06-19-2019 01:51 AM
Hi Everybody,
I'd like to ask you if there is a solution for a problem that we have at a customer. When they use one of our products to create a ServiceNow incident using the Table API, they get an authorization error:
{"error":{"message":"User Not Authenticated","detail":"Required to provide Auth information"},"status":"failure"}
They have the same error when using a REST API test tool like Postman. They use a user who is normally authenticated to access ServiceNow with Azure AD SSO (SAML). This authentication mode is working for the portal access, but it is not made available from ServiceNow itself for the REST API, if I am correct. I asked them to create a local ServiceNow user (with basic password authentication) and the same permissions, but their response was: "It was not agreed to reduce security level by deactivating SAML. This will not happen due to security concerns."
Do you maybe know any other solution, so our product can use basic authentication to create incidents through the Table API, but not needing to "reduce the security level" of the customer? Unfortunately we cannot use OAuth as our product runs on SAP where it is not supported in older releases.
Thanks and best regards,
Tamás
06-19-2019 11:11 AM
Tamás Holics,
What basic authentication needs is the user name and password related to the sys_user record.
The credentials that are used by the Azure AD account for logging in via SSO may be different from the credentials on the sys_user record for that account.
The way SSO works is as follows (assuming you use SAML):
1. As Azure AD is your identity provider, the user has to log in with credentials related to Azure AD.
2. Azure AD will then evaluate the credentials and will tell ServiceNow that it has authorized a user whose value in the user_field column in ServiceNow's Identity Provider record is, say, XYZ.
3. ServiceNow will then grant a session to the user who has a value of XYZ in the column mentioned in the user_field field in ServiceNow's Identity Provider record. At this stage ServiceNow doesn't care what the password is in the sys_user record; it will just grant the session, as the identity provider has already authenticated the user.
Now, in the above authorization flow, ServiceNow will not evaluate the user name and password for the user's sys_user record. So run the basic authentication using the user name and password related to ServiceNow's sys_user record for that user. I encourage you to change the password to a test value and then perform the basic authentication. This way you will know for sure that the credentials you are trying to use match the credentials in the sys_user record.
Long story short: they may be testing the basic authentication using the credentials related to the identity provider (Azure AD), which may not be the same as the credentials in the sys_user record.
Hope this helps,
A.R.G
Mark the answers correct/helpful if applicable.
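The check recommended in the answer above, as an added example (not code from the thread or from ServiceNow): it builds a Basic-authenticated POST to the Table API's `/api/now/table/incident` endpoint and classifies the response, including the error body quoted in the question. The instance URL, account name, password and the `diagnose` categories are assumptions made for illustration.

```python
import base64
import json
import urllib.request

# Error body quoted in the question; ServiceNow sends it with HTTP 401.
SAMPLE_401_BODY = ('{"error":{"message":"User Not Authenticated",'
                   '"detail":"Required to provide Auth information"},"status":"failure"}')


def build_incident_request(instance_url, username, password, short_description):
    """Build a POST to the Table API that authenticates with HTTP Basic.

    username/password must be the values stored on the ServiceNow sys_user
    record, not the Azure AD (SAML IdP) credentials used for portal SSO.
    """
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    payload = json.dumps({"short_description": short_description}).encode("utf-8")
    return urllib.request.Request(
        url=f"{instance_url.rstrip('/')}/api/now/table/incident",
        data=payload,
        method="POST",
        headers={
            "Authorization": f"Basic {token}",
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


def diagnose(status_code, body_text):
    """Map a Table API response to the causes discussed in the thread."""
    if status_code in (200, 201):
        return "ok"
    try:
        message = json.loads(body_text).get("error", {}).get("message", "")
    except (ValueError, AttributeError):
        message = ""  # body was empty, not JSON, or not shaped like the error above
    if status_code == 401 and message == "User Not Authenticated":
        return "basic-auth-rejected: check sys_user user name/password, not the IdP credentials"
    if status_code == 403:
        return "authenticated-but-forbidden: check roles/ACLs on the incident table"
    return f"unexpected: HTTP {status_code} {message}".strip()


if __name__ == "__main__":
    # Constructed placeholder values; nothing is sent over the network here.
    req = build_incident_request("https://example.service-now.com", "svc_sap", "test-value", "Test incident")
    print(req.get_method(), req.full_url)
    print(diagnose(401, SAMPLE_401_BODY))
```

To send the request for real, pass the returned object to `urllib.request.urlopen` and feed the status code and body of the response (or of the raised `HTTPError`) to `diagnose`.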
06-19-2019 02:03 AM
06-19-2019 02:20 AM
Yes, they use that user and its password, but still they get the error. It seems like the Azure AD authentication does not work when using the REST API.
06-21-2019 03:53 AM
Dear Aman,
Many thanks for your detailed explanation, it solved our issue! Have a great day.
All the best,
Tamás