Fu
ServiceNow Employee
Multi-provider SSO
 
The ServiceNow product documentation gives an overview of multi-provider SSO, but it does not walk through integrating a specific identity provider. In this article you will learn, step by step, how to set up SAML SSO between Azure Active Directory and your ServiceNow instance.
 
 
Prerequisites
  • Have the admin role on your ServiceNow instance
  • Have a Microsoft Azure account. If you do not have one, go to https://azure.microsoft.com/ and create a free account.

 

Step 1 - ServiceNow Multi-Provider SSO setup
  1. On your ServiceNow instance, navigate to Plugins
  2. Search for Integration - Multiple Provider Single Sign-On Enhanced UI and activate it.




  3. Navigate to Multi-Provider SSO->Administration->Properties and toggle Enable multiple provider SSO to Yes 




Step 2 - Configure Azure Active Directory
  1. From Azure services, click Azure Active Directory
  2. In the side menu, click Enterprise applications, then click New application
  3. Search for ServiceNow and add it
  4. Once the application is created, open it and select Set up single sign on




  5. Select SAML
  6. On Basic SAML Configuration, perform the following: 
  7. On User Attributes & Claims, the Unique User Identifier (Name ID) claim has a default value of user.userprincipalname. Change it to user.mail




  8. On Set up ServiceNow (step 4), click View step-by-step instructions, provide admin credentials, and click Configure Now. Azure creates a new identity provider on your instance named Microsoft Azure Federated Single Sign-on for Default Directory.
  9. Create a new user in Azure and map it to a user on your ServiceNow instance. In Azure Active Directory, click Users, then New user. Create a user named David Loo. After the user is created, edit the user and add david.loo@example.com under Contact info > Email.
    David Loo is a demo user in ServiceNow with the email david.loo@example.com. After Azure authenticates the user, ServiceNow takes the NameID from the SAML assertion (which now carries the user.mail value) and matches it against the email field of the user record to decide which account to log in. This is why the Unique User Identifier claim was changed to user.mail in step 2.7. Because the Azure mail attribute decides which ServiceNow account a person lands in, make sure that attribute can only be set by directory administrators and that email addresses are unique across your ServiceNow users.




  10. After the user is created, go to Default Directory > Enterprise applications and select ServiceNow. On Users and groups, click Add user/group and add David Loo from the user list.
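The following script is an added example written for this article; it is not ServiceNow or Microsoft code. It shows what the user.mail change in step 2.7 actually does on the receiving side: the NameID in the SAML assertion is compared with the user record's email field, so a UPN such as david.loo@contoso.onmicrosoft.com matches nothing while david.loo@example.com finds the demo user. The SAML Response and the user rows are constructed, and the rules that a duplicate email or an inactive account are treated as a failed login are assumptions chosen here to expose those failure modes, not a description of the product's exact logic.

```python
"""Resolve the NameID in an Azure AD SAML assertion to one ServiceNow user.

Added example for this article, not ServiceNow or Microsoft code. The SAML
Response and the sys_user rows are constructed. The matching rule models the
default behaviour of comparing the assertion's NameID with the field named in
the identity provider record's "User Field" (email by default); rejecting
duplicate matches and inactive users is an assumption made here.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sys_user rows. "shared@example.com" is deliberately duplicated
# and "gone" is deliberately inactive to exercise the rejection paths.
SYS_USER = [
    {"user_name": "david.loo", "email": "david.loo@example.com", "active": True},
    {"user_name": "abel.tuter", "email": "abel.tuter@example.com", "active": True},
    {"user_name": "gone", "email": "gone@example.com", "active": False},
    {"user_name": "shared.a", "email": "shared@example.com", "active": True},
    {"user_name": "shared.b", "email": "shared@example.com", "active": True},
]


def saml_response(name_id):
    """Build a minimal SAML Response carrying name_id as the subject.

    Constructed and unsigned: a real response is signed by Azure AD and the
    signature must be verified (that is what the X.509 certificate on the
    identity provider record is for) before the NameID is trusted at all.
    """
    return (
        '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
        'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_r1">'
        '<saml:Assertion Version="2.0" ID="_a1">'
        '<saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>'
        '<saml:Subject>'
        '<saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">'
        + escape(name_id) +
        '</saml:NameID></saml:Subject></saml:Assertion></samlp:Response>'
    )


def extract_name_id(xml_text):
    """Return the NameID text from the assertion, or raise if it is absent."""
    root = ET.fromstring(xml_text)
    node = root.find("./saml:Assertion/saml:Subject/saml:NameID", NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return node.text.strip()


def resolve_user(name_id, users=SYS_USER, user_field="email"):
    """Map a NameID to exactly one active user. Returns (user_name, reason)."""
    wanted = name_id.strip().lower()  # assumption: email comparison is case-insensitive
    matches = [u for u in users if u[user_field].lower() == wanted]
    if not matches:
        return None, f"no sys_user with {user_field}={name_id}"
    if len(matches) > 1:
        # Two accounts sharing one email means the IdP attribute alone cannot
        # say which account the person is; refuse rather than pick one.
        return None, f"{len(matches)} sys_user rows share {user_field}={name_id}"
    if not matches[0]["active"]:
        return None, f"user {matches[0]['user_name']} is inactive"
    return matches[0]["user_name"], "ok"


def login(name_id_claim):
    """Simulate the round trip: Azure sends the claim, ServiceNow resolves it."""
    return resolve_user(extract_name_id(saml_response(name_id_claim)))


if __name__ == "__main__":
    # With the default claim (user.userprincipalname) the UPN reaches ServiceNow
    # and matches nothing; with user.mail the demo user is found.
    for claim in ("david.loo@contoso.onmicrosoft.com", "david.loo@example.com",
                  "David.Loo@example.com", "shared@example.com", "gone@example.com"):
        print(f"{claim:40} -> {login(claim)}")
```

Run it as-is to see the five outcomes; the first line is the case the default claim produces, which is why the tutorial switches the claim to user.mail.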



 

Step 3 - Configure ServiceNow
  1. On your instance, search for SSO and select Microsoft Azure Federated Single Sign-on for Default Directory




  2. Scroll down to X.509 Certificates and click Edit
  3. Add Microsoft Azure Federated Single Sign-on for Default Directory and click Save. This is the certificate ServiceNow uses to verify the signature on assertions coming from Azure; when Azure's signing certificate is rotated, update this record, otherwise every SSO login will fail signature validation.




  4. Click Set as Auto Redirect IdP. From this point on, every login to the instance is redirected to Azure AD, so keep a local admin account and the local login page (https://<instance>.service-now.com/side_door.do) available as a break-glass path in case the identity provider, its certificate, or the user mapping breaks.
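The check below is an added example for this article, not ServiceNow or Microsoft code. It answers the question a practitioner asks at step 3.3 and again at every Azure certificate rollover: does the certificate stored on the ServiceNow identity provider record still match one of the signing certificates Azure AD advertises in its federation metadata? Both the metadata document and the stored PEM are constructed placeholders; the base64 blobs are not real certificates, only byte strings that let the SHA-256 fingerprint comparison run offline. Against a live tenant you would fetch the metadata from https://login.microsoftonline.com/<tenant-id>/federationmetadata/2007-06/federationmetadata.xml?appid=<app-id> and paste the PEM from the X.509 Certificate record on your instance.

```python
"""Compare the signing certificate stored on the ServiceNow identity provider
record with the signing certificates in Azure AD's federation metadata.

Added example for this article, not ServiceNow or Microsoft code. The
metadata and the PEM are constructed; the "certificates" are placeholder
bytes so the fingerprint comparison runs offline.
"""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"

# Constructed placeholder DER bytes (not real certificates).
CURRENT_CERT = b"constructed placeholder DER bytes: current Azure signing cert"
NEXT_CERT = b"constructed placeholder DER bytes: upcoming rollover cert"
STALE_CERT = b"constructed placeholder DER bytes: old cert still on the IdP record"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode()


# Constructed federation metadata in the shape Azure AD publishes: one
# EntityDescriptor with an IDPSSODescriptor carrying one KeyDescriptor per
# signing certificate (during a rollover there are two).
AZURE_METADATA = f"""<EntityDescriptor xmlns="{MD}"
    entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data>
        <X509Certificate>{_b64(CURRENT_CERT)}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
    <KeyDescriptor use="signing">
      <KeyInfo xmlns="{DS}"><X509Data>
        <X509Certificate>{_b64(NEXT_CERT)}</X509Certificate>
      </X509Data></KeyInfo>
    </KeyDescriptor>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def pem(raw: bytes) -> str:
    """Wrap DER bytes as a PEM block, the form the ServiceNow record stores."""
    body = _b64(raw)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual way to identify a certificate."""
    return hashlib.sha256(der).hexdigest()


def metadata_signing_fingerprints(xml_text: str) -> list:
    """Fingerprints of every signing certificate in the IdP metadata."""
    root = ET.fromstring(xml_text)
    fps = []
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        # A KeyDescriptor without a "use" attribute is valid for signing too.
        if kd.get("use", "signing") != "signing":
            continue
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            der = base64.b64decode("".join((cert.text or "").split()))
            fps.append(fingerprint(der))
    return fps


def pem_fingerprint(pem_text: str) -> str:
    """Fingerprint of the certificate inside a PEM block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("not a PEM certificate")
    return fingerprint(base64.b64decode("".join(m.group(1).split())))


def stored_cert_is_current(pem_text: str, metadata_xml: str = AZURE_METADATA) -> bool:
    """True if the stored certificate is one Azure currently signs with."""
    return pem_fingerprint(pem_text) in metadata_signing_fingerprints(metadata_xml)


if __name__ == "__main__":
    for label, der in (("current", CURRENT_CERT), ("next", NEXT_CERT), ("stale", STALE_CERT)):
        print(f"{label:8} {fingerprint(der)[:16]}... matches metadata: {stored_cert_is_current(pem(der))}")
```

A stale result means assertions signed with Azure's new key will be rejected by the instance; the fix is step 3.2 and 3.3 again with the new certificate, before the old one stops being used.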



 

Configuration is complete. Open the ServiceNow mobile app and point it at your SSO-enabled instance. You should be prompted with a Microsoft login.

 


Comments
PaulSylo
Tera Sage

One question: what if my AD is not accessible from an external network?

Fu
ServiceNow Employee

Hi Paul,

You will need to use a VPN if AD is only accessible within an internal network.

Version history
Last update:
‎01-21-2021 02:27 PM
Updated by:
ServiceNow Employee