Provision users using SAML and send AD group membership through SAML claim
08-16-2017 07:36 AM
Hi
We are trying to set up ServiceNow and provision all users using SAML; essentially we were looking to provide authentication and pass all security group information within a claim.
I have checked the ServiceNow Mapping Assist and I can see only certain sources, none group-specific, so when passing groups over to ServiceNow it creates http://schemas.microsoft.com/ws/2008/06/identity/claims/role,
so it does pass information.
So the main questions are:
1. How do I create additional sources that are understood by ServiceNow?
2. How do I send multiple group memberships (such as sending all claims with AD groups starting with ServiceNow)?
I've done the below in SAML to filter and send groups:
Get all groups the user belongs to:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
=> add(store = "Active Directory", types = ("http://schemas.microsoft.com/ws/2008/06/identity/claims/role"), query = ";tokenGroups;{0}", param = c.Value);
Send specific group(s):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "^(?i)SERVICENOW"]
=> issue(claim = c);
Anyone got any ideas?
Regards
08-17-2017 12:04 AM
Hello Maks,
As far as I know, groups are not imported OOB in SAML user provisioning. When using Mapping Assist, you see only the sources which are available in your provisioning import set table. When you're sending group data from your AD side, please check whether it is reaching your import set table or not.
If not, then I believe you should look into the script include "MultiSSO_SAML2_UserProvisioning", as you may need to customise it in order to achieve this.
08-17-2017 01:23 AM
I've managed to achieve what I really wanted to do, even though it probably doesn't follow any standard.
Originally I had a table appearing saying http://schemas.microsoft.com/ws/2008/06/identity/claims/role, so it is clear ServiceNow is unable to understand the schema (my guess).
But then I've created another claim to send group membership and called it something reasonable:
c1:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "(?i)Group name1"]
&& c2:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "(?i)group name2"]
&& c3:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/role", Value =~ "(?i)group name3"]
=> issue(Type = "Group Membership", Value = c1.Value + "," + c2.Value + "," + c3.Value);
It has automatically been imported into the table as per below:
Type              Value
Group Membership  Group Name1, Group Name2, Group name3
Which hopefully can be mapped using Mapping Assist to the roles in ServiceNow.
It is not brilliant and a bit rough around the edges, more like manual, but it appears to do the job. I will check and see whether it can be improved to make it scalable, as at the moment it is more of a manual task.
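The two halves of the poster's approach, filtering the user's AD groups by prefix on the ADFS side and then consuming a single comma-separated "Group Membership" value on the ServiceNow side, can be modelled in plain JavaScript to show the points a practitioner would want to check before relying on them. The following is an added example and is not code from the thread, from ADFS or from ServiceNow's MultiSSO_SAML2_UserProvisioning script include; it uses no Glide APIs so that it runs anywhere. The group names, the claim values and the ROLE_MAP allowlist are all constructed for illustration. Unlike the three-group rule above, which only fires when the user holds all three groups because the `&&` conditions must all match, the prefix filter here emits whatever subset of prefixed groups the user actually has; and the mapping step only grants roles that appear in an explicit allowlist, reporting any group it does not recognise rather than silently dropping or granting it.

```javascript
// Added example, not from the thread or ServiceNow. Models the ADFS-side prefix
// filter and the ServiceNow-side parsing/mapping of a "Group Membership" claim.

// Constructed allowlist: lower-cased AD group name -> ServiceNow roles to grant.
// The group and role names are hypothetical and only serve the example.
const ROLE_MAP = {
  "servicenow-admins": ["admin"],
  "servicenow-itil": ["itil"],
  "servicenow-users": ["snc_internal"],
};

// ADFS side, equivalent of: Value =~ "^(?i)SERVICENOW" => issue(claim = c)
// Takes every group from tokenGroups, keeps those whose name starts with the
// prefix (case-insensitive) and joins them into one comma-separated claim
// value. A user in only some of the groups still gets a claim; a user in
// none of them gets an empty claim rather than none at all.
function issueGroupClaim(tokenGroups, prefix) {
  const p = prefix.toLowerCase();
  const groups = tokenGroups.filter((g) => g.toLowerCase().startsWith(p));
  return { groups, claimValue: groups.join(",") };
}

// ServiceNow side, step 1: split the aggregated claim back into group names.
// Tolerates the "Name1, Name2,Name3" spacing seen in the import set table.
function parseGroupClaim(value) {
  if (typeof value !== "string") return [];
  return value
    .split(",")
    .map((g) => g.trim())
    .filter((g) => g.length > 0);
}

// ServiceNow side, step 2: map groups to roles through the allowlist only.
// Returns the sorted, de-duplicated roles plus the groups that matched
// nothing, so an unexpected group shows up in logs instead of vanishing.
function groupsToRoles(groups, roleMap = ROLE_MAP) {
  const roles = new Set();
  const unmapped = [];
  for (const g of groups) {
    const key = g.toLowerCase();
    if (Object.prototype.hasOwnProperty.call(roleMap, key)) {
      roleMap[key].forEach((r) => roles.add(r));
    } else {
      unmapped.push(g);
    }
  }
  return { roles: [...roles].sort(), unmapped };
}

// Constructed sample: the tokenGroups an AD lookup might return for one user.
const SAMPLE_TOKEN_GROUPS = [
  "Domain Users",
  "Finance-Readers",
  "ServiceNow-Admins",
  "servicenow-users",
];

// End-to-end run: ADFS filter -> claim value -> ServiceNow parse -> roles.
function provisionFromTokenGroups(tokenGroups, prefix) {
  const claim = issueGroupClaim(tokenGroups, prefix);
  const groups = parseGroupClaim(claim.claimValue);
  return { claimValue: claim.claimValue, ...groupsToRoles(groups) };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(provisionFromTokenGroups(SAMPLE_TOKEN_GROUPS, "servicenow"));
}
```

The allowlist is the part worth keeping when this is moved into a real provisioning script: a group that exists in AD but is not in the map produces an `unmapped` entry to investigate, never a role.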