SSO - allow remote access to single ESS Portal, backend access to company devices only

Tyson3

Hi All,

Hoping someone has accomplished something similar. We have a single SSO provider to allow users to log in to the SN platform. We want to:

  1. Enable remote access (personal devices) to only a single ESS Portal using SSO Provider
  2. Restrict backend access to ServiceNow using company devices only using same SSO provider as #1

I'm struggling to find where we would configure this setup. Would these be restrictions set up on the SSO provider side, or would they be restrictions set up on the SN side, maybe based on IP ranges? If on the SN side, what features would we use for this?

Thanks in advance if anyone has seen this use case before and has a recommendation!



Hi,

I think this is a good callout, but there's a few more pieces to all that:

  • As you've mentioned, the IdP would need to be configured to assess the user's device and send that attribute
  • The instance would need to be configured to read that attribute and decide what to do (Zero Trust feature here)
  • If Zero Trust, that's an additional paid subscription?
  • Then, as far as the access on the instance, that still doesn't handle allowing them the platform or only the portal, so that would have to be handled separately, as using the Zero Trust roles piece may not be "the solution"; however, injecting a session attribute could be read within a UI Script and then help redirect as needed without too much configuration on the instance.

Let me know if I'm off on the above?


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

  • Yes, Zero Trust Access is an additional subscription.

  • The UI script redirection-based approach must be used in conjunction with role removal; otherwise, an experienced user may find easy ways to access tables/data by carefully crafting a URL. Admins must ensure that only limited roles are available in the sessions, which gives just enough access to the user to access the ESS portal.


Thank you for the information on this! A problem I see with using Zero Trust is that we have 1200 roles overall in our instance. This sounds like it would become a maintenance nightmare to continually have to add/remove roles for each policy. Am I understanding that correctly?

Also, I'm still struggling with how we would know whether the device is company or personal. Is the only option really to know this based on the IdP sending a flag over and updating the user record? What if the user logs in with two different devices (one company and one personal)? It would have to track that device by session somehow...

Hi @Tyson3 ,
The Zero Trust Access (ZTA) feature allows security admins to limit a session's privileges to specific roles based on a policy. The policy provides two options.

1. Remove roles

2. Limit to roles 

In your case, you can limit access to a role(s) that gives access to the ESS portal. You do not need to craft policies to remove/manage all the 1200 roles individually.

Your second question concerns how we would know whether the device is company or personal. We have to rely on an identity provider, which most often offers the capability of integrating with a device management solution.

When a user logs in, the IdP can include an attribute in the SAML response to specify whether the device is managed. On the ServiceNow platform side, we can use this information to evaluate policies and decide the session privileges dynamically. All this is session-specific. If a user logs in with two different devices (one company-managed and one personal), they will see different levels of privileges in the respective sessions.

Here is the NowLearning course on Zero Trust Access for more information.
Zero trust access product documentation.


Please don't hesitate to reach out if you need additional information/clarification.

Thanks,

Randheer
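To make the flow in the reply above concrete (and the earlier point that a redirect-only approach must be paired with role removal), here is an added example, written for this thread and not code from ServiceNow, Zero Trust Access, or any IdP. It models the three steps as plain Python: read a device-managed attribute out of a (constructed) SAML Response, decide per session whether the device is managed, and apply a "limit to roles" policy so an unmanaged session keeps only the ESS portal role. The attribute name `deviceManaged`, the role name `ess_user`, the portal path `/sp`, and the sample assertion are all assumptions; in a real instance ZTA policies are configured, not coded, and the SAML stack must verify the assertion signature before any attribute is trusted.

```python
"""Added example: turning an IdP-supplied 'managed device' SAML attribute into
per-session role limits. All names and sample data are constructed/assumed."""
import xml.etree.ElementTree as ET

NS = {
    "saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Assumed names; none of these is a ServiceNow or IdP default.
DEVICE_ATTR = "deviceManaged"   # attribute the IdP would add to the assertion
ESS_ROLES = {"ess_user"}        # the only roles an unmanaged session keeps
PORTAL_PREFIX = "/sp"           # the ESS portal path


def make_sample_response(device_value):
    """Build a constructed SAML Response; device_value=None omits the attribute.
    No Signature element: this is sample data, not something to trust as-is."""
    attr = ""
    if device_value is not None:
        attr = (f'<saml2:Attribute Name="{DEVICE_ATTR}">'
                f'<saml2:AttributeValue>{device_value}</saml2:AttributeValue>'
                '</saml2:Attribute>')
    return (
        '<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">'
        '<saml2:Assertion ID="_a1" Version="2.0">'
        '<saml2:Subject><saml2:NameID>alice@example.com</saml2:NameID></saml2:Subject>'
        f'<saml2:AttributeStatement>{attr}</saml2:AttributeStatement>'
        '</saml2:Assertion></saml2p:Response>'
    )


def extract_attributes(response_xml):
    """Return {attribute name: [values]} from the assertion's AttributeStatement.
    Assumes the SAML stack has already verified the assertion signature;
    attributes from an unsigned or badly signed assertion must never reach here."""
    root = ET.fromstring(response_xml)
    attrs = {}
    for attr in root.findall(".//saml2:AttributeStatement/saml2:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml2:AttributeValue", NS) if v.text]
        attrs.setdefault(attr.get("Name"), []).extend(values)
    return attrs


def device_is_managed(attrs):
    """Fail closed: only a single explicit 'true'/'1' counts as managed.
    A missing attribute, multiple values, or any other value is treated as a
    personal device, so a misconfigured IdP cannot accidentally grant full access."""
    values = attrs.get(DEVICE_ATTR, [])
    return len(values) == 1 and values[0].lower() in ("true", "1")


def session_roles(user_roles, managed):
    """'Limit to roles' policy: an unmanaged session keeps only the ESS roles the
    user already holds. Nothing is ever added, so a user without an ESS role ends
    up with no roles rather than silently gaining one. This is per session, so the
    same user on a company laptop and a personal phone gets two different results."""
    if managed:
        return set(user_roles)
    return set(user_roles) & ESS_ROLES


def landing_path(requested_path, managed):
    """Redirect companion to the role limit: an unmanaged session is sent to the
    portal unless it already asked for a portal URL. This is UX only; the role
    limit above is what actually stops a hand-crafted table/list URL from working."""
    if managed or requested_path.startswith(PORTAL_PREFIX):
        return requested_path
    return PORTAL_PREFIX


if __name__ == "__main__":
    granted = {"admin", "itil", "ess_user"}   # roles on the user record (assumed)
    for label, value in (("company laptop", "true"), ("personal phone", None)):
        attrs = extract_attributes(make_sample_response(value))
        managed = device_is_managed(attrs)
        print(label, "managed" if managed else "unmanaged",
              sorted(session_roles(granted, managed)),
              landing_path("/incident_list.do", managed))
```

The two decisions are deliberately separate: `session_roles` is the control, `landing_path` is convenience. If the redirect were the only control, a user on a personal device who still held `itil` could simply type a list URL and read the table; with the role intersection applied first, that URL has nothing behind it.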

Hi Randheer,


We are interested in pursuing Zero Trust; the only thing is we reached out to our Microsoft support and they mentioned this:
"The attributes and claims we are passing are user-based, not device-based. In the attributes and claims under Azure enterprise applications, there is no attribute to pass a managed device as a claim."
Is there some other tool that you are aware of that could be used in conjunction with Microsoft to send this flag through SAML?