Maik Skoddow
Tera Patron
I recommend bookmarking this article so that you are automatically notified by email when changes are made by me.
If you miss any content, please leave it as a comment and I will add it to this article.
 

My library Knowledge Sources To Go is very popular, but it was intended mainly as a thematically grouped guide to standard sources and was provided by me as a PDF file. For certain topics, however, there is so much content that I can no longer include it in that document, as it cannot continue to grow forever.

For this reason, I have decided to handle such topics in individual community articles like this one instead.

 

 

Overview

 

ServiceNow identity and authentication validates the identity of a user who accesses an instance, and then authorizes the user to features that match the user's role or job function.

 

Product Documentation

Entry point to the official product documentation

 

Platform Access - Product Architecture Blueprint 

Describes the inherent functionality of the product and outlines the technical components in the form of a diagram.

 

 

Trainings & Courses

 

Zero Trust Access: Introduction 

By the end of this module, you will be able to:

  • Understand what Zero Trust Access is
  • Learn how to activate the Zero Trust Access plugins
  • Explore the Session Access Role Configuration module

 

 

Articles & Blogs

 

How to Investigate User Account Activity (KB0564981)

At any time there is a need to review specific user behavior, below are the recommended steps on how to review the transaction logs and event logs.

 

 

Videos & Podcasts

 

2020-12-01 by GlideFast Consulting

Introduction to Users, Groups, and Roles

In this ServiceNow Tutorial, Lorena Villanueva gives an introduction to users, groups, and roles in ServiceNow.

 

2021-11-22 by Hardit Singh

Password Policies in ServiceNow

Password policies ensure security in your ServiceNow instance and can be easily configured in ServiceNow PDI as well.

 

 

 

Password Reset

 

This application takes the familiar consumer internet password reset experience and applies it to enterprise IT. The Service desk-assisted password reset feature is an alternative approach that provides a streamlined and automated process for the service desk to quickly and consistently fulfill password reset requests without having to access password management tools. ServiceNow Password Reset supports all credential stores, including ServiceNow, Microsoft Active Directory, and more. It also supports a variety of identity verification methods, such as security questions, SMS text, and CAPTCHA, which may be used across all credential stores for a consistent and simplified user experience. End users may enroll in password reset by configuring their identity verification methods, or they may be automatically enrolled through user data already existing in ServiceNow.

 

Product Documentation

Entry point to the official product documentation

 

 

Articles & Blog Posts

 

2019-04-08 by ServiceNow Support

Prevent users from re-using recently used passwords on the Password Reset screen 

The functionality exists to enforce the requirement that a user changing his or her password be prohibited from using recently used passwords when resetting the password through the self-service password reset form.

 

 

Videos & Podcasts

 

2020-03-11 by ServiceNow Community

Password Reset Demo

 

2020-08-07 by snowexpertrohit

ServiceNow Password Reset Application

The ServiceNow Password Reset application enables an end user to use a self-service process to reset or change the password.

 

2020-10-15 by ServiceNow Community

Automate 30% of service requests with automated password reset 

The ServiceNow Password Reset application enables an end user to use a self-service process to reset or change the password. Alternatively, your organization can implement a process that requires a service desk agent to reset passwords for end users.

 

2022-09-06 by ServiceNow Community

How do I get started with ServiceNow Password Reset?

This video provides a straightforward 7 step approach to implementing password reset on the ServiceNow platform.

 

2023-09-06 by ServiceNow Community

Streamline Your Password Reset Service Desk

Password Reset is an out-of-box application that ServiceNow provides to its customers, to help them achieve use-cases like Active Directory password reset. As a part of this session, we will be explaining how to use the application, along with demoing:

1. Password Reset for Windows Applications
2. Password Reset over IVR
3. Password Reset via Virtual Agent

 

 

 

Adaptive Authentication

 

Adaptive Authentication enables the use of contextual authentication controls, which will evaluate incoming authentication requests and approve or deny them based on specific policy conditions – IP address, user groups, roles, and so on. Enterprises can configure adaptive authentication properties according to their own security requirements and policies.

