ADFS vs Direct LDAPS

rpiekarski
Mega Contributor

We are currently configured to use direct LDAPS integration with Service-Now linked to our active directory. We are looking at moving to AD LDS/ADFS model.


What do we give up by moving this direction?


Aside from a more comfortable security model, what do we gain?


We have researched both but are unable to find a direct comparison of capabilities.


All,


This has been a painful learning curve for us so I will share.


  • Service-Now is capable of leveraging multiple LDAP sources. We use this for the creation of the user record. To Mark's point about ADFS not creating the accounts - this can be addressed using the LDAP source and specifying the username as the unique identifier in the ADFS token.
  • With direct LDAP integration/authentication Service-Now can authenticate against multiple sources as long as they have unique user IDs. domain1\user1 and domain2\user1 are not considered unique IDs because Service-Now looks at the user name, not the UPN or logon name.
  • The current version (Calgary and Dublin) of Service-Now does not support multiple STS (Security Token Services - also referred to as SAML or ADFS).
  • Eureka will support multiple STS - Multiple Provider Single Sign-On - ServiceNow Wiki


We are in the process of solving this by engaging a third-party to provide the single token. We were reviewing SecureAuth for two factor authentication and found it was a good fit for this as well.


Robert
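The user-ID uniqueness constraint Robert describes is easy to verify before a migration. The script below is an added example, not code from this thread or from ServiceNow: it takes a constructed export of two LDAP sources and reports which sAMAccountName values would collide when the domain prefix is ignored, alongside the same data keyed by UPN for comparison.

```python
"""Pre-migration check: find user_name collisions across LDAP sources.

Added example with constructed sample data; not a real directory export.
"""
from collections import defaultdict

# Constructed sample records: (ldap_source, sAMAccountName, userPrincipalName)
SAMPLE_USERS = [
    ("domain1", "user1", "user1@domain1.example"),
    ("domain1", "jsmith", "jsmith@domain1.example"),
    ("domain2", "user1", "user1@domain2.example"),
    ("domain2", "mlee", "mlee@domain2.example"),
]


def find_collisions(users, key="sam"):
    """Group records by the identifier the platform would treat as user_name.

    key="sam" mimics username-based matching, where the domain prefix is
    ignored and domain1\\user1 and domain2\\user1 become the same user.
    key="upn" keys the same records by UPN, which carries the domain.
    Returns {identifier: [sources...]} for identifiers seen in more than one source.
    """
    seen = defaultdict(list)
    for source, sam, upn in users:
        ident = sam.lower() if key == "sam" else upn.lower()
        seen[ident].append(source)
    return {ident: srcs for ident, srcs in seen.items() if len(srcs) > 1}


def migration_is_safe(users):
    """True only if no username is shared across sources."""
    return not find_collisions(users, key="sam")


if __name__ == "__main__":
    for ident, srcs in find_collisions(SAMPLE_USERS).items():
        print(f"user_name collision: {ident!r} exists in {srcs}")
    print("safe to consolidate:", migration_is_safe(SAMPLE_USERS))
```

Run it against a real export (one row per account, per source) before pointing more than one LDAP source or STS at the same instance; any row it prints is an account that would be merged or rejected.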


Davina
Giga Contributor

Hi Katie,



I would like to highlight some issues with the CMS/ADFS part.



I have recently implemented a CMS with ADFS as an SSO product and ran into several issues around login rules and redirection to the homepage.



I found this article extremely helpful http://www.john-james-andersen.com/blog/service-now/add-role-based-home-pages-with-saml-2-0-in-servi...



However, users without a role were no longer redirected to the CMS and were instead taken to the standard view of the CMS. As a workaround we gave all non-process users the 'public' role, and this has worked for now; however, I am seeking a better solution for this.



Hope this helps!


ankitsaharavat
Kilo Contributor

Hi Robert,



Integration between ServiceNow and LDAP is possible using Informatica Cloud. For more info on ServiceNow Connector, please visit- http://www.servicenowconnector.com


For any further query, please reach us at info(at)mansasys(dot)com



Thanks,


Ankit