Automatic redirect to Okta for SSO

mmongeau
Giga Guru

I have integrated our development instance with Okta using the Okta plugin, as documented here:

        http://wiki.servicenow.com/index.php?title=OKTA_SSO_Integration

We have also enabled Integrated Windows Authentication in Okta, which means if a user is logged into our Windows domain they do not even have to enter their username and password. Their Windows session token is used to determine their identity.

It works great for basic SSO. I can click on the ServiceNow icon in the Okta desktop or use the application-specific SSO URL and be logged into ServiceNow automatically. If I go directly to [our-instance].service-now.com I get the standard ServiceNow login page, which includes a link to "Click here" to login with Okta. Clicking on that link also logs me into ServiceNow.

I would like to eliminate the extra step of having to click on the "Click here" link and have it automatically redirect to Okta for authentication. We embed links to KB articles and surveys in email messages and we do not want users to have to click the Okta link on the login page, or worse, try and enter their username and password on the standard login page.

Is there any way to accomplish this?

Thanks,

Michael Mongeau
Stratus Technologies

1 ACCEPTED SOLUTION

mmongeau
Giga Guru

The answer from ServiceNow Support is that automatic SSO with Okta cannot be done when using the plugin. You must configure the Okta integration manually using the SAML2 Single Sign-on module. Okta provides very clear setup instructions. After following the instructions Support also had me do these steps.

In Okta:

On the General tab change the Login URL.

    From: https://[instance-name].service-now.com/login.do?sys_action=sysverb_login&user_name=guest
    To:   https://[instance-name].service-now.com

In ServiceNow:

Search for Installation Exits in the navigator. Update these records.

    OktaSingleSignOn -> set to inactive
    SAML2Logout_update1 -> set to active
    SAML2SingleSignon_update1 -> set to active

Disable the Okta plugin by navigating to 'SSO Provided by Okta, Inc' and unchecking 'Enable Okta external authentication'.

Michael



7 REPLIES



JasonHamlin
Kilo Explorer

We were having the same issue after turning on the Okta plugin. What I did notice is that the new Okta "Click here" section retained any context from the URLs the user clicked to take them to ServiceNow and passed that on (for example still taking me to the Incident that I had originally wanted to get to from a link in an email). To get this to work in all scenarios I just took the URL in the Okta section and added it to one of the instructional Welcome Page Content HTML sections.



I first copied the URL from the Okta "Click here" section of the ServiceNow login page. Then I went to Welcome Page Content, selected an active piece of the welcome content (I chose How to Login) and then in the Text HTML section clicked to view Source. Then enter this piece of HTML after any instructional text you have:



<script>
  // Send the browser to the Okta link copied from the "Click here" section of the login page
  window.location = "URL FROM OKTA CLICK HERE LINK ON LOGIN PAGE";
</script>



Click Update to save the script with the instructional text. Once you are done and any user lands on the Login page, they will automatically be authenticated with Okta and then redirected back to ServiceNow and taken to the original item they had selected (Approval, Incident, Request, Task, etc.). Working great so far for us.


Erik Stolberg
Tera Guru

In Fuji (and maybe Eureka) all JavaScript tags are stripped from HTML fields upon save, so the above option would not work going forward as far as I know.



This solution worked: How to switch the external login page in ServiceNow


Make sure the property 'glide.authenticate.sso.redirect.idp' has the sys_id of the IdP you want to use as the value. Any requests into ServiceNow will auto-redirect to your IdP login page.
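Whichever of the approaches in this thread is used, the result can be verified by requesting the instance without a session and checking that the reply is a SAML redirect to the IdP (with the deep link carried in RelayState) rather than the local login form. This is an added example, not code from the thread, ServiceNow or Okta; the Okta hostname, the instance name and the AuthnRequest contents used as sample data are constructed assumptions.

```python
import base64
import urllib.error
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
import zlib

SAMLP = "{urn:oasis:names:tc:SAML:2.0:protocol}"
SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"

def encode_saml_request(authn_request_xml: bytes) -> str:
    # HTTP-Redirect binding: raw DEFLATE (no zlib header), then base64.
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(authn_request_xml) + comp.flush()).decode()

def make_location(idp_sso_url: str, authn_request_xml: bytes, relay_state: str) -> str:
    # Build the kind of Location header the instance sends; used for constructed sample data.
    query = {"SAMLRequest": encode_saml_request(authn_request_xml), "RelayState": relay_state}
    return idp_sso_url + "?" + urllib.parse.urlencode(query)

def inspect_redirect(location: str) -> dict:
    # Recover IdP host, RelayState (the deep link to return to) and AuthnRequest fields.
    parts = urllib.parse.urlsplit(location)
    query = urllib.parse.parse_qs(parts.query)
    if "SAMLRequest" not in query:
        return {"idp_host": parts.hostname, "saml": False, "relay_state": None}
    root = ET.fromstring(zlib.decompress(base64.b64decode(query["SAMLRequest"][0]), -15))
    return {"idp_host": parts.hostname, "saml": root.tag == SAMLP + "AuthnRequest",
            "relay_state": query.get("RelayState", [None])[0],
            "acs_url": root.get("AssertionConsumerServiceURL"),
            "issuer": root.findtext(SAML + "Issuer")}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # surface the 302 as an HTTPError instead of following it

def check_instance(url: str, expected_idp_host: str) -> dict:
    # A 200 means the local login form was served, i.e. auto-redirect is not in effect.
    try:
        resp = urllib.request.build_opener(_NoRedirect).open(url, timeout=10)
        return {"ok": False, "reason": "local login page served (HTTP %d)" % resp.status}
    except urllib.error.HTTPError as err:
        if err.code not in (302, 303):
            return {"ok": False, "reason": "HTTP %d" % err.code}
        info = inspect_redirect(err.headers["Location"])
        info["ok"] = bool(info["saml"]) and info["idp_host"] == expected_idp_host
        return info
```

Run `check_instance("https://[instance-name].service-now.com/incident.do?sys_id=...", "your-org.okta.com")` against a live instance; an instance that redirects with client-side script instead of a 302 is reported as serving the local login page and needs its response body inspected instead.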