Impersonate a user via API?
09-12-2014 09:03 AM
Hello all,
I want to write an integration with ServiceNow for a third party webapp. They want to display the tickets of the actual user (same username here and there, auth via LDAP) in the third party webapp.
The way I imagined this is that I either do a full OAuth2 handshake and then pull the information with these credentials OR that I get some admin credentials in some middleware server and then try to impersonate the user in question to get the information.
But I could not find information on whether ServiceNow supports OAuth2 (as a provider) and/or whether the API allows the impersonation of a different user.
Is there really only the possibility to authenticate via the API with Basic Auth, forcing me to gather a password?
Bye, Nils Drews

09-12-2014 09:24 AM
Basic Auth and/or WS-Security are the two OOB ways to authenticate to a web service API in ServiceNow. If you'd like to create an additional way, you can create a new script include called [YourName]Auth and then reference the new name in the HTTP authentication header. The simplest way would be to look at the BasicAuth (or CustomAuth) script include to see how you'd get started.
09-12-2014 09:30 AM
I'm not (yet) familiar with ws-security, but that does not allow impersonation of another user (given I have admin creds)?
Adding a new auth script ... phew, I was hoping to keep the coding end to my side and use OOTB ways for the ServiceNow parts. If needed we can pursue that for sure.

09-12-2014 12:54 PM
This may take you deeper than you wish to go (WS-Security is not really simple) but here is some documentation: Web Services Security - ServiceNow Wiki. You can specify which user you'd like to authenticate as once the certificate is validated.
09-15-2014 07:14 AM
Sorry, my brain starts hurting. You warned me that the rabbit hole is deep ...
From what I have read up to now, you need to provide a fixed username to impersonate once you have authenticated with WS-Security!? So either I authenticate with MY credentials (x509 or basic auth) and then get impersonated as a fixed user or I authenticate with the certificate and then use the supplied username/password to re-authenticate (somehow this does not make sense as I need a password?)?
Or can I supply a certificate which then gets validated and also pass on a username token without password which then gets used to impersonate that user (if I'm allowed to do that)? Then what does this here mean:
"The password value in the incoming Username Token is used to authenticate the request."
Somehow this feels like a many-to-one mapping with regard to impersonation: lots of users can use the API and be known to the system as a fixed user ("ITIL user" in the examples) rather than what I need: one set of credentials and then impersonate many users ...
Please can you set me straight here if I am right or show me a way I could get, for example, the tickets of a certain user without forcing him to re-authenticate every time? OAuth2 comes to my mind for this ... but this is not (yet?) supported I think?
Bye, Nils