‎07-28-2017 12:19 AM
We have successfully set up SSO for our users on one of our Azure AD tenants. However, we need to add another Azure AD tenant and allow their users to log in as well on the same ServiceNow instance. We followed this tutorial: Tutorial: Azure Active Directory integration with ServiceNow | Microsoft Docs. However, we can't make 2 Azure AD tenants work. The users are already syncing; however, when users of Tenant B are logging in, the Azure AD login page prompts the user with the following error:
AADSTS50020: User account 'test@tenantb.com' from identity provider 'https://sts.windows.net/xxxxxxxxxxxxxx/' does not exist in tenant 'Tenant A' and cannot access the application 'https://instance.service-now.com/' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
Does anyone here have experience with allowing 2 Azure AD tenants to log in on the same ServiceNow instance?

‎11-21-2017 10:49 PM
We implemented a simple workaround, but you need to check first that logging in with each of your Azure AD tenants already works.
Test Azure AD Tenant #1:
https://yourinstance.service-now.com/login_with_sso.do?glide_sso_id=<sys_id of the sso configuration for tenant #1>
Test Azure AD Tenant #2:
https://yourinstance.service-now.com/login_with_sso.do?glide_sso_id=<sys_id of the sso configuration for tenant #2>
Once you confirm that you can properly log in with both Azure AD tenants, follow the steps below:
- Create a custom page (set it to Public), then in SP Page Designer add 2 buttons and set each button to one of the direct SSO login links used above.
- Now make that custom page the login page for the Service Portal where you want this to be used.
- Open a private window in your browser and try going to your Service Portal page (http://yourinstance.service-now.com/sp, or whatever you changed the Service Portal URL suffix to).
- You should see the custom login page you created, with 2 buttons, one for each Azure AD tenant login page.
Now you just need to instruct your users to click the login button relevant to them. We named the buttons "Login (BU_A users)" and "Login (BU_B users)" so it is self-explanatory (with the names of our BUs, of course).
This is so far the simplest solution we were able to come up with that needs only minimal effort and does not complicate the login process for end users. In fact, this can be used for more than 2 Azure AD tenants: just add another button with a link to the additional Azure AD tenant or other SSO you have.
IMPORTANT NOTES:
- Deep linking does not seem to work properly after we implemented this. The user needs to be already logged in for email links to redirect them properly.
- This will not work on the ServiceNow mobile app, because current versions of the mobile app always use the Identity Provider set as Primary in the system properties (glide.authenticate.sso.redirect.idp). As a workaround, we set the Azure AD tenant with the most users as the Primary and instruct those under the other tenant to access our ServiceNow Service Portal in their mobile browser (the custom login page we created works in mobile browsers).
Endorse, Like or mark this reply as Helpful below if it provided the answer or solution you were looking for.
‎07-28-2017 01:20 AM
Hello Jimboy,
Judging by your description, I assume your instance is automatically redirecting users to the Azure Identity Provider for Tenant A. If this is the case, then unfortunately you will NOT be able to make use of the auto-redirect feature.
You will first need to update the field "SSO Source" on the [sys_user] table with "sso:<sys_id_of_IdP_record>".
Configure users for multi-provider SSO
When users access the instance, they will need to click on "Use External Login". Users will then be presented with a text login prompting them to enter either their username or email (depending on what you have configured under "Multi-Provider SSO > Administration > Properties").
The instance will use the value entered to find the user in the [sys_user] table (based on the field configured above). It then looks up the "SSO Source" value and finds an Identity Provider record which matches it.
- If an Identity Provider record is found, it will use that to authenticate the user.
- If the field "SSO Source" is empty, or if the sys_id record is not found, it will use whichever Identity Provider record has the "Default" checkbox checked.
Alternatively, you can provide a link to the ServiceNow instance with the sys_id of the Identity Provider record which you want users to use for authentication.
Multiple Provider Single Sign-On - ServiceNow Wiki
Please let me know if you have any other questions.
Kind regards,
Simon Liang
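As an added illustration of the lookup order described in the reply above (not ServiceNow's own code, and not part of the original post), the following models it: find the user, read "SSO Source", pick the matching Identity Provider record, otherwise fall back to the Default one, and build the login_with_sso.do link. All records and sys_id values are constructed placeholders.

```javascript
// Added example: models the Multi-Provider SSO lookup described in the reply.
// Sample records are constructed; sys_ids are placeholders, not real ones.
const idpRecords = [
  { sys_id: "idp_tenant_a_sysid", name: "Azure AD Tenant A", default: true },
  { sys_id: "idp_tenant_b_sysid", name: "Azure AD Tenant B", default: false },
];

// Constructed [sys_user] rows. Note the last two Tenant B users: an empty or
// stale "SSO Source" sends them to the Default provider (Tenant A), which is
// exactly the situation that produces the AADSTS50020 error quoted above.
const sysUser = [
  { user_name: "alice", email: "alice@tenanta.com", sso_source: "sso:idp_tenant_a_sysid" },
  { user_name: "bob",   email: "bob@tenantb.com",   sso_source: "sso:idp_tenant_b_sysid" },
  { user_name: "carol", email: "carol@tenantb.com", sso_source: "" },
  { user_name: "dave",  email: "dave@tenantb.com",  sso_source: "sso:deleted_sysid" },
];

// lookupField mirrors the username-or-email choice made under
// "Multi-Provider SSO > Administration > Properties".
function findUser(identifier, lookupField = "email") {
  const wanted = identifier.trim().toLowerCase();
  return sysUser.find(u => (u[lookupField] || "").toLowerCase() === wanted) || null;
}

// Parse "sso:<sys_id>"; use that IdP if it exists, else the Default IdP.
function resolveIdp(user) {
  const m = /^sso:(.+)$/.exec(user.sso_source || "");
  const byId = m ? idpRecords.find(r => r.sys_id === m[1]) : undefined;
  return byId || idpRecords.find(r => r.default) || null;
}

// Direct SSO link of the form used throughout this thread.
function ssoLoginUrl(instanceBase, idp) {
  return `${instanceBase}/login_with_sso.do?glide_sso_id=${encodeURIComponent(idp.sys_id)}`;
}

// Full "Use External Login" path: identifier -> user -> IdP -> redirect URL.
function resolveLogin(identifier, instanceBase = "https://yourinstance.service-now.com") {
  const user = findUser(identifier);
  if (!user) return null;
  const idp = resolveIdp(user);
  return idp ? { idp: idp.name, url: ssoLoginUrl(instanceBase, idp) } : null;
}
```

Running it shows why a Tenant B user without a correct "SSO Source" is pushed to Tenant A's identity provider: the Default record wins whenever the lookup fails.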
‎07-29-2017 10:12 AM
It will not be a good experience for end users to use the "External Login" option, since it adds more steps to what should be a simple login process.
I see that when you setup a Service Portal, you can select the login page. Do you think it will be possible to use this to direct users to specific SSO configuration? So the end result would be if user goes to portal A then he will be presented the SSO to Azure AD tenant A and if he goes to portal B then we can set another Azure AD tenant to use.
We can set a specific SSO when we append this on the base instance URL:
/login_with_sso.do?glide_sso_id=<sys_id of the sso configuration>
So if we can somehow configure this on a page and set it as the login page of the portal, perhaps we can simplify the login process by just asking users to go to the Service Portal URL.
‎07-29-2017 05:22 PM
> I see that when you set up a Service Portal, you can select the login page. Do you think it will be possible to use this to direct users to a specific SSO configuration? So the end result would be: if a user goes to portal A, he will be presented the SSO for Azure AD tenant A, and if he goes to portal B, we can set another Azure AD tenant to use.
> We can set a specific SSO when we append this to the base instance URL:
> /login_with_sso.do?glide_sso_id=<sys_id of the sso configuration>
> So if we can somehow configure this on a page and set it as the login page of the portal, perhaps we can simplify the login process by just asking users to go to the Service Portal URL.
Hello Jimboy,
This is definitely possible as long as the public page $sp is not private (Active = false). If $sp is no longer public, the instance will NOT render the login page.
What I have done in the past as a test was to create a very simple widget with just the following in the Body HTML.
<meta http-equiv="refresh" content="0; URL='/login_with_sso.do?glide_sso_id=<sys_id_of_IdP_record>'" />
<div>
Redirecting users to authenticate...
</div>
Obviously that was just a test and may need to be refined before implementing it in production. Please also note that if you do this, deep linking will most likely not work.
As always, please do thorough testing before implementing this in your production instance.
Let me know how you go.
Kind regards,
Simon Liang
‎11-21-2017 12:41 AM
Hi,
Did you manage to get this working with dual tenants? We have the same issue, works great for a single tenant but can't make the 2nd tenant work.
Thanks
Mark