 


 

 

Product Documentation

Entry point to the official product documentation

 

 

Trainings & Courses

 

Adaptive Authentication Overview 

This course provides an overview of Adaptive Authentication and Multi Factor Authentication.

 

 

Videos & Podcasts

 

2022-08-04 by ServiceNow Support

Getting started with Adaptive Authentication for Trusted Mobile Apps

In the video we show you how to activate and configure Adaptive Authentication for Trusted Mobile Apps, and how to register trusted devices for accessing the Now mobile app.

 

 

Articles & Blog Posts

 

2022-05-06 by @Sanchita Medar 

Adaptive Authentication use case for ACME Bank

 

2022-12-09 by @Randheer Singh

Migrating from IP address access control to Adaptive Authentication

 

2023-10-06 by @Randheer Singh

Enforce multi-factor authentication (MFA) based on the IP Network

In this blog, we will see how we can use adaptive authentication to dynamically enforce MFA for users accessing the instance outside the trusted network.

 

 

 

Zero Trust Access

 

ServiceNow Zero Trust - Policy Based Session Access (Session Access) enables organizations to dynamically reduce user privilege in a web session based on a variety of factors, including IP address, location, authentication method, user’s role, group, user having MFA and attributes shared by the Identity Provider (IDP). This can help protect organizations from unauthorized access and data breaches, even when high-privileged users access applications from untrusted devices or locations.

 

 

 

Product Information

Entry point to the official product information pages.

 

Product Documentation

Entry point to the official product documentation

 

Data Sheet

Summarized overview in one PDF file.

 

 

Articles & Blog Posts

 

2023-09-16 by @Randheer Singh 

Introducing ServiceNow Zero Trust Access

 

 

Videos & Podcasts

 

2023-08-23 by ServiceNow Community

Introduction to ServiceNow Zero Trust Access

 

 

 

Multi Factor Authentication

 

The basic level of authentication to an instance is local database authentication where a user enters a username and password combination. MFA gives administrators and users the ability to require a second level of authentication. This second authentication can be:

  • A passcode from an authentication app
  • A hardware key
  • A biometric authenticator, such as a fingerprint reader or facial recognition

 

Product Documentation

Entry point to the official product documentation

 

Multi-Factor Authentication (MFA) Enforcement FAQ

To enhance the security of all instance accounts, ServiceNow is enforcing MFA starting with the Yokohama release. This knowledge article explains all you need to know regarding that topic.

 

 

Articles & Blog Posts

 

2021-03-12 by @Maik Skoddow 

Bypass Multi-factor Authentication (MFA) based on IP Addresses 

In the Community, the question arises again and again whether multi-factor authentication can be bypassed under certain circumstances. For example, users would like to log in directly and without MFA when they're accessing the ServiceNow instance from a secure (company) network. In fact, it is possible to implement such exceptions using the Adaptive Authentication feature of ServiceNow, and this article describes which configurations are necessary to realize that scenario.

 

2023-01-12 by @Randheer Singh

MFA with SSO -Dynamically enforce MFA on the ServiceNow side based on the Identity provider response

In this article, we will discuss how MFA can be dynamically enforced on the ServiceNow side if not enforced on the IdP side based on the attributes shared by the IdP as part of the SAML response/OIDC token.

 

2023-02-16 by @Randheer Singh

Multi-factor authentication with SMS OTP

In this blog, we will explore how SMS OTP-based multi-factor authentication can be enabled on ServiceNow Platform authentication and provide best practices for implementing this authentication method in your organization.

 

 

Videos & Podcasts

 

2021-11-09 by Hardit Singh

How to activate Multi Factor Authentication (MFA) on ServiceNow 

In this short video, we will see how we can set up Multi Factor Authentication (MFA) on our PDI. We will need to activate a system property and download an app on our mobile phone.

