In this how to I will setup Single Sign-On (SSO) using Microsoft Azure AD without the use of a ServiceNow MID server. This article was done on the ServiceNow Jakarta release. If you are on a different release some of the screens may look different.
1. Azure setup
Before you continue make sure that you have the "Global Administrator" role as this is required.
1.1 Go to portal.azure.com and login with your credentials.
1.2 Click on Azure Active Directory in the menu to your left.
1.3 Click on "Enterprise applications" in the menu.
1.4 Click on "New application" at the top of the page.
1.5 Select "IT infrastructure" in the filter to the left.
1.6 Locate ServiceNow by searching for it and click the ServiceNow icon to create the Application.
1.7 Under "Quick start" click "Configure single sign-on (Required)"
1.8 Select "SAML-based Sign-on" and enter your instance URL in the "Sign on URL" and the "Identifier". Click on "Save".
1.9 In case the new certificate is in status "New" click the "Make new certificate active" checkbox and then click Save. If your certificate is already in status "Active" you can skip this step.
1.10 Scroll down a but and click the "Certificate (Base64)" link to download the certificate.
1.11 Scroll further down and click "Configure ServiceNow"
1.12 Check the checkbox "Manually configure single sign-on
1.13 Scroll down and locate the "Quick Reference". Copy the "Azure AD Single Sign-On Service URL", the "Azure AD Sign Out URL", and the "Azure AD SAML Entity ID". We will need this information later.
1.14 Go back to the "Quick start" and click on "Assign a user for testing (required)". Pick a user that you wish to test with and add it to the list. You can pick yourself if you like.
2. ServiceNow setup
To set things up in ServiceNow you need to have the role "admin".
2.1 Go to you serviceNow backend and login.
2.2 Click the "Plugins" link under "System Definition".
2.3 Find the "Integration - Multiple Provider Single Sign-On Installer and install it if it is not already installed.
2.4 Go to "Multi-Provider SSO -> Administration -> x509 Certificates"
2.5 Click the "New" icon at the top of the page.
2.6 Fill out the "Name" with something that makes sense to you. The field Format should be "PEM" and the Type "Trust Store Cert". In the "PEM certificate" paste the certificate that your downloaded from Azure earlier. You can do this by opening the file in a texteditor like notepad and copy the content out. Click "Submit" and the certificate is now stored in ServiceNow.
2.7 Click on "Multi-Provider SSO -> Identity Providers"
2.8 Click on the "New" button at the top.
2.9 Pick "SAML"
2.10 Click cancel on the dialogue box that appears.
2.11 Give your Identity Provider a name in the "Name" field. Make sure to check the "Default" check box. Fill out the fields with the following information:
Identity Provider URL: https://sts.windows.net/"unique id"/ - We copied this link in step 1.12
Identity Provider's AuthnRequest: https://login.microsoftonline.com/"unique id"/saml2 - We copied this link in step 1.12
Identity Provider's SingleLogoutRequest: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
ServiceNow Homepage: your instance (eg. https://yourcompany.serivce-now.com)
Entity ID / Issuer: your instance (eg. https://yourcompany.serivce-now.com)
Audience URI: your instance (eg. https://yourcompany.serivce-now.com)
NameID Policy: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Click "Submit" to save the Identity Provider record.
2.12 Click the newly created record.
2.13 Right click at the top bar and click "Copy sys_id". Paste this ID somewhere as you may need it later.
2.14 Click the "Advanced tab" and enter the following values:
User Field: user_name
AuthnContextClassRef Method: http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Single Sign-On Script: MultiSSO_SAML2_Update1
Clock Skew: 60
Protocol Binding for the IDP's SingleLogoutRequest: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
2.15 Right click the grey bar at the top and select "Save".
2.16 Scroll to the bottom and located the related list "X.509 Certificates" and click the "Edit..." button.
2.17 In the slush bucket that appears select the certificate that you created in step 2.6 and move it to the right. Then click "Save".
