Logan Poynter
Mega Sage

This is a 4 part series

  1. Setting Up Our Test Azure & ServiceNow Accounts
  2. Preparing our ServiceNow Personal Developer Instance
  3. Adding ServiceNow Enterprise Application & Initial Setup
  4. Configure Azure SSO & Provisioning (this article)

We’ve reached the end, and this is where the magic happens. So far we’ve prepared our ServiceNow instance and configured Azure for the users and groups that we want provisioned; all that is left is to connect the two systems together!

To start, make sure you’re in your Azure tenant and go to Single Sign-On in the left sidebar. You’ll be met with three options; choose SAML.


Now click on Edit to the right of step one and populate the corresponding values as I have them outlined below and click Save.

Note: Make sure to replace <instancename> with your respective PDI instance name.

  • Identifier (Entity ID): https://<instancename>.service-now.com
  • Reply URL: https://<instancename>.service-now.com/navpage.do
  • Sign on URL: https://<instancename>.service-now.com/navpage.do
  • Logout URL: https://<instancename>.service-now.com/navpage.do


Next, scroll to step 4 and choose “View step-by-step instructions”. You’ll see that this process can now be configured automatically rather than manually as shown in the Microsoft documentation. This is where the user account for the Azure integration that we created in step 2 comes into play. Enter your instance name (it should auto-populate for you) and the username and password for your integration user, ensure “Make this the default identity provider for ServiceNow” is checked, and click Configure Now. After a moment, you’ll see a success message.


Note: If you receive an error, make sure you granted the admin role to the integration user you are using.

The final step is to turn provisioning on. To do this, choose Provisioning from the left sidebar within Azure and choose Get started.


Provisioning Mode will be Automatic, and once more you’ll be prompted for your admin integration user credentials. Input your credentials, click Test to ensure they are accepted, and then click Save. Next, refresh your screen and you’ll see Provisioning Status, which is set to Off. Toggle this on and click Save.


For the sake of this tutorial I am not going to be covering mappings, but I will be making a follow up going into detail on this aspect of the integration.

Now that provisioning is turned on, return to the Provisioning screen and click Start provisioning.


Once you do so, depending on the number of groups and users you provision, you may see this complete instantly (as in my case with 1 group and 4 users). I’ve seen it take about an hour for larger enterprises.

At this point, you can go to your instance and log in with SSO using one of the users you provisioned. You may notice that it does not automatically go to the SSO login - this is normal. To change this, go to the Microsoft Azure Federated Single Sign-on for MSFT Identity Provider under Multi-Provider SSO > Identity Provider and click the “Set as Auto Redirect IdP” related link.


At this point, you’re finished! Pat yourself on the back! Azure automatic provisioning runs every 40 minutes for subsequent cycles, so any changes you make now - adding new users or groups, changing a user’s properties - will update in the ServiceNow environment on the next cycle.


If you have any questions, don't hesitate to comment, reach out directly, or connect with me on LinkedIn and I'll be happy to help! 

Comments

Tobi3
Tera Contributor

Thanks for sharing!
How do you manage group provisioning for multiple instances (dev, qa, prod)?

The created groups in ServiceNow have different sys_ids across the different instances. 

This results in transported notifications, workflows etc. referencing the wrong (or nonexistent) group.

Logan Poynter
Mega Sage

@Tobi3 You would provision the groups to Production and then clone down over your lower instances. 

Matt Forder
Tera Expert

@Logan Poynter - thanks for posting this series of articles - very useful! Just following on from this quote from your post:

"For the sake of this tutorial I am not going to be covering mappings, but I will be making a follow up going into detail on this aspect of the integration."

Have you published the follow-up re: mappings and if so could you provide a link to it?

amit_kishore
Tera Contributor

@Logan Poynter, this is a nice article, and I have followed the same steps to configure the SSO and User Provisioning. However, I am stuck with one attribute where I need VIP data from Azure AD in ServiceNow.

Since this is not core in Azure AD, we have created one custom variable and are passing these values to ServiceNow.

The challenge we have is that we are receiving these VIP values (true/false) as type = "String" from Azure AD in ServiceNow, though the VIP field is type = "Boolean" (with value true/false) in ServiceNow. Due to this, ServiceNow is not picking up the values of VIP (coming from Azure AD to ServiceNow) despite the transform field mapping.

On this, we need your guidance.

 

Regards,

Amit
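The type mismatch described in the comment above (a Boolean field fed a "true"/"false" string) is a common provisioning failure mode. The following is an added example, not the article author's or ServiceNow's code: a small normaliser that a field-level transform script could call before writing to a Boolean field such as `sys_user.vip`. The source column name `u_vip`, the accepted spellings and the sample rows are constructed assumptions.

```javascript
// Added example (not the article author's code): normalise a boolean-like
// attribute that arrives from Azure AD as a string before it is written to a
// ServiceNow Boolean field. Assumptions: the custom Azure attribute lands in a
// source column called u_vip, and the accepted spellings below are a
// deliberately strict, constructed list.

var TRUE_VALUES = ['true', '1', 'yes'];
var FALSE_VALUES = ['false', '0', 'no'];

// Returns true/false for a recognised value, or null when the input is not a
// boolean-like string. Returning null lets the caller skip the field instead
// of silently clearing a VIP flag that an admin set by hand.
function toBoolean(value) {
  if (typeof value === 'boolean') { return value; }
  if (value === null || value === undefined) { return null; }
  var s = String(value).trim().toLowerCase();
  if (TRUE_VALUES.indexOf(s) !== -1) { return true; }
  if (FALSE_VALUES.indexOf(s) !== -1) { return false; }
  return null;
}

// Mimics a field-level transform: copies the existing target record and only
// overwrites vip when the source value parsed cleanly.
function mapVipField(sourceRow, targetRow) {
  var parsed = toBoolean(sourceRow.u_vip);
  var result = {};
  for (var k in targetRow) { result[k] = targetRow[k]; }
  if (parsed !== null) { result.vip = parsed; }
  return result;
}

// Constructed sample rows: the provisioning payload vs. the existing sys_user.
var SAMPLE_ROWS = [
  { source: { user_name: 'alice', u_vip: 'True' },  target: { user_name: 'alice', vip: false } },
  { source: { user_name: 'bob',   u_vip: 'false' }, target: { user_name: 'bob',   vip: true } },
  { source: { user_name: 'carol', u_vip: 'N/A' },   target: { user_name: 'carol', vip: true } }
];

function runSample() {
  return SAMPLE_ROWS.map(function (r) { return mapVipField(r.source, r.target); });
}

// In a ServiceNow transform map field script the equivalent would be
// `answer = toBoolean(source.u_vip);`, skipping the field when it is null.
```

Note that the unparseable value for `carol` leaves her existing VIP flag untouched rather than defaulting it to false.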

Version history
Last update:
11-15-2022 05:48 PM