 

2023-01-25 by Secretary of Simplification

Biometric Authentication

Did you know you can quickly and easily allow your users to authenticate using biometric data, such as their fingerprints and faces, using their devices' built-in sensors and cameras? This video shows you how. Now there is no more reason not to use multi-factor authentication.

 

2023-06-07 by ServiceNow Support

Administrator-assisted multi-factor authentication reset

Demonstrates how a ServiceNow system administrator can reset a user's multi-factor authentication validation.

 

 

 

LDAP(S)

 

An LDAP integration allows the system to use your existing LDAP server as the primary source of user data. Typically, an LDAP integration is also part of a single sign-on implementation.

 

Product Documentation

Entry point to the official product documentation

 

 

Articles & Blog Posts

 

2018-04-11 by DxSherpa

LDAP Integration with ServiceNow 

Administrators integrate ServiceNow with LDAP directory to streamline the user login process and to automate administrative tasks such as creating users. LDAP integration allows ServiceNow to use your existing LDAP server as the master source of user data.

 

2020-05-06 by LearnNowLab

LDAP Integration

An LDAP integration allows your instance to use your existing LDAP server as the master source of user data.

 

2020-05-19 by ServiceNow Support

Connecting Active Directory via LDAPS through MID Server (KB0825425)

This knowledge article explains how to connect Active Directory via LDAPS through MID Server.

 

 

Videos & Podcasts

 

2019-11-06, by Basico ServiceNow Learning

LDAP Integration in ServiceNow

ServiceNow continues to support existing Connect Support customers on the Now Platform for current and upcoming releases but further feature development is not planned for the future. We strongly encourage customers to make the move from Connect Support to Advanced Work Assignment (AWA) and Workspace Agent Chat as we’re focused on continuing to invest in innovation within Advanced Work Assignment and Workspace Agent Chat.

 

 

Troubleshooting

 

Troubleshooting LDAP issues in ServiceNow (KB0539111)

LDAP connection error (KB0547476)

LDAPS with MID server failed with Error "PKIX path building failed: java.security.cert.CertPathBuild... (KB0825530)

 

 

 

OAuth

 

OAuth 2.0 lets users access instance resources through external clients by obtaining a token rather than by entering login credentials with each resource request.

 

Product Documentation

Entry point to the official product documentation

 

 

Articles & Blog Posts

 

2019-12-03, by Isuru Jayakantha

Everything You Need To Know About OAuth 2 Integration

You will find everything you need for OAuth Integration in this article.

 

2020-04-25, by Ankur Bawiskar

OAuth 2.0 with Inbound REST

 

2020-09-11, by Pushpendra Singh

ServiceNow Login with Google

Login using a Google account is very common on most web applications/platforms/tools. This article will provide a step-by-step guide on how to achieve the same in ServiceNow.

 

2024-02-05 by @Astrid Sapphire 

Up Your OAuth2.0 Game in Washington DC With Inbound Client Credentials

This article and the following articles in the Up your OAuth2.0 series, will guide you through setting up different types of OAuth Clients and Providers, including extended concepts around OIDC and more! After the guide, I’ll also talk through brief cases of where you might use each variant. This first article focusses on Inbound API Authentication to your ServiceNow instance, using the Client Credentials grant which was implemented in the Washington DC release.

 

 

Videos & Podcasts

 

2020-06-10, by ServiceNow Now Community

Discover OAuth 2.0 with Inbound REST with Ankur Bawiskar

Join us for the session on OAuth 2.0 with Inbound REST, where Ankur demonstrates external clients accessing instance resources/APIs by obtaining OAuth Token, Inbound REST setup.

