08-10-2015 05:00 PM
I have integrated our development instance with Okta using the Okta plugin, as documented here:
http://wiki.servicenow.com/index.php?title=OKTA_SSO_Integration
We have also enabled Integrated Windows Authentication in Okta, which means if a user is logged into our Windows domain they do not even have to enter their username and password. Their Windows session token is used to determine their identity.
It works great for basic SSO. I can click on the ServiceNow icon in the Okta desktop or use the application-specific SSO URL and be logged into ServiceNow automatically. If I go directly to [our-instance].service-now.com I get the standard ServiceNow login page, which includes a link to "Click here" to log in with Okta. Clicking on that link also logs me into ServiceNow.
I would like to eliminate the extra step of having to click on the "Click here" link and have it automatically redirect to Okta for authentication. We embed links to KB articles and surveys in email messages and we do not want users to have to click the Okta link on the login page, or worse, try and enter their username and password on the standard login page.
Is there any way to accomplish this?
Thanks,
Michael Mongeau
Stratus Technologies
08-21-2015 06:26 AM
The answer from ServiceNow Support is that automatic SSO with Okta cannot be done when using the plugin. You must configure the Okta integration manually using the SAML2 Single Sign-on module. Okta provides very clear setup instructions. After following the instructions, Support also had me do these steps.
In Okta:
On the General tab change the Login URL.
From: https://[instance-name].service-now.com/login.do?sys_action=sysverb_login&user_name=guest
To: https://[instance-name].service-now.com
In ServiceNow:
Search for Installation Exits in the navigator. Update these records.
OktaSingleSignOn -> set to inactive
SAML2Logout_update1 -> set to active
SAML2SingleSignon_update1 -> set to active
Disable the Okta plugin by navigating to 'SSO Provided by Okta, Inc' and unchecking 'Enable Okta external authentication'.
Michael
08-11-2015 03:18 AM
Hi Michael
Did you try to set the system property glide.authentication.external.disable_local_login to true?
- glide.authentication.external.disable_local_login - When set to true requires SSO credentials even for the main ServiceNow login page. Defaults to false. This property needs to be used in conjunction with the 'glide.authenticate.failed_requirement_redirect' property.
Taken from External Authentication (Single Sign-On - SSO) - ServiceNow Wiki
Be aware that after setting the property to true, the only way of bypassing SSO is to log in using the side_door.do page.
Thanks
Daniel
08-11-2015 06:39 AM
I set that property to 'true' and also set glide.authenticate.failed_requirement_redirect to the Okta application URL and it has no effect. I believe those properties only work if glide.authenticate.external = true, which is set when doing your own external SSO, such as digest token authentication. The Okta plugin uses a different set of properties that all begin with com.snc.sso.okta.
Michael
08-11-2015 08:24 AM
From your response I assume you use the OKTA plugin? I integrated SSO through OKTA without using the plugin.
08-11-2015 08:27 AM
Yes, I used the OKTA plugin.
Michael