ADFS vs Direct LDAPS

rpiekarski
Mega Contributor

‎02-20-2014 10:39 AM

We are currently configured to use direct LDAPS integration with Service-Now linked to our active directory. We are looking at moving to AD LDS/ADFS model.

 

What do we give up by moving this direction?

 

Aside from a more comfortable security model, what do we gain?

 

We have researched both but are unable to find a direct comparison of capabilities.

0 Helpfuls
  • 9,199 Views
12 REPLIES 12

Mark Laucus
Giga Guru
In response to rpiekarski

‎02-20-2014 03:47 PM

One thing we ran into is account creation.   Using LDAPS we could add an user record in ServiceNow just by a person logging in.   With ADFS we have to perform a scheduled directory synchronization to import the new user accounts.   It just affected some of our provisioning activities and I had to up how many time I perform directory synchronizations.


sherard
Mega Expert

‎04-21-2014 01:09 PM

Hi,



Just curious to the reasoning for switching to ADFS/LDS. Is it a corporate policy issue? more secure? Thanks.


Mark Laucus
Giga Guru
In response to sherard

‎04-22-2014 08:43 AM

In our case I think we were looking at the reduction of tools to manage.


minicj
Giga Contributor

‎05-06-2014 05:29 AM

Hi,



We currently use LDAPS to populate the user table and for authentication, and connect to multiple LDAP servers.



We would like to implement ADFS but only for use by a subset of users (based on country code of the user).   We also have CMS in use.



Is it possible to direct users to a different login screen depending on an attribute (eg country).   I'm envisaging the following setup:



- user A in country A logs in via LDAPS server 1


- user B in country B logs in via LDAPS server 2


- user C in country C logs in via ADFS


- user D in country D authenticates direct to SN



Ultimately we'd like to move all users to ADFS, but not in one go.   Is this feasible?



Also, would anyone be willing to share more information on their experiences of integrating with ADFS?



Many thanks in advance,



Katie


Mark Laucus
Giga Guru
In response to minicj

‎05-06-2014 09:05 AM

Katie,



Regarding your first question regarding login pages by country ,one option could be the URL that is provided for them to login is customized by country to open a specific login page.   I think the challenge is how would ServiceNow know the country that was authenticating unless there was an IP Address that could identify the area.



Regarding the ADFS and LDAPS at the same time, I think you can do it.   Each user record is linked to a specific LDAP server.   Create an additional LDAP server to your ADFS infrastructure and that might work for authentication.



Regarding ADFS,one of our issues is the use of SSO.   When we started to use ADFS the Chrome web browser was not supported SSO (A known security issue).   The other issue was that ADFS did not automatically create accounts on ServiceNow when the person logged in and they had to be created by a sync with the server.   We have been up for almost a year on ADFS and working well.



Mark