 

2021-07-17 by Techno Monk

ServiceNow OAuth 2.0 inbound integration

In this video we will be looking into ServiceNow OAuth 2.0 inbound integration:

1. What is difference between Basic and OAuth
2. What is OAUTH integration
3. How we can use OAUTH integration
4. What is Access and Refresh token
5. Demo

 

2022-05-24 by Horea Porutiu

ServiceNow OAuth 2.0 Endpoint Integration w/ Postman in 4 MIN

In this video, I create an OAuth API endpoint for external clients to be able to call and access my ServiceNow instance securely via OAuth 2.0. I use my clientID, clientsecret, username, and password to be able to grab my access token.

 

 

Troubleshooting

 

OAuth Token of type 'Client Credentials' generates 'User Not Authenticated' in Inbound web service c... (KB0745184)

 

 

 

Single Sign On (SSO)

 

External SSO allows organizations to use several SSO identity providers (IdPs) to manage authentication as well as retain local database (basic) authentication. The integration supports any combination of local and external authentication methods on a single instance:

SAML 2.0
The Security Assertion Markup Language (SAML) is an XML-based standard for exchanging authentication and authorization data between security domains. The SAML 2.0 integration enables SSO by exchanging XML tokens with an external Identity Provider (IdP). The IdP authenticates the user and passes a NameID token to the system. If the system finds a user with a matching NameID token (for example, the email address), the instance logs that user in.

Digest Authentication
The digest token authentication passes user credentials and a digest token within an unencrypted HTTP header. The instance reads the HTTP header value and compares its computed hash value of the digest token. If the computed hash value matches the digest token value, then the instance searches for a matching value in the User table. If there is a matching value in the User table, the instance considers the user pre-authenticated and logs the user in.

OpenID Connect
OpenID Connect (OIDC) is an identity layer built on top of the OAuth protocol, which provides a modern and intuitive Single Sign-on (SSO) experience to you and your end users. OIDC also improves the log in experience for mobile applications by enabling users to log in to ServiceNow applications using their social identity provider. For example, administrators can configure Single Sign-on with a third-party identity provider that supports OpenID Connect. Users then have the option to log in to your custom ServiceNow application using their identity provider credentials.

 

 

Product Documentation

Entry point to the official product documentation

 

 

Articles & Blog Posts

 

by ServiceNow Support

Checklist before cloning an Instance with Digest, SSO, SAML or Multi SSO Integration  (KB0657100)

Cloning could cause your target instance to be inaccessible if it is done incorrectly and the source or target instance has SAML setup. We do not recommend to copy the SAML configuration from one system into another.

 

by ServiceNow Support

Setup of Signing Keystore for Encryption and Signing  (KB0753604)

Describes how to set up a Signing Keystore for Encryption and Signing for a SAML SSO Identity Provider.

 

by ServiceNow Support

Setting up Okta Single Sign On on ServiceNow instances  (KB0777770)

This article explains how to set up for SSO with Okta on ServiceNow instance.

 

by ServiceNow Support

Multiple Provider Single Sign-On Enhanced UI (KB0817397 🔒)

The 'Integration - Multiple Provider Single Sign-On Enhanced UI' plugin provides a richer user interface to configure your SSO solution on your instance. The plugin allows enterprise users to configure SSO redirections entirely from the User Interface.

 

by ServiceNow Support

Setup Multi-SSO with SAML using SSOCircle  (KB1124279)

In these instructions we will setup a SAML 2.0 Identity Provider.

 

2019-06-19 by @ARG645 

Nuts & Bolts of SAML in ServiceNow : The Bigger Picture

This series of articles, Nuts & Bolts of SAML in ServiceNow, describes the core components of SAML and how they facilitate SAML authentication for Single Sign-On in ServiceNow.

 

2022-11-22 by @Logan Poynter

Azure AD & ServiceNow

Whether you’re an existing organization, or are just evaluating ServiceNow as a platform, in this tutorial I’m going to walk through how you as a ServiceNow Administrator can configure Azure AD to control what users and groups are populated in your ServiceNow environment, and establish Single Sign-On services to the ServiceNow application as well.

