Ibrahim-Ben Far
Tera Contributor

Introduction

While MFA is now widely used to secure user access, it isn't for integrations. More often than not, the only security I see for integrations is a user + password (or API key / client ID + secret) combination. But we can go further and add safety nets without closing down the whole instance to a specific network.

The Use Case

A few weeks ago, I had to build a push-push integration, i.e. the ServiceNow® instance talked to an API of a third-party tool, and the third-party tool talked to the instance via a ServiceNow API.

While normal users were already forced to use MFA through external authentication with Microsoft Office 365, integration users needed to be secured in a similar way. A further condition was that the instance had to remain accessible as before, so restricting the whole instance by IP address, as you can do with ServiceNow IP Access Control, was not an option. IP Access Control also still lets through certain ServiceNow internal IP addresses.

Installation Exits only work for interactive logins, which are already effectively prohibited by the "Web service access only" flag on the corresponding user. So I needed to find a solution that works on any authentication attempt.

This can be compared to the HI instance: while the HI instance needs to be available to all customers, integrations (e.g. for customer instance automations) should only be possible from the ServiceNow internal network.

The Solution

I'm using a User Authentication Gate to check IP addresses as well. The same approach can be extended to any further factor, as long as proof of that factor is part of the transaction in which the authentication happens.

Configuring the solution

After applying the attached Update Set, there is a System Property called security.list.forced_ip_whitelist_users, which you can edit with the security_admin role.

The property holds a JSON object whose keys are user IDs and whose values are arrays of strings, each string containing exactly one IP address.

Read Further

https://blog.cbc-faruhn.com/securing-inbound-servicenow-integrations/

Version history
Last update: 06-30-2020 09:23 AM