09-11-2020 12:15 AM
Hello Guys,
We got a requirement to set up SSO with ADFS. I want to first test the SSO connection in a personal instance before we set it up for the project instance. I tried to get a free account for ADFS but couldn't find any free account to register for ADFS (I am new to SNOW, please bear with me). Can anyone guide me from the beginning?
1) What are the prerequisites for SSO with ADFS?
2) If anyone has implemented it, please provide your feedback on what challenges you faced.
3) Any reference material for the same.
Many thanks in advance!!!
09-11-2020 06:09 AM
Yes, you need to sit with your AD team to do most of the steps.
Steps 1.2, 1.7 and 1.8 have to be done in ServiceNow.
11-19-2020 09:14 AM
Hello
Can you help me with this part? This is very urgent for me. (Below is my comment.)
This requirement was on hold by the client and now this implementation has started.
We do not have any integration in place for user creation in SNOW, and till now we were creating the users manually in SNOW, but we do not have any LDAP setup in our infrastructure (LDAP integration to bring users from Active Directory). The client said that they do not have an LDAP server set up.
So we have asked our client whether we need to set up auto user provisioning, so that for users who are in ADFS and want to access SNOW, the user record will be created automatically in SNOW.
But they are telling us that they have a large number of users registered in ADFS who are not part of SNOW, and automatic user provisioning would end up creating multiple accounts in SNOW.
Can you please guide me: is this going to have an impact, and is auto provisioning the right choice? I really need your guidance, please help me on this.
09-11-2020 05:35 AM
Hi Tejaswini,
Please find the attached file for the SSO setup guidance.
Mark the answer Correct & Helpful if it resolved your issue.
09-11-2020 05:41 AM
1. ADFS integration with SAML 2.0
SAML 2.0 single sign-on (SSO) supports integration with Microsoft Active Directory Federation Services (ADFS) 3.0.
1.1 Set up ADFS for SAML
After you set up ADFS 2.0 or 3.0, set up the instance and SAML 2.0 settings to work with ADFS.
2. Browse to ADFS > Services > Certificates, and export the Token-Signing certificate.
a. Right-click the certificate and select View Certificate.
b. Select the Details tab.
c. Click Copy to File. The Certificate Export Wizard opens.
d. Select Next.
e. Ensure the No, do not export the private key option is selected, and then click Next.
f. Select DER encoded binary X.509 (.cer), and then click Next.
g. Select where you want to save the file and give it a name. Click Next.
h. Select Finish. The instance requires that this certificate be in PEM format. You can convert this certificate using client tools or even online tools such as: SSL Shopper.
3. Use the DER/Binary certificate that you just created, and export it in Standard PEM format.
1.2 Set up the instance for ADFS
1. If not already active, contact Technical Support to activate the SAML 2.0 Single Sign-On plugin.
2. Configure SAML 2.0, but when you install the IdP certificate, attach the PEM certificate you created when you Set up ADFS for SAML.
3. Click Save.
4. Verify that the Issue and Subject fields have values and that there are no errors. If an error occurs, open the saved PEM formatted certificate in Notepad and copy and paste the certificate into the PEM Certificate field.
5. Verify that the SAML2SingleSignon_update1 installation exit is active.
6. Continue the SAML 2.0 configuration.
Note: When a certificate is updated on the ADFS server, you also need to upload an updated certificate to the instance.
1.3 Configure an ADFS relying party
At this point you can take the instance metadata and import it into your ADFS server. However, manual configuration of the relying party appears to be easier to implement.
Procedure
1. Navigate to SAML 2 Single Sign-on > Properties and verify that the SAML property Sign AuthnRequest (glide.authenticate.sso.saml2.require_signed_authnrequest) is not active. Only keep this property active if your ADFS administrator can verify that you require signed requests.
2. Copy the metadata that you generated through the SAML 2 metadata link and save it to a file.
3. Log into the ADFS server and open the management console.
4. Select Relying Party Trusts.
5. Select Add Relying Party Trust from the top right corner of the window. The add wizard appears.
6. Click Start to begin.
7. Use the Import File option to import the metadata file.
8. Give it a display name such as ServiceNow and enter any notes you want.
9. Select ADFS 3.0 Profile.
10. Do not select a token encryption certificate. It will use the certificate that is defined on the service that has already been exported. Defining a certificate here will prevent proper communication with the instance.