 

2022-11-22, by Microsoft

Tutorial: Azure Active Directory single sign-on (SSO) integration with ServiceNow 

In this tutorial, you'll learn how to integrate ServiceNow with Azure Active Directory (Azure AD).

 

2023-02-21 by David McDonald

Guide to a ServiceNow login page for multiple SSO providers 

ServiceNow integrates pretty well with single sign-on providers like Azure, Okta, and ADFS, but things get difficult when you need to support multiple SSO's. Here's how to do a login page that allows users to choose which SSO provider they want to login through.

 

 

Videos & Podcasts

 

2021-07-28, by snowexpertrohit

Multi SSO Configuration step by step

SAML-based SSO configuration using a free IdP as an example.

 

2020-06-04 by ServiceNow Talks

Single Sign On with ADFS

 


Troubleshooting

 

Troubleshooting SAML or SSO  (KB0539112 🔒)

SAML/SSO generates an infinite loop during login when you define glide.security.url.whitelist withou... (KB0621688)

If Multi-SSO is installed, check whether SAML installation exits are inactive (KB0623385)

Multi-SSO Certificate Grouping (idp_certificate table) solves IdP Certificate Mismatch errors when I...  (KB0676337)

Cannot Generate Metadata when Sign AuthnRequest or Sign LogoutRequest is checked  (KB0689646)

How to safely self-update your IDP certificate when Multi SSO and avoid "IDP Certificate Mismatch" f... (KB0679991)

SAML Errors and Fixes (KB0759250)

SHA-256 support for Single Sign On (KB0778491)

Slow memory leak due to large number of SAML metadata import threads causing intermittent / poor per... (KB0789247 🔒)

Multi-provider SSO V2 with Edge Encryption Proxy (KB0831608)

Users taken to logout using Multi Provider sso. Test connection is successful and Identity Provider ... (KB0827063)

Multi-provider SSO - Maximum number if IDPs supported (KB1005849)

In Multi SSO enabled instances - Session timed out message is never displayed on platform (KB1113341)

 

 

 

Certificate-based (Mutual) authentication

 

Certificate-based authentication lets you mutually authenticate user logins or inbound API requests using certificates from a trusted Certificate Authority (CA).

 

 

Product Documentation

Entry point to the official product documentation

 

 

Articles & Blog Posts

 

2021-08-19, by ServiceNow Support

How to configure inbound Certificate Based Authentication (mutual authentication) in ServiceNow 

This article is meant only for inbound mutual authentication, known officially as Certificate-Based Authentication (CBA).

 

Comments
Randheer Singh
ServiceNow Employee

Hi @Maik Skoddow 

Thanks for sharing this.
I am PM in the ServiceNow platform security team and am responsible for Authentication products.
Please don't hesitate to contact me if you have feedback or any idea to share about Authentication or any other platform security products. I will be more than happy to have a session with you.

 

Thanks,

Randheer

Maik Skoddow
Tera Patron

Hi @Randheer Singh 

Thanks for the offer. I'll keep it in mind.

Kevin Burck
ServiceNow Employee

Great post! 

Michael O J
Tera Expert

Hi @Maik Skoddow ,

 

Great overview of security-related customizations. This has been added to my ServiceNow bookmarks.

 

I have a question regarding Mobile apps, Intune and Single Sign On (SSO). We are going to launch the Mobile Agent internally in our company using Intune and our company app store (iOS and Android). We would of course like the users to automatically log on to ServiceNow.

 

I've been told that the apps that log on automatically use a PRT (Azure Primary Refresh Token), so that the users don't have to enter any credentials at all.

 

Do you know whether this is possible with the ServiceNow Mobile Apps?

Maybe @Randheer Singh can pitch in.

 

Thank you again for this great resource.

Version history
Last update: 03-07-2025 09:29 PM