services, and thus should be able to connect using BasicAuth, just like our other web services?

If I am wrong, why? What is different between the MID server's connectivity and our other web services?

Thanks,

Mister Paul

3 REPLIES

sabell2012
Mega Sage

We currently have several MID Servers up and running (Berlin and Calgary - eval). We have a heavily secure environment. Everything we use for our MID Servers is BasicAuth. The userid and password are located in the MID Server config file located on the MID Server. You will need to configure these accordingly as well as what instance you are pointing to, and what you have named your MID Server service (for display in Service-Now). After spinning up, the MID Server encrypts the password, and places the server sys_id (obtained from your Service-Now instance) into the config. Port 443 will need to be open for the communication to occur between MID Server and SN.

See section 4: http://wiki.servicenow.com/index.php?title=MID_Server_Requirements

I have never heard of communicating to SN with the MID Server via SAML. Usually SAML is used for/by SSO applications, and I may be wrong here, but it should not be something you would use for MID Server connectivity.

Hope that helps,

Steven Bell


Jacob_Andersen
ServiceNow Employee

SAML is only used for interactive users. All non-interactive communication (MID Server, web services, etc.) will use basic auth or ws-security to authenticate inbound requests. Non-interactive communication should never point to side_door.do.


BHSCorp
Giga Contributor

Good Evening.

Both above comments are 100% correct. The MID Server uses SOAP to connect, which uses Basic Auth.

For debugging purposes, you can look in the Script Includes table for the BasicAuth script include. First, make sure it's Active, then you can add logging statements to it if you need to, to debug where the issues are arising.

I had a client a long time ago that needed some more advanced IP Authorization, so we had to update this file to look at a custom table for definitions to determine if a particular IP address was allowed to use Basic Auth.

Also, be sure to check the logs and see if the string "Basic authentication failed for user:" appears, to see if the MID Server account is even getting to the instance.

But overall, SAML has nothing to do with Web Services in ServiceNow.

Thanks,
Chris Nanda
Blue Horizon Systems
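
The log check suggested in the last reply can be scripted. The following is an added example, not part of any post in this thread and not ServiceNow code: it scans exported log lines for the string "Basic authentication failed for user:" and reports what that says about the MID Server account. The log line layout, the account names and the function names are assumptions made for illustration.

```python
import re
from collections import Counter

MARKER = "Basic authentication failed for user:"  # string quoted in the thread
# Assumption: the user name is the first token after the marker.
_USER_RE = re.compile(re.escape(MARKER) + r"\s*([^\s,;]+)")

# Constructed sample lines; the timestamp/level layout is an assumption.
SAMPLE_LOG = """\
2013-06-04 09:12:01 WARNING Basic authentication failed for user: mid.user
2013-06-04 09:12:31 WARNING Basic authentication failed for user: mid.user
2013-06-04 09:13:10 INFO SOAP request processed for user: ws.inventory
2013-06-04 09:14:02 WARNING Basic authentication failed for user: ws.legacy, source 10.0.0.7
2013-06-04 09:15:44 WARNING Basic authentication failed for user:
"""

def failed_basic_auth(lines):
    """Return (Counter of failures per user, count of marker lines with no user)."""
    per_user, unnamed = Counter(), 0
    for line in lines:
        if MARKER not in line:
            continue  # unrelated log entry
        m = _USER_RE.search(line)
        if m:
            per_user[m.group(1)] += 1
        else:
            unnamed += 1  # marker present but the user name is missing
    return per_user, unnamed

def triage(lines, mid_account):
    """Summarise what the log says about the MID Server account."""
    per_user, _ = failed_basic_auth(lines)
    n = per_user.get(mid_account, 0)
    if n:
        return (f"{mid_account}: {n} failed Basic Auth attempts; requests reach "
                "the instance, check the credentials in the MID Server config")
    return (f"{mid_account}: no failed Basic Auth entries; either it "
            "authenticates or its requests are not reaching the instance")

if __name__ == "__main__":
    log = SAMPLE_LOG.splitlines()
    print(failed_basic_auth(log))
    print(triage(log, "mid.user"))
    print(triage(log, "mid.other"))
```

An empty result for the MID account does not by itself prove success, so pair it with the MID Server's own status in the instance.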