ADFS vs Direct LDAPS

rpiekarski
Mega Contributor

‎02-20-2014 10:39 AM

We are currently configured to use direct LDAPS integration with Service-Now linked to our active directory. We are looking at moving to AD LDS/ADFS model.

 

What do we give up by moving this direction?

 

Aside from a more comfortable security model, what do we gain?

 

We have researched both but are unable to find a direct comparison of capabilities.

0 Helpfuls
  • 9,374 Views
12 REPLIES 12

Community Alums
Not applicable

‎02-20-2014 12:05 PM

Well I think there are really two different things you have to think about.



1) How you are going to populate your user data


2) How you are going to handle authentication



OOB the LDAP/LDAPS connection handles both 1 and 2. Assuming you're on AD, SN's integration runs a scheduled import of all users in the specified containers/OUs and a listener for newly updated users as well as checking the entered password against what the AD server is holding.



The only thing you will be able to use the ADFS integration for is authentication. It interfaces with the Servicenow SAML 2.0 plugin to allow SSO with your AD user and Service-now instance. As far as I'm aware Service-now has no way to utilize ADFS to import users OOB. If you want to transition off an LDAPS integration for the import, you can always use a MID server to bring the user data (assuming you're on Dublin) or another method (ftp, sftp, et al) to grab flat files for the import data.



Configuring ADFS 2.0 to Communicate with SAML 2.0 - ServiceNow Wiki



Someone can correct me if I'm wrong, but there shouldn't be anything stopping you from using both at the same time as I believe the SAML plugin authentication attempt would supersede the LDAPS authentication attempt.


rpiekarski
Mega Contributor
In response to Community Alums

‎02-20-2014 12:54 PM

Correct, we currently use the AD integration to do both and will be moving to a ADFS for the authentication piece. User data will continue to come from AD until we put in some type of metadirectory. The question is; are there inherent capabilities in Service-Now that we will give up following this model?



I have found references to password resets, discovery, and workflows that may be impacted but nothing definitive.


Community Alums
Not applicable
In response to rpiekarski

‎02-20-2014 01:15 PM

The workflow and password reset stuff is likely related to Orchestration. Not really sure what the LDAP connection would do in relation to Discovery other than let discovery populated fields like 'assigned to' on CIs with LDAP populated records. As long as you're still pulling in the user data, I don't think you're missing anything.


rpiekarski
Mega Contributor
In response to Community Alums

‎02-20-2014 02:40 PM

Thanks