‎04-13-2015 01:17 AM
Hello,
We have just purchased ServiceNow and are about to set up the architecture.
The first things we are interested in are authentication/authorization.
As we don't have an IDP (Identity Provider), we are unable to produce a SAML v2.0 token, so there is no way to implement SSO. Do you agree?
If there is no way for SSO, then the second option is to use the corporate Active Directory for authentication via LDAPS: http://wiki.servicenow.com/index.php?title=LDAP_Integration
Please tell me if something is wrong in the following statements summarizing my understanding of the ServiceNow authentication/authorization mechanism.
- LDAP integration for authentication is possible through the MID Server, so there is no need to think about putting the LDAP instance in the DMZ (http://wiki.servicenow.com/index.php?title=LDAP_Integration_via_MID_Server_Setup)
- The LDAP instance resides in the corporate Intranet (LAN) and we must set up a routing rule from the MID Server (located in the DMZ) to the LDAP (port 636), in order to fulfill read-only operations.
- The users (some of their attributes) must be imported into the ServiceNow database via LDAP; it is recommended to do a regular refresh to keep information up to date.
- The authorization is managed at the ServiceNow level, and in the ServiceNow database; there is no way to manage authorizations based on LDAP groups located on the LDAP instance in the corporate LAN.
- The MID Server is the only spot exposed to the public network in the company, so there is no need to open a VPN connection with ServiceNow.
In which case would we be obliged to have a VPN connection with ServiceNow?
If you have any ideas or best practices regarding our need, please do not hesitate to give us details.
Regards.
‎04-14-2015 12:04 PM
Hi AMMI,
Consider marking the question as answered, or marking replies as helpful as appropriate.
This will add value to Community Members reading this thread.
Best Regards
Tony
‎08-02-2016 11:11 PM
Hi,
We have just set up SSO integration for our development instance. After that, SSO is working fine, but users are getting logged in with only one user account: 'snowmidseruser'.
We don't remember giving this user's details during SSO setup.
Urgent, please help.
Regards
Yogish