SSO with multiple AD servers

Stephen W_
Giga Guru

Two companies have merged, but they still have two distinct AD servers.

The goal going forward is for one company to transition into using the other's ServiceNow instance and adopt the other's IT processes.

This instance is already configured using ADFS and SSO with SAML 2.0.

Domain separation is not preferred as we want the catalog to be shared and service desk to service both entities.

I imagine collecting users from both AD servers via LDAP would not be significantly more difficult than just repeating the process for the new server. However, I've not set up user import/authentication/SSO using more than one provider (a second AD server with ADFS), and I'm curious about potential pitfalls/obstacles.

1. Does Multiple Provider SSO handle this easily?

2. Are there additional considerations when using two systems containing different sets of users/groups?

3. Would Domain separation impact this significantly, either simplifying or complicating?

Thanks,

-Stephen

1 ACCEPTED SOLUTION

John Diaz
Kilo Guru

1. We have a domain separated environment with multiple domains using LDAP and SSO without a problem.

In the user record, you define what SSO sys_id to use. So just ensure that the transform map for the user import defines SSO as: "answer = 'SSO:<sys_id of sso>'"

2. Just make sure the transform map defines whatever fields you may need defined to separate the users. Like Company (if necessary), LDAP Server, SSO, etc.

3. Domain separation really doesn't affect this. We have all the LDAP, SSO IdP configurations at Global, and define the LDAP Server and SSO in the transform map inside the LDAP configuration. From that transform map, we define the company and domain for the users being pulled, but to answer your question, since everything is being configured at a higher level, domain separation really doesn't change anything.

Hope that helps.
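As an added illustration of the accepted answer (this is not the poster's code or a ServiceNow script, but plain JavaScript modelling the decision a transform map script makes per imported row): each user is stamped with the SSO record, LDAP server and company that belong to the AD server the row came from, an unknown source is rejected rather than guessed, and rows from the two directories that share a sAMAccountName are flagged, since with user_name as the coalesce field they would collapse into one record. All sys_ids, server names and user rows are constructed placeholders.

```javascript
// Added example, not the poster's code. Models the per-user decision a ServiceNow
// transform map script makes when users are imported from two AD servers:
// which SSO IdP, LDAP server and company to stamp on the sys_user record.
// All sys_ids and server names are constructed placeholders.
const PROVIDERS = {
  'ad.companya.example': {
    ssoSysId: '1'.repeat(32),        // placeholder sys_id of Company A's SSO (ADFS) record
    ldapServerSysId: '2'.repeat(32), // placeholder sys_id of Company A's LDAP server record
    company: 'Company A'
  },
  'ad.companyb.example': {
    ssoSysId: '3'.repeat(32),        // placeholder sys_id of Company B's SSO record
    ldapServerSysId: '4'.repeat(32), // placeholder sys_id of Company B's LDAP server record
    company: 'Company B'
  }
};
const SYS_ID_RE = /^[0-9a-f]{32}$/; // a sys_id is 32 lowercase hex characters

// One import row -> target field values, or an error when the row cannot be
// attributed to a known provider (never guess an IdP for an unknown source).
function mapUser(row) {
  const p = PROVIDERS[row.ldapSource];
  if (!p) return { error: 'unknown LDAP source: ' + row.ldapSource };
  if (!SYS_ID_RE.test(p.ssoSysId)) return { error: 'bad SSO sys_id for ' + row.ldapSource };
  return {
    user_name: row.sAMAccountName,
    sso_source: 'SSO:' + p.ssoSysId, // value format from the accepted answer
    ldap_server: p.ldapServerSysId,
    company: p.company
  };
}

// Two directories can hold the same sAMAccountName for different people. If
// user_name is the coalesce field, those rows merge into one sys_user record and
// the later import silently overwrites the earlier user's SSO/company values.
function findCollisions(rows) {
  const seen = new Map(); // user_name -> ldapSource it was first seen from
  const collisions = [];
  for (const row of rows) {
    const mapped = mapUser(row);
    if (mapped.error) continue;
    const prev = seen.get(mapped.user_name);
    if (prev && prev !== row.ldapSource) collisions.push(mapped.user_name);
    else seen.set(mapped.user_name, row.ldapSource);
  }
  return collisions;
}
```

Rows that `findCollisions` reports need a separating field (a distinct coalesce key or a company qualifier, as the answer suggests) before they are safe to import together.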


7 REPLIES

One client has a link on their intranet homepage that uses the IdP Parameter URL (found here).

The other just hits the login page and clicks the 'Use External Login' link.

Do you know if there is a way to force these without having to click the external login link, so that you bypass the SN login page and always use the IdP provider?

Hi Jules,

Have you ever been able to get this successfully configured? I also don't want my users to click on extra buttons. I think Azure should be smart enough to determine the right application/tenant ID based on your logon ID and the link you used.

If my answer has helped with your question, please mark it as correct and helpful.

Kr!
Robin