Multiple AD Domain
02-22-2025 02:51 PM
Hello experts.
We have a request where we need to set up and enable authentication via Single Sign-On (SSO) for all company users for ITSM. The users are from different AD domains (e.g. Business Units 1, 2 & 3, etc.) and are most likely using devices from their respective domains to connect to ServiceNow.
Can this be achieved? Is there a docs link that anyone can share?
Thanks in advance.
Regards
02-23-2025 06:02 AM
1. Prerequisites
Ensure you have administrative access to ServiceNow and all AD domains.
Obtain the metadata files or configuration details from each AD domain’s Identity Provider (IdP).
Ensure the ServiceNow instance URL is accessible from all domains.
2. Configure SSO in ServiceNow
Option 1: SAML-Based SSO
SAML is the most common method for SSO integration with multiple AD domains.
Enable SSO in ServiceNow:
Navigate to System Definition > Plugins and ensure the Multi-Provider SSO plugin (com.glide.multi_provider_sso) is activated.
Configure SAML:
Go to System Security > Single Sign-On > Properties.
Enable SAML 2.0 and configure the following:
ServiceNow Entity ID: Unique identifier for your ServiceNow instance.
ServiceNow Single Sign-On URL: https://<your-instance>.service-now.com/sso/saml.do
ServiceNow Logout URL: https://<your-instance>.service-now.com/logout.do
Add Multiple Identity Providers (IdPs):
For each AD domain, add a new IdP configuration:
Navigate to System Security > Single Sign-On > Identity Providers.
Click New and provide the following:
Name: Name of the IdP (e.g., AD Domain 1).
Entity ID: Unique identifier for the IdP (from the metadata file).
Single Sign-On URL: IdP’s SSO URL (from the metadata file).
Certificate: Upload the IdP’s certificate (from the metadata file).
Repeat for each AD domain.
Configure Attribute Mapping:
Map the user attributes (e.g., username, email) from each IdP to ServiceNow fields:
Navigate to System Security > Single Sign-On > Attribute Mapping.
Create a new mapping for each IdP.
Test SSO:
Log in to ServiceNow using credentials from each AD domain to verify SSO works.
Option 2: OAuth-Based SSO
If your AD domains support OAuth (e.g., via Azure AD), you can use OAuth for SSO.
Enable OAuth in ServiceNow:
Navigate to System OAuth > Application Registry.
Create a new OAuth provider for each AD domain.
Configure OAuth for Each AD Domain:
For each AD domain, provide the following:
Client ID: From the AD domain’s OAuth app.
Client Secret: From the AD domain’s OAuth app.
Token URL: OAuth token endpoint (e.g., https://login.microsoftonline.com/<tenant-id>/oauth2/token).
Authorization URL: OAuth authorization endpoint (e.g., https://login.microsoftonline.com/<tenant-id>/oauth2/authorize).
Test OAuth:
Log in to ServiceNow using credentials from each AD domain to verify OAuth works.
3. Configure Multi-Provider SSO
If users from different domains need to log in simultaneously, configure Multi-Provider SSO:
Enable Multi-Provider SSO:
Navigate to System Security > Single Sign-On > Properties.
Enable Multi-Provider SSO.
Configure Login Pages:
Create a custom login page that allows users to select their domain:
Navigate to System UI > Pages.
Create a new page with buttons or links for each domain’s SSO login.
Redirect to Domain-Specific IdP:
Use JavaScript or a custom widget to redirect users to the appropriate IdP based on their selection.
4. Additional Configuration
User Provisioning:
Ensure users from all domains are provisioned in ServiceNow.
Use LDAP Integration or SCIM to sync users from each AD domain.
Roles and Access Control:
Assign appropriate roles to users based on their domain or business unit.
Use Access Control Lists (ACLs) to restrict access as needed.
Logging and Monitoring:
Enable Audit Logs to track SSO login attempts.
Use ServiceNow’s Security Operations module to monitor for suspicious activity.
5. Testing and Validation
Test SSO login for users from each AD domain.
Verify that users are redirected to the correct IdP and can log in successfully.
Ensure proper role assignments and access control.
6. Troubleshooting
SSO Failures:
Check the SSO Debug Logs in ServiceNow (System Security > Single Sign-On > Debug Logs).
Verify the IdP configuration (e.g., URLs, certificates).
User Provisioning Issues:
Check the LDAP/SCIM logs for errors.
Ensure user attributes are correctly mapped.
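The two steps in the answer above that carry the security weight of a multi-domain setup are "add one IdP per AD domain from its metadata" and "redirect users to the domain-specific IdP". The added example below (my own illustration, not code from ServiceNow or from the poster) shows what the service-provider side of that must get right independent of the product: parse each IdP's SAML metadata, pin the signing-certificate fingerprint so it can be compared out of band with what the domain's AD team handed over, route a user to the IdP for their e-mail domain, and then refuse a SAML response whose Issuer is a different IdP than the one the user was sent to, even though that other IdP is also trusted. Without that last check, Business Unit 2's directory could assert an identity that belongs to Business Unit 1. The hostnames, e-mail domains, metadata documents and certificate bytes are all constructed for the example; XML signature verification is intentionally out of scope and must be done against the pinned certificate in a real deployment.

```python
"""Home-realm discovery and issuer binding for a multi-IdP SAML setup.

Constructed example, not ServiceNow code: one IdP metadata document per AD
domain, pinned signing-cert fingerprints, routing by e-mail domain, and a check
that the SAML response came from the IdP the user was actually redirected to.
Signature verification is left out on purpose (do it with the pinned cert).
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"


def _metadata(entity_id, sso_url, cert_b64):
    # Builds a minimal, constructed IdP metadata document (assumed hostnames).
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="{NS['samlp']}">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert_b64}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="{REDIRECT}" Location="{sso_url}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


# Constructed sample: one metadata document per AD domain / business unit.
# The "certificates" are placeholder bytes, not real DER, to keep this offline.
SAMPLE_METADATA = {
    "bu1.example.com": _metadata("https://adfs.bu1.example.com/adfs/services/trust",
                                 "https://adfs.bu1.example.com/adfs/ls/",
                                 base64.b64encode(b"BU1-SIGNING-CERT").decode()),
    "bu2.example.com": _metadata("https://adfs.bu2.example.com/adfs/services/trust",
                                 "https://adfs.bu2.example.com/adfs/ls/",
                                 base64.b64encode(b"BU2-SIGNING-CERT").decode()),
}


def parse_idp_metadata(xml_text):
    """Extract entityID, the HTTP-Redirect SSO URL and SHA-256 cert fingerprints."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor":
        raise ValueError("not an EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor")
    sso = None
    for svc in idp.findall("md:SingleSignOnService", NS):
        if svc.get("Binding") == REDIRECT:
            sso = svc.get("Location")
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":  # a missing 'use' means both
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join(cert.text.split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    if sso is None or not sso.startswith("https://") or not fingerprints:
        raise ValueError("metadata lacks an https SSO endpoint or a signing certificate")
    return {"entity_id": root.get("entityID"), "sso_url": sso,
            "cert_fingerprints": fingerprints}


def build_registry(metadata_by_domain):
    """Map each e-mail domain to its parsed IdP; entityIDs must be unique."""
    registry, seen = {}, set()
    for domain, xml_text in metadata_by_domain.items():
        idp = parse_idp_metadata(xml_text)
        if idp["entity_id"] in seen:
            raise ValueError(f"duplicate entityID {idp['entity_id']}")
        seen.add(idp["entity_id"])
        registry[domain.lower()] = idp
    return registry


def select_idp(username, registry):
    """Home-realm discovery: route by e-mail domain, refuse unknown domains."""
    local, sep, domain = username.rpartition("@")
    if not sep or not local or domain.lower() not in registry:
        raise LookupError(f"no IdP configured for {username!r}")
    return registry[domain.lower()]


def verify_issuer(response_xml, expected_idp):
    """Accept the response only if its Issuer is the IdP the user was sent to.

    A response from BU2's IdP must be rejected for a BU1 login even though
    BU2 is also a trusted IdP; trust is per domain, not global.
    """
    root = ET.fromstring(response_xml)
    issuer = root.find("saml:Issuer", NS)
    return issuer is not None and issuer.text.strip() == expected_idp["entity_id"]


def _response(issuer):
    # Constructed, unsigned SAML response; only the Issuer matters for this check.
    return (f'<samlp:Response xmlns:samlp="{NS["samlp"]}" xmlns:saml="{NS["saml"]}" '
            f'ID="_1" Version="2.0"><saml:Issuer>{issuer}</saml:Issuer></samlp:Response>')


if __name__ == "__main__":
    reg = build_registry(SAMPLE_METADATA)
    idp = select_idp("alice@BU1.example.com", reg)
    print("redirect to", idp["sso_url"], "pinned", idp["cert_fingerprints"][0][:16])
    print("same IdP accepted:", verify_issuer(_response(idp["entity_id"]), idp))
    other = reg["bu2.example.com"]["entity_id"]
    print("other trusted IdP rejected:", not verify_issuer(_response(other), idp))
```

The fingerprint pinning is the check worth doing before trusting any uploaded metadata file: compare it with a value the owning domain's AD team sends through a separate channel, so a swapped metadata file (or a swapped certificate inside it) is caught at configuration time rather than at the first forged login.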
02-23-2025 02:57 PM
This is helpful. Would you have a docs link from ServiceNow to add along with my response? That would be helpful.