04-08-2015 05:50 AM
We just upgraded from ServiceNow Express to ServiceNow Enterprise. Currently we are using OKTA to populate our users in the ServiceNow Database. This also allows for signing in with their current AD Credentials. I see this as 2 pieces though. We need to get rid of OKTA because I need to get more attributes from AD and OKTA only supports very few. In looking through all of the documentation it appears LDAPS is the most secure way if I am able to get a range of Instance IP addresses in order to populate our firewall. (Current Ticket in HI for this). However my Network Admins are saying we only need to do SSO via SAML. My confusion lies in that I agree this will log them in, but will this push all of the attributes that I want into the ServiceNow Database, or do I need 2 separate methods (LDAP and SSO)? I see SSO as never having to officially login, whereas with OKTA they need to login once and then their Username and Password are cached (if you will). Maybe this changes with LDAP only, but I am not sure.
Message was edited by: Rick Burke
05-18-2015 09:55 PM
When you implement LDAP, you will be creating a transform map, and in this mapping you will have to decide what field you want to reconcile on. As long as the field coming from LDAP reconciles with the field value that came in with Okta for the same field, then LDAP will augment the data that already exists; otherwise it will or could create duplicates. You can create a very specific filter in your OU definition in your LDAP configuration to at first bring in a very select list of users vs. all the users on the first go-around, to see how the reconciliation is working.
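A dry-run of the reconcile step described above, added here as an illustration and not taken from the thread or from ServiceNow's own import code. The sample Okta-created records, the LDAP entries, the attribute-to-column mapping and the normalize hook are all constructed assumptions; the point is to see which entries would augment an existing user and which would land as new (possibly duplicate) records before running the real import.

```javascript
// Constructed sample data: sys_user records already created by the Okta feed.
const existingUsers = [
  { sys_id: "u1", user_name: "rburke", email: "rick.burke@example.com", department: "" },
  { sys_id: "u2", user_name: "tsmith", email: "t.smith@example.com", department: "" },
];

// Constructed sample LDAP entries, as a narrowly filtered OU import might return them.
const ldapEntries = [
  { sAMAccountName: "rburke", mail: "rick.burke@example.com", department: "Finance", telephoneNumber: "555-0100" },
  { sAMAccountName: "TSmith", mail: "t.smith@example.com", department: "IT", telephoneNumber: "555-0101" },
  { sAMAccountName: "jdoe", mail: "j.doe@example.com", department: "HR", telephoneNumber: "555-0102" },
];

// Assumed LDAP attribute -> sys_user column mapping (stands in for the transform map's field maps).
const fieldMap = { sAMAccountName: "user_name", mail: "email", department: "department", telephoneNumber: "phone" };

// Dry-run of the coalesce step: match each LDAP entry to an existing record on one column.
// A hit means LDAP augments that record; a miss means the import would insert a new user,
// which is a duplicate whenever the person is really already there under a different value.
function reconcile(existing, entries, coalesceColumn, normalize = (v) => v) {
  const ldapAttr = Object.keys(fieldMap).find((k) => fieldMap[k] === coalesceColumn);
  const result = { augmented: [], wouldInsert: [] };
  for (const entry of entries) {
    const key = normalize(entry[ldapAttr]);
    const match = existing.find((u) => normalize(u[coalesceColumn]) === key);
    if (!match) {
      result.wouldInsert.push(entry[ldapAttr]);
      continue;
    }
    // Only fill columns the Okta record left empty; never overwrite a populated value with LDAP's.
    const updates = {};
    for (const [attr, col] of Object.entries(fieldMap)) {
      if (entry[attr] && !match[col]) updates[col] = entry[attr];
    }
    result.augmented.push({ sys_id: match.sys_id, updates });
  }
  return result;
}

// Exact-value coalesce: "TSmith" does not equal "tsmith", so that user would be duplicated.
const exact = reconcile(existingUsers, ldapEntries, "user_name");
// Same run with both sides lower-cased: only the genuinely new user is an insert.
const lowered = reconcile(existingUsers, ldapEntries, "user_name", (v) => String(v).toLowerCase());
console.log(exact.wouldInsert, lowered.wouldInsert);
```

Running the same comparison against a small filtered OU, as the answer suggests, tells you whether the coalesce field lines up with what Okta wrote before any record is touched.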
04-08-2015 07:28 AM
SAML could be adequate for the login; however, your base requirement is stating that you need more data, which to me really lends itself to a need for something more robust. Also it's common that you want to have a user record populated even though the user hasn't ever logged into Service Now, and SAML doesn't address that in any way. The most common way to approach this is through the LDAP integration as you've suggested. However, there are other approaches that could be used if your team is not comfortable with LDAP. LDAP is going to be the easiest to implement (not saying it's easy, just the easiest) but you could also do a web services integration or even file-based. Again, not saying they're all good, but those are some of your options.
Personally, I'd stick to the LDAP integration, it's tried & true and should meet all of your requirements.
-tim
04-18-2015 11:50 AM
Hi Rick,
Do you have any outstanding questions?
I see you have some advice from Tim, and by now I expect you have the instance source IP addresses supplied by ServiceNow.
Best Regards
Tony
04-20-2015 05:59 AM
We did receive the source IP Addresses from HI and I have tested this connectivity in my Dev environment, but because all of our users are already inside the database (through OKTA), will the LDAP simply pick up where OKTA leaves off, or am I going to have to flush the database of all user records before I implement LDAP? Is there a good way to test without wiping out the users?