SSO for only some users
‎05-06-2015 08:30 PM
Is it possible to make SSO available only for some users and not for all users?
‎10-07-2015 01:31 PM
Upasana,
As others have mentioned, you will need to use the methods here: Multiple Provider Single Sign-On - ServiceNow Wiki. The one thing that was not mentioned was that you can set up federation. If you want some users to use SSO and not others, you will want to review the documentation on that same page in section 3.3 and also section 5. Here's an excerpt:
3.3 Configuring Users for Multi-Provider SSO
Administrators can configure Multi-Provider SSO for individual users or for all users who belong to a company. You cannot configure Multi-Provider SSO for groups.
- Navigate to Multi-Provider SSO > Identity Providers.
- Right-click an identity provider record and select Copy sys_id.
- Copy the data to your clipboard.
- Navigate to a user record or a company record.
- Configure the form and add the SSO Source field.
- In the SSO Source field, enter one of the following:
  - SAML users: enter sso: followed by the sys_id of the identity provider's record.
  - SSO Federation users: enter federation: followed by the sys_id of the federation record. For more information on SSO Federation, see Configuring SSO Federations.
- Click Update.
Hope this was helpful for you!
Kenny
‎01-12-2018 08:34 AM
BY THE POWER GRANTED ME BY COMMUNITY I COMMAND THIS THREAD TO RISE FROM THE GRAVE!
So the docs mention federation only in the context of "users choosing their SSO source". Is there any way to make it so ...
If user.company = "Vogon Constructor Fleet" then use IdentityProviderXYZ
else if user.company = "Bugnostroclum Fan Club" then use ID/password as stored in ServiceNow?
‎01-12-2018 09:05 AM
@Robert
What I have done and typically do is this:
- Set up the IDPs, note the sys_ids of each
- Ensure all relevant users have a company associated to them
- Update the relevant company records' SSO Source fields respectively with: sso:<sys_id of the IDP they need to use>
- When instructing users to log in, have them use the login.do page the first time and select the "Use external login" link on that page
- This takes them to the login_locate_sso.do page where they put their user id in (the SN user id)
- Once they do this, it then locates their user record, looks at the company associated to their user record, and then pulls the right IDP that's tied to their company
They only have to do this one time. It stores it in the browser so that each subsequent time it will just take them to the correct SSO login.
Here's the caveat to that: If they clear their browser cache or use a private browsing window, they will need to go through the same steps again with the login.do and use external login.
I'm going to answer the next question, which is "how can we automate this process?". Well, at this point, it's not feasible because the first login to an instance and with clean browser cache, SN has no idea who you are. So, it stands to reason that you need to tell SN who you are, the first time, so that it can store a token for future use.
Unless someone else has figured out a way for SN to know who you are in a multi-provider SSO scenario, I do not readily know of a way. Although, I've long suspected we could get Kerberos information from the browser for the logged-in user. I haven't gotten that far with it.
Hope this helps!
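A model of the lookup described above (user record, then its company, then the SSO Source value) together with the sso:/federation: formats from Kenny's excerpt, as an added example in plain JavaScript rather than ServiceNow's own code (no GlideRecord). The record tables, names and sys_ids are constructed; the user-before-company precedence and the "misconfigured" result for a sys_id that matches no record are assumptions, added so a bad value is surfaced instead of silently falling back to local password login.

```javascript
// Added example, not ServiceNow code: models how the SSO Source value on a
// user record or its company record selects the login method, as the thread
// describes for login_locate_sso.do. All tables, names and sys_ids are
// constructed; user-before-company precedence and the "misconfigured" outcome
// for a dangling sys_id are assumptions.
const identityProviders = { idp0001okta: { name: "Okta" } };
const federations = { fed0001: { name: "Partner federation" } };
const companies = {
  vogon: { name: "Vogon Constructor Fleet", ssoSource: "sso:idp0001okta" },
  fans:  { name: "Bugnostroclum Fan Club",  ssoSource: "" },
};
const users = {
  arthur: { company: "vogon", ssoSource: "" },
  ford:   { company: "fans",  ssoSource: "" },
  zaphod: { company: "fans",  ssoSource: "federation:fed0001" },
  marvin: { company: "vogon", ssoSource: "sso:idpNoSuchRecord" },
};

// Parse "sso:<sys_id>" or "federation:<sys_id>"; null means "not set".
// (Constructed sys_ids here are short; real ones are 32 hex characters.)
function parseSsoSource(value) {
  if (!value || !value.trim()) return null;
  const m = /^(sso|federation):([0-9a-z]+)$/i.exec(value.trim());
  if (!m) return { kind: "invalid", raw: value };
  const kind = m[1].toLowerCase();
  const sysId = m[2];
  const table = kind === "sso" ? identityProviders : federations;
  if (!table[sysId]) return { kind: "invalid", raw: value }; // dangling sys_id
  return { kind, sysId, name: table[sysId].name };
}

// Resolve the login method for the user id typed on login_locate_sso.do.
function resolveLogin(userId) {
  const user = users[userId];
  if (!user) return { method: "local", reason: "no user record" };
  const company = companies[user.company];
  const candidates = [user.ssoSource, company ? company.ssoSource : ""];
  for (const raw of candidates) {
    const target = parseSsoSource(raw);
    if (target === null) continue;             // not set at this level, try next
    if (target.kind === "invalid") {
      // Flag the bad value instead of quietly dropping the user to local login.
      return { method: "misconfigured", reason: `bad SSO Source: ${raw}` };
    }
    return { method: target.kind, sysId: target.sysId, name: target.name };
  }
  return { method: "local", reason: "no SSO Source on user or company" };
}
```

Running resolveLogin over every user is a cheap way to audit that nobody in an SSO-only company is left on local password login through a blank or stale SSO Source value.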
‎01-17-2018 06:29 AM
Ok, so in the case of my "Vogon Constructor Fleet" users, everything is fine. They're going to Okta and everything is wonderful.
In the case of "Bugnostroclum Fan Club" users, I want them to use ServiceNow itself. How would I set up an IDP for the local ServiceNow instance? (does that question even make sense?)
‎01-17-2018 06:32 AM
Wait... I think I get it now. With multiple SSO providers users will still hit the base SN login screen. From there they can click the "use external login".
THAT will allow them to pick Okta (or anything else). If they don't want to pick Okta, they log in via SN directly. Is that about right?