2.18 Click the "Test Connection" button at the top of the page to test that everything is working. For the test connection you may want to ensure that you are in a private / incognito browser window.
2.19 Examine the test result and click "Activate". Notice that I was using myself as a test person and therefor the test skipped the logout test.
2.20 Go to "Multi-Provider SSO -> Administration -> Properties"
2.21 Mark the checkboxes "Enable multiple provider SSO" and "Enable Autoimporting of users from all intensity providers into the user table" to yes. The later is optional though as you can also create the users manually if you prefer. Click "save"
3. Automatic redirect
If your instance does not automatically redirect to SSO you may need to manually add or modify the "glide.authenticate.sso.redirect.idp" system property.
3.1 Enter "sys_properties.list" in the main menu to the left and hit "enter".
3.2 Search for "glide.authenticate.sso.redirect.idp". If it does not exists create a new one, by clicking the new icon. Otherwise open the record.
3.3 Paste in the sys_id of your Identity Provider record, that we copied earlier in step 2.13.
Remember to make the property "Private" to ensure that it is not copied between instances as the sys_id of the IdP record will be different from system to system.
4. Deploy SSO to all users (Azure)
Once you have confirmed that everything works as expected you need to Deploy single sign-on to all the users that needs to access ServiceNow
4.1 Go back to your Azure portal and the "Quick start" guide of the enterprise application that you created in step 1.6. Click the link "Deploy single sign-on to users and groups (recommended).
How you want to add users depends on how you are organizing your directory in Azure AD.
I hope that you find this how to useful. Let me know if you have any improvement suggestions or comments. Please endorse if this works for you or like if you want to see more like this.
Hi
ServiceNow Azure AD SSO works as expected with regular username and password on Windows logon.
But I can't get it to work with "Windows Hello for Business" (PIN/Biometric logon) on Windows 10 Ent. (1709)
I get the following error message:
Additional technical information:
Correlation ID: 990ac0f6-9e97-4a63-b178-1759c5e2df27
Timestamp: 2017-12-03 18:55:21Z
AADSTS75011: Authentication method 'X509, MultiFactor' by which the user authenticated with the service doesn't match requested authentication method 'Password, ProtectedTransport'
Same issue on Google Chrome, Edge, Firefox and Internet Explorer.
Microsoft support is saying that it must be a misconfiguration in the ServiceNow tenant.
Anyone seen this issue yet?
How can i configure the ADAL setup to support SSO with "X509, Multifactor" and regular username passwords.
Thanks!
kG56mQ8g6y86!
Hi Christian,
I believe that you need to change the field "AuthnContextClassRef Method" to: "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/x509" to let Azure know that you wish to authenticate this way.
I have not had the chance to verify that this works, but from what I can see this is the issue.
For a full list of authentication classes see this page:
If you wish to support both methods at the same time you may need to have them created as two identity providers or perhaps you can use a more generic authentication class like "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/unspecified". Try it out and please let me know if it works for you 🙂
I hope this helps!
/Lasse
Hello,
First I attempted to follow Microsoft's documentation in completing the configuration automatically vs. manually. However, after testing the connection I continued to receive the error: AADSTS50003: No signing key is configured
I then removed the IDP and Certificate that was auto-created from Azure and went with the manual setup you outlined in this article (thank you). Unfortunately, I still continue to receive the error: AADSTS50003: No signing key is configured
My first thought of 'signing key' is within the ServiceNow IDP Record '
Lastly, I confirmed that I have 'Azure Active Directory Premium Plan 1', so I'm not sure if the error I'm receiving is directly correlated to access.
I asked someone who is not 'assigned to a role' for the ServiceNow application. I believe this does not mean a ServiceNow role, but a role within Azure as I believe I'm currently the only one associated with ServiceNow Application in Azure. What I'm getting at is when this user tested the IDP connection (they are also an admin) they received the below error. Because it's different than mine, I'm thinking my account was initially authenticated, but then during a 'secondary authentication' I received the error I did.
Any thoughts?? Stumped currently
Your help is much appreciated!
-Marques
