External Authentication
‎02-17-2016 10:35 AM
There is some discussion in our organization about using External Authentication to allow users outside of the Organization (Vendors, Outside agencies, etc.) to access ServiceNow and request access to various clinical applications via application access forms published in the Service Catalog, including having PHI protections in place.
The organization currently has LDAP configured with ServiceNow.
What method would be used to allow external users to auto-authenticate to ServiceNow when the user is not in Active Directory and therefore not pulled from LDAP?
Thank you,
‎02-17-2016 10:50 AM
You'd probably want to start here: Multiple Provider Single Sign-On - ServiceNow Wiki
But you'll still need to determine what Identity Providers you trust; how you will manage the external identity lifecycle (provisioning, deprovisioning, support); how you will grant roles/handle authorization for these identities; etc. Enabling the authentication is likely going to be the easy part of all of this.
‎02-17-2016 11:13 AM
Thanks for the information, Walter. I'm a real novice on the topic, so I have a few more questions if you don't mind:
We have an existing SSO application (Imprivata). My understanding of how it works is that it captures the login screen of an application. When a user loads the screen, Imprivata loads the user's credentials to allow access to the app.
- Since we already use an SSO application (Imprivata), could the external vendors or outside agency users just be added to our existing SSO application and authenticate to ServiceNow that way (assuming that we have already created a ServiceNow user account for them)?
- If we add the external users to our existing SSO application, would there be any further ServiceNow configuration steps needed?
- Is there an option to use ServiceNow SSO to manage the external vendors and outside agency users separately from our SSO application (Imprivata)?
‎02-18-2016 01:47 AM
Mike - I apologize but I'm going to answer your questions with 'yes, but..' to 1 and 3 and the answer to 2 is 'maybe not, but..'.
The difficulty is the "but.." part which I don't feel can be adequately answered with a forum post and without discussions with your Identity Management team and/or the SSO vendor.
From a ServiceNow admin role, I'd go back and look at how my users and groups are currently being sync'd / imported from LDAP. I'd see what roles I'm using and how I'd want to map external users to roles and groups and with that data, I'd go to my Identity Team and see what their recommendations are and what other applications in my org are doing. You may also want to verify that the SSO agent is just supplying a username/password vs using SAML assertions from a central web based Identity Provider (IdP). If the SSO isn't using SAML, you may also want to understand how the user's password is updated when that password gets changed.
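The checks Walter lists (which IdPs you trust, whether the SSO agent really delivers SAML assertions, and how external identities map to roles and groups) can be sketched in code. The following is an added example, not part of this thread or of ServiceNow's own SAML implementation: the assertion XML, the issuer allowlist, the audience URL and the role map are all constructed for illustration, and XML signature verification (mandatory before any of these fields can be trusted) is deliberately left as a placeholder comment.

```python
"""Evaluate a SAML 2.0 assertion from an external IdP before mapping it to roles.

Added example, not ServiceNow code. The assertion below is constructed, the
issuer allowlist / audience / role map are hypothetical, and a real
deployment verifies the XML signature against the IdP certificate first.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET  # use defusedxml for untrusted input in production

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion from a hypothetical vendor IdP.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1" Version="2.0" IssueInstant="2016-02-18T09:00:00Z">
  <saml:Issuer>https://idp.vendor.example/saml</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jane.doe@vendor.example</saml:NameID>
  </saml:Subject>
  <saml:Conditions NotBefore="2016-02-18T08:55:00Z" NotOnOrAfter="2016-02-18T09:05:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://hospital.service-now.example</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="groups">
      <saml:AttributeValue>vendor-radiology</saml:AttributeValue>
      <saml:AttributeValue>vendor-all</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical trust configuration: only assertions from these IdPs, and only
# those addressed to our instance, are ever considered.
TRUSTED_ISSUERS = {"https://idp.vendor.example/saml"}
EXPECTED_AUDIENCE = "https://hospital.service-now.example"

# Hypothetical mapping from IdP group values to ServiceNow roles / groups.
# Unknown group values map to nothing, so a new IdP group grants no access
# until someone deliberately adds it here.
ROLE_MAP = {
    "vendor-radiology": {"catalog_requester", "grp:Radiology Vendors"},
    "vendor-all": {"catalog_requester"},
}


def _ts(value):
    """Parse a SAML UTC timestamp such as 2016-02-18T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_assertion(xml_text):
    """Pull the fields an SP must check out of the assertion."""
    # Placeholder: verify ds:Signature against the IdP certificate here.
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    groups = [
        v.text
        for v in root.findall(
            "saml:AttributeStatement/saml:Attribute[@Name='groups']/saml:AttributeValue", NS
        )
    ]
    return {
        "issuer": root.findtext("saml:Issuer", namespaces=NS),
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "not_before": _ts(conditions.get("NotBefore")),
        "not_on_or_after": _ts(conditions.get("NotOnOrAfter")),
        "audience": conditions.findtext(
            "saml:AudienceRestriction/saml:Audience", namespaces=NS
        ),
        "groups": groups,
    }


def evaluate_assertion(a, now_iso, trusted_issuers=TRUSTED_ISSUERS,
                       audience=EXPECTED_AUDIENCE):
    """Return (accepted, reason). Order: trust the issuer, then the audience,
    then the validity window; reject on the first failure."""
    now = _ts(now_iso)
    if a["issuer"] not in trusted_issuers:
        return False, "untrusted issuer"
    if a["audience"] != audience:
        return False, "audience mismatch"
    if not (a["not_before"] <= now < a["not_on_or_after"]):
        return False, "outside validity window"
    return True, "ok"


def map_roles(groups, role_map=ROLE_MAP):
    """Translate IdP group values into the ServiceNow roles/groups to grant."""
    roles = set()
    for g in groups:
        roles |= role_map.get(g, set())
    return roles


if __name__ == "__main__":
    parsed = parse_assertion(SAMPLE_ASSERTION)
    now = datetime(2016, 2, 18, 9, 0, tzinfo=timezone.utc).isoformat()
    accepted, reason = evaluate_assertion(parsed, now)
    print(parsed["name_id"], accepted, reason, sorted(map_roles(parsed["groups"])))
```

The point of keeping `ROLE_MAP` explicit and defaulting unknown groups to an empty set is the lifecycle question Walter raises: an external user's access is then entirely determined by what the trusted IdP asserts and what the admin has chosen to map, so deprovisioning at the IdP or removing a map entry revokes access without touching individual ServiceNow records.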
‎02-18-2016 06:53 AM
Thanks Walter. I did speak with our SSO admin about the points that you outlined. Sounds like Imprivata would not be a good option. It's looking like we may just end up creating accounts for the users in the ServiceNow sys_user table. We would just need to determine and apply the roles necessary based on user needs and figure out a way to manage changes to the external users. Thanks for your input. Appreciate it.
Thanks Walter. I did speak with our SSO admin about the points that you outlined. Sounds like Imprivata would not be a good option. its looking like we may just end up creating accounts for the users in the ServiceNow sys_user table. We would just need to determine and apply the roles necessary based on user needs and figure out a way to manage changes to the external users. Thanks for you input. Appreciate it.