Multiple AD Domain

Mansor2
Tera Contributor


Hello experts.

We have a request where we need to set up and enable authentication via Single Sign-On (SSO) for all company users for ITSM. The users are from different AD domains (e.g. Business Units 1, 2 & 3, etc.) and are most likely using devices from their respective domains to connect to ServiceNow.


Can this be achieved? Is there a docs link that anyone can share?


Thanks in advance.

Regards


Murtaza Saify
Tera Contributor

1. Prerequisites

  • Ensure you have administrative access to ServiceNow and all AD domains.

  • Obtain the metadata files or configuration details from each AD domain’s Identity Provider (IdP).

  • Ensure the ServiceNow instance URL is accessible from all domains.


2. Configure SSO in ServiceNow

Option 1: SAML-Based SSO

SAML is the most common method for SSO integration with multiple AD domains.

  1. Enable SSO in ServiceNow:

    • Navigate to System Definition > Plugins and ensure the Multi-Provider SSO plugin (com.glide.multi_provider_sso) is activated.

  2. Configure SAML:

    • Go to System Security > Single Sign-On > Properties.

    • Enable SAML 2.0 and configure the following:

      • ServiceNow Entity ID: Unique identifier for your ServiceNow instance.

      • ServiceNow Single Sign-On URL: https://<your-instance>.service-now.com/sso/saml.do

      • ServiceNow Logout URL: https://<your-instance>.service-now.com/logout.do

  3. Add Multiple Identity Providers (IdPs):

    • For each AD domain, add a new IdP configuration:

      • Navigate to System Security > Single Sign-On > Identity Providers.

      • Click New and provide the following:

        • Name: Name of the IdP (e.g., AD Domain 1).

        • Entity ID: Unique identifier for the IdP (from the metadata file).

        • Single Sign-On URL: IdP’s SSO URL (from the metadata file).

        • Certificate: Upload the IdP’s certificate (from the metadata file).

      • Repeat for each AD domain.

  4. Configure Attribute Mapping:

    • Map the user attributes (e.g., username, email) from each IdP to ServiceNow fields:

      • Navigate to System Security > Single Sign-On > Attribute Mapping.

      • Create a new mapping for each IdP.

  5. Test SSO:

    • Log in to ServiceNow using credentials from each AD domain to verify SSO works.


Option 2: OAuth-Based SSO

If your AD domains support OAuth (e.g., via Azure AD), you can use OAuth for SSO.

  1. Enable OAuth in ServiceNow:

    • Navigate to System OAuth > Application Registry.

    • Create a new OAuth provider for each AD domain.

  2. Configure OAuth for Each AD Domain:

    • For each AD domain, provide the following:

  3. Test OAuth:

    • Log in to ServiceNow using credentials from each AD domain to verify OAuth works.


3. Configure Multi-Provider SSO

If users from different domains need to log in simultaneously, configure Multi-Provider SSO:

  1. Enable Multi-Provider SSO:

    • Navigate to System Security > Single Sign-On > Properties.

    • Enable Multi-Provider SSO.

  2. Configure Login Pages:

    • Create a custom login page that allows users to select their domain:

      • Navigate to System UI > Pages.

      • Create a new page with buttons or links for each domain’s SSO login.

  3. Redirect to Domain-Specific IdP:

    • Use JavaScript or a custom widget to redirect users to the appropriate IdP based on their selection.


4. Additional Configuration

  1. User Provisioning:

    • Ensure users from all domains are provisioned in ServiceNow.

    • Use LDAP Integration or SCIM to sync users from each AD domain.

  2. Roles and Access Control:

    • Assign appropriate roles to users based on their domain or business unit.

    • Use Access Control Lists (ACLs) to restrict access as needed.

  3. Logging and Monitoring:

    • Enable Audit Logs to track SSO login attempts.

    • Use ServiceNow’s Security Operations module to monitor for suspicious activity.


5. Testing and Validation

  • Test SSO login for users from each AD domain.

  • Verify that users are redirected to the correct IdP and can log in successfully.

  • Ensure proper role assignments and access control.


6. Troubleshooting

  • SSO Failures:

    • Check the SSO Debug Logs in ServiceNow (System Security > Single Sign-On > Debug Logs).

    • Verify the IdP configuration (e.g., URLs, certificates).

  • User Provisioning Issues:

    • Check the LDAP/SCIM logs for errors.

    • Ensure user attributes are correctly mapped.
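
The domain-selection redirect in step 3 above ("Redirect to Domain-Specific IdP") is the part most likely to be written by hand, so here is an added example of the client-side logic, not code from the original post or from ServiceNow. It resolves the user's input (a bare domain, an e-mail address or a UPN) to one of the configured Identity Provider records through a fixed allowlist, then builds the login URL that starts SSO against that specific IdP (`/login_with_sso.do?glide_sso_id=<sys_id of the IdP record>`). The instance name, the three Business Unit domains and the sys_ids are hypothetical placeholders; in a real deployment read the sys_ids from the Identity Provider records created in step 3. Because only an allowlist key is derived from user input and only the matching sys_id ever reaches the URL, the page cannot be turned into an open redirect by a crafted query string.

```javascript
// Added example (not from the original post or from ServiceNow): resolve the
// user's domain to a configured Identity Provider and build the SSO login URL.
// Assumptions: the domains and sys_ids below are hypothetical placeholders;
// the real sys_ids come from System Security > Single Sign-On > Identity Providers.

// Constructed allowlist: AD/UPN domain -> sys_id of the Identity Provider record.
const IDP_BY_DOMAIN = Object.freeze({
  "bu1.example.com": "0a1b2c3d4e5f60718293a4b5c6d7e8f9",
  "bu2.example.com": "1b2c3d4e5f60718293a4b5c6d7e8f90a",
  "bu3.example.com": "2c3d4e5f60718293a4b5c6d7e8f90a1b",
});

// Take the domain part of a bare domain, an e-mail address or a UPN
// (user@domain), lower-cased and trimmed. Anything that is not a plain DNS
// name (slashes, query characters, empty input) yields null, so it can never
// be spliced into a URL.
function domainFromInput(raw) {
  if (typeof raw !== "string") return null;
  const s = raw.trim().toLowerCase();
  if (s === "") return null;
  const at = s.lastIndexOf("@");
  const domain = at === -1 ? s : s.slice(at + 1);
  return /^[a-z0-9][a-z0-9.-]*\.[a-z]{2,}$/.test(domain) ? domain : null;
}

// Build a relative login URL for the IdP that owns the user's domain.
// Returns null for unknown domains. The user input only selects an allowlist
// key; the value placed in the URL is the sys_id from the allowlist, which is
// additionally checked to be a 32-character hex sys_id.
function ssoLoginUrl(raw, idpByDomain = IDP_BY_DOMAIN) {
  const domain = domainFromInput(raw);
  if (domain === null) return null;
  if (!Object.prototype.hasOwnProperty.call(idpByDomain, domain)) return null;
  const sysId = idpByDomain[domain];
  if (typeof sysId !== "string" || !/^[0-9a-f]{32}$/.test(sysId)) return null;
  return "/login_with_sso.do?glide_sso_id=" + sysId;
}

// Browser hook for the custom login page (System UI > Pages): call this from
// the form's submit handler with the value of the domain/e-mail field.
// Returns false when the domain is not one of the configured Business Units,
// so the page can show a "domain not recognised" message instead of redirecting.
function redirectToIdp(raw) {
  const url = ssoLoginUrl(raw);
  if (url === null) return false;
  if (typeof window !== "undefined" && window.location) {
    window.location.assign(url);  // relative URL: stays on the current instance
  }
  return true;
}
```

Using a relative URL means the redirect always stays on the ServiceNow instance that served the page, so neither the instance name nor the IdP's own SSO URL is ever built from client-side input; the IdP endpoint is taken from the Identity Provider record on the server side once `login_with_sso.do` runs.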

Mansor2
Tera Contributor

This is helpful. Would you have a docs link from ServiceNow to add alongside my response? That would be helpful.