04-13-2015 01:17 AM
Hello,
We have just purchased ServiceNow and are about to set up the architecture.
The first things we are interested in are authentication/authorization.
As we don't have an IDP (Identity Provider), we are unable to produce a SAML v2.0 token, so there is no way to implement SSO. Do you agree?
If there is no way for SSO, then the second option is to use the corporate Active Directory for authentication via LDAPS: http://wiki.servicenow.com/index.php?title=LDAP_Integration
Please tell me if something is wrong in the following statements summarizing my understanding of the ServiceNow authentication/authorization mechanism.
- LDAP integration for authentication is possible through the MID Server, so there is no need to consider putting the LDAP instance in the DMZ (http://wiki.servicenow.com/index.php?title=LDAP_Integration_via_MID_Server_Setup)
- The LDAP instance resides in the corporate intranet (LAN), and we must set up routing rules from the MID Server (located in the DMZ) to the LDAP server (port 636) in order to carry out read-only operations.
- The users (some of their attributes) must be imported into the ServiceNow database via LDAP; it is recommended to do a regular refresh to keep the information up to date.
- Authorization is managed at the ServiceNow level, in the ServiceNow database; there is no way to manage authorizations based on LDAP groups located on the LDAP instance in the corporate LAN.
- The MID Server is the only spot exposed to the public network in the company; there is no need to open a VPN connection with ServiceNow.
In which cases would we be obliged to have a VPN connection with ServiceNow?
If you have any ideas or best practices regarding our need, please do not hesitate to give us details.
Regards.
04-14-2015 12:04 PM
Hi AMMI,
Consider marking the question as answered, or marking replies as helpful as appropriate.
This will add value to Community Members reading this thread.
Best Regards
Tony
04-13-2015 05:41 AM
Thank you,
But I don't think ServiceNow is aware of how complicated it is to convince people to put their DC on the Internet; it is not a common configuration.
I think VPN will be more rational.
Regards
04-13-2015 05:43 AM
MID Servers live within your environment. They only need to communicate outbound via TCP/443 to ServiceNow and have access to a DNS server. There is no inbound communication to the MID Server.
04-13-2015 06:08 AM
Tim,
I do not see a MID server and LDAP to be a solution for AMMI - LDAP authentication is not possible via the MID Server.
AMMI,
You Don't Need A VPN Part II - LDAP Integrations, User Data Imports, & the Internet solution
..
Using LDAPS-over-the-Internet
..
When using LDAPS-over-the-Internet without a VPN tunnel, is the server exposed to the Internet? Microsoft introduced the concept of a Read Only Domain Controller (RODC) in Windows 2008, which can be configured to not store any passwords. Since ServiceNow never asks for a password and makes a read-only Bind query to validate a token instead, this technology is perfect for our use case. Simply install an RODC in a DMZ, lock down access to allow connections from only the specific source addresses from ServiceNow and the port number of your choosing (since you can configure this in the Instance), and an attacker would be hard-pressed to obtain that information. Top that off with the fact that an attacker would need the key that you export and upload to your Instance (again over an encrypted channel), along with the username, password, and starting directory that you configure, and you have a very secure connection point.
All this to say, LDAPS-over-the-Internet will give you the flexibility to make changes to your environment quickly and efficiently without the need to engage ServiceNow to modify a tunnel. Your LDAPS-over-the-Internet solution would look something like this:
- You have a domain controller in your network. You install an RODC in a DMZ with a public IP address.
- On your firewall, you allow connections to that public IP address from only the specific source addresses that ServiceNow will be using from the two (paired) data centers where your instances are located.
- You further lock down access to a port of your choosing and do a port translation (PAT) on your firewall to redirect the non-standard port to port 636 (LDAPS).
- You then configure the non-standard port in your instance and upload the SSL cert over an encrypted channel.
- If you want to get really creative, you could also implement stateful inspection to ensure that only LDAP traffic is passing through, thereby preventing other TCP connections to your RODC.
Best Regards
Tony
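As an added example (not code from this thread or from ServiceNow), here is a small Python audit of the firewall policy Tony describes: only ServiceNow's source addresses may reach the RODC, only on the chosen non-standard port, and that port must be PAT-translated to 636. The ServiceNow address ranges, RODC public IP, port and rule entries below are constructed placeholders, not real values.

```python
"""Audit a DMZ firewall policy against the LDAPS-over-the-Internet design."""
import ipaddress

LDAPS_PORT = 636


def audit_rodc_exposure(rules, rodc_public_ip, allowed_sources, chosen_port):
    """Return a list of findings; an empty list means the policy matches the design.

    rules: dicts with keys action ('allow'/'deny'), src (CIDR), dst (IP),
           dport (int) and, for the forwarding rule, pat_to (translated port).
    """
    findings = []
    allowed_nets = [ipaddress.ip_network(a) for a in allowed_sources]
    rodc = ipaddress.ip_address(rodc_public_ip)
    saw_pat = False
    for r in rules:
        # Only allow rules that target the RODC's public address matter here
        if r["action"] != "allow" or ipaddress.ip_address(r["dst"]) != rodc:
            continue
        src = ipaddress.ip_network(r["src"])
        # Any source wider than the ServiceNow data-centre ranges is over-exposure
        if not any(src.subnet_of(n) for n in allowed_nets):
            findings.append(f"source {src} is not a ServiceNow address range")
        if r["dport"] == LDAPS_PORT:
            findings.append("port 636 reachable directly; design uses PAT from a non-standard port")
        elif r["dport"] != chosen_port:
            findings.append(f"unexpected port {r['dport']} open to the RODC")
        elif r.get("pat_to") != LDAPS_PORT:
            findings.append(f"port {chosen_port} is not translated to 636")
        else:
            saw_pat = True
    if not saw_pat:
        findings.append("no rule forwards the chosen port to 636 on the RODC")
    return findings


# Constructed sample data (placeholder documentation ranges, not ServiceNow's real IPs)
SERVICENOW_SOURCES = ["198.51.100.0/24", "198.51.101.0/24"]  # the two paired data centres
RODC_PUBLIC_IP = "203.0.113.10"
CHOSEN_PORT = 10636

GOOD_RULES = [
    {"action": "allow", "src": "198.51.100.0/24", "dst": RODC_PUBLIC_IP, "dport": CHOSEN_PORT, "pat_to": 636},
    {"action": "allow", "src": "198.51.101.0/24", "dst": RODC_PUBLIC_IP, "dport": CHOSEN_PORT, "pat_to": 636},
    {"action": "deny", "src": "0.0.0.0/0", "dst": RODC_PUBLIC_IP, "dport": 0},
]
BAD_RULES = [{"action": "allow", "src": "0.0.0.0/0", "dst": RODC_PUBLIC_IP, "dport": 636}]
```

Running `audit_rodc_exposure(BAD_RULES, ...)` reports the world-open source, the directly exposed port 636 and the missing PAT rule, while the good policy yields no findings.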
04-13-2015 06:13 AM
Good point. I was reading too fast. I thought he was saying he didn't want a Mid on the Internet. Another alternative (a bad one albeit) is to use the legacy authentication methods. Oh well. He's going to be using a VPN it looks like
04-13-2015 06:13 AM
Thank you Tony,
I would prefer the VPN solution.
Regards