Change from LDAP SSO to Azure Active Directory single sign-on (SSO)
06-17-2022 10:55 AM
Has anyone switched to using Azure Active Directory single sign-on (SSO) from a previous SSO integration? I would like to know if there are any potential issues that can come up. For example, the Azure we are currently using for other systems is using the user's email address for login. We would prefer to have ServiceNow still use the shorter regular user ID that our older LDAP SSO is using. Would Azure SSO just pass the auth through to ServiceNow if the user is already logged in to Azure in another app?
Also is there a specific document on migrating within SN knowledge? I found the Microsoft setup tutorial which looks straightforward but would like to see something from the SN side.
Thanks for any information on user experiences.
Labels: Platform and Cloud Security
07-10-2022 07:21 PM
I've set up about a dozen Azure SSO integrations. There are one or two gotchas, but overall it isn't too bad. I think you could use both LDAP and SSO SAML authentication methods simultaneously during your migration unless you set something up to block local logins from users who should be using SSO.
>For example the Azure we are currently using for other systems is using the users email address for login. We would prefer to have Service Now still use the shorter regular user ID that our older LDAP SSO is using.
I'm not entirely clear on what you're trying to accomplish here, but there are a couple of approaches you could take. I think the answer to your question is yes. If the User ID is the same as what is in Azure AD, you can adjust which field Microsoft passes to ServiceNow and which field ServiceNow is using for authentication. I think ServiceNow defaults to the email field, but I like to switch to user_name when possible as user_name has uniqueness enforced.
>Would Azure SSO just pass the auth through to Service Now if the user is already logged in to Azure in another app?
Not exactly. It depends on how you're getting to ServiceNow. If your users are accustomed to going to the ServiceNow standard login page, they could use the "use external login" link to get to their SSO authentication prompt.
ServiceNow recommends using their own custom url, but Azure AD integration will also give you a URL that you can use (see step 6 here).
That Azure URL will direct the user to the Microsoft login page then redirect the user to ServiceNow. If they're already authenticated to Microsoft, they'll be passed directly to ServiceNow. You could set up a redirect to that Azure URL from a domain that you own.
The third option is to display the icon to users in the Microsoft portal so that the ServiceNow button can show up like any other app in the menu.
>Also is there a specific document on migrating within SN knowledge? I found the Microsoft setup tutorial which looks straightforward but would like to see something from the SN side.
Nothing that I've seen specific to Azure AD. For some odd reason, they chose Facebook as their example in their documentation. You can see the SSO documentation here.
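The reply above turns on two knobs of a SAML integration: which value the IdP (Azure AD) puts in the assertion, and which local user field the SP (ServiceNow) matches it against. The following is an added example, not ServiceNow's or Microsoft's code, that parses a constructed SAML Response and resolves it against a constructed user table both ways, so the uniqueness point about user_name versus email is visible in the failure mode. The custom claim name `urn:example:user_name`, the tenant URL, and all user records are assumptions for the example; signature, audience and validity-window checks are deliberately left out and must be done by a real SP before any of this runs.

```python
"""SAML identifier mapping example (added illustration, not ServiceNow code).

Shows how the value an IdP sends (NameID or a named claim) is matched against
an SP-side user field, and why matching on a non-unique field must fail closed.
All data below is constructed for the example.
"""
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Standard claim URI for e-mail, plus a constructed custom claim carrying the
# short user ID (the name is an assumption for this example).
CLAIM_EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"
CLAIM_SHORT_ID = "urn:example:user_name"

# Constructed SP-side user table: user_name is unique, email is not.
USERS = [
    {"sys_id": "1", "user_name": "jdoe", "email": "jdoe@example.com"},
    {"sys_id": "2", "user_name": "jdoe2", "email": "jdoe@example.com"},
    {"sys_id": "3", "user_name": "asmith", "email": "asmith@example.com"},
]

# Constructed SAML Response (unsigned; a real one is signed by the IdP).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
    </saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress">
        <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
      </saml:Attribute>
      <saml:Attribute Name="urn:example:user_name">
        <saml:AttributeValue>jdoe</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_assertion(xml_text):
    """Return (name_id, name_id_format, {claim_name: [values]}).

    Signature validation, Audience/Recipient checks and the NotOnOrAfter
    window are omitted here; an SP must verify them before trusting the data.
    """
    root = ET.fromstring(xml_text)
    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        raise ValueError("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no plaintext Assertion (encrypted assertions out of scope)")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("assertion has no NameID")
    attrs = {}
    for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text.strip() for v in attr.findall("saml:AttributeValue", NS) if v.text]
        attrs[attr.get("Name")] = values
    return name_id.text.strip(), name_id.get("Format", ""), attrs


def pick_identifier(parsed, claim=None):
    """Value the SP will look up: the NameID, or a single-valued named claim."""
    name_id, _fmt, attrs = parsed
    if claim is None:
        return name_id
    values = attrs.get(claim, [])
    if len(values) != 1:
        raise ValueError(f"claim {claim!r} absent or multi-valued: {values}")
    return values[0]


def match_user(identifier, field, users):
    """Exactly one user must match; zero or several means no session is created."""
    hits = [u for u in users if u.get(field, "").casefold() == identifier.casefold()]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} users have {field}={identifier!r}; refusing login")
    return hits[0]


def resolve_user(response_xml, sp_field, users, claim=None):
    """Map a SAML Response to one SP user via the chosen IdP value and SP field."""
    return match_user(pick_identifier(parse_assertion(response_xml), claim), sp_field, users)


if __name__ == "__main__":
    print(resolve_user(SAMPLE_RESPONSE, "user_name", USERS, claim=CLAIM_SHORT_ID))
    try:
        resolve_user(SAMPLE_RESPONSE, "email", USERS)
    except LookupError as exc:
        print("email match failed as expected:", exc)
```

The two calls at the bottom are the migration decision in miniature: with the short ID in a claim and user_name as the SP field, the lookup is unambiguous; with the e-mail NameID matched against a non-unique email column, the SP has to refuse rather than guess. Parsing with the standard library is fine for this sample; for untrusted input in production, use a SAML library that validates signatures and a hardened XML parser.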