11. Do not enable any settings on the Configure URL.
12. Enter the instance site to which you connected as the Relying Party trust identifier. In this case use https://company.service-now.com and click Add.
13. Permit all users to access this relying party.
14. Click Next and clear the Open the Claims when this finishes check box.
15. Close this page. The new relying party trust appears in the window.
16. Right-click on the relying party trust and select Properties.
17. Browse to the Advanced tab and set the Secure hash algorithm to SHA-1.
18. Browse to the Endpoints tab and add a SAML Assertion Consumer with a Post binding and a URL of https://company.service-now.com/navpage.do.
1.4 Configure ADFS relying party claim rules
Procedure
1. Log into the ADFS server and open the management console.
2. Right-click the relying party trust and select Edit Claim Rules.
3. Click the Issuance Transform Rules tab.
4. Select Add Rules.
5. Select Send LDAP Attribute as Claims as the claim rule template to use.
6. Give the claim a name such as Get LDAP Attributes.
7. Set the Attribute store to Active Directory, the LDAP Attribute to E-Mail-Addresses, and the Outgoing Claim Type to E-mail Address.
8. Select Finish.
9. Select Add Rules.
10. Select Transform an Incoming Claim as the claim rule template to use.
11. Give the Claim a name such as Email to Name ID.
12. Set the Incoming claim type to the Outgoing Claim Type in the previous rule. For example, E-Mail Address.
13. Set the Outgoing claim type to Name ID and the Outgoing name ID format to Email.
Note: These values must match the Name ID policy you define during SAML 2.0 configuration.
14. Select Pass through all claim values.
15. Click Finish.
1.5 Create a SAML logout endpoint
Create a SAML logout endpoint to allow single logout.
Procedure
1. Go to ADFS manager > Trust Relationships > Relying Party Trusts > Properties.
2. Under the Endpoints tab, click Add.
3. Configure the settings:
o Endpoint Type: SAML Logout
o Binding: POST
o URL: https://myadfsserver.domain.net/adfs/ls/?wa=wsignout1.0
1.6 Test the ADFS configuration
Test your ADFS configuration to verify that it is properly functioning as an identity provider.
Procedure
1. Open an Internet Explorer browser.
2. Navigate to your ADFS portal. For example, https://samportal.example.com/adfs/ls/idpinitiatedsignon.aspx. This page contains a drop-down list of all configured Relying Party Trusts.
3. Select the relying party associated with your instance.
4. Click Continue to Sign In.
If you have configured the SAML 2.0 external authentication properly, you should be automatically logged into the instance.
To test a direct login URL, navigate to https://samportal.example.com/adfs/ls/idpinitiatedsignon.aspx?logintoRP=https://company.service-now.com.
1.7 ServiceNow ADFS configuration
Below are the steps for ServiceNow setup.
1.7.1 To set things up in ServiceNow you need to have the role "admin".
1.7.2 Go to your ServiceNow backend and log in.
1.7.3 Click the "Plugins" link under "System Definition".
1.7.4 Find the "Integration - Multiple Provider Single Sign-On Installer" plugin and install it if it is not already installed.
1.7.5 Go to "Multi-Provider SSO -> Administration -> x509 Certificates".
1.7.6 Click the "New" icon at the top of the page.
1.7.7 Fill out the "Name" with something that makes sense to you. The field Format should be "PEM" and the Type "Trust Store Cert". In the "PEM certificate" field paste the certificate that you downloaded from ADFS earlier. You can do this by opening the file in a text editor like Notepad and copying the content out. Click "Submit" and the certificate is now stored in ServiceNow.
1.7.8 Click on "Multi-Provider SSO -> Identity Providers".
1.7.9 Click on the "New" button at the top.
1.7.10 Pick "SAML".
1.7.11 Click Cancel on the dialogue box that appears.
1.7.12 Give your Identity Provider a name in the "Name" field. Make sure to check the "Default" check box. Fill out the fields with the following information:
Identity Provider URL: https://sts.windows.net/"unique id"/
Identity Provider's AuthnRequest: https://login.microsoftonline.com/"unique id"/saml2
Identity Provider's SingleLogoutRequest: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
ServiceNow Homepage: your instance (e.g. https://yourcompany.service-now.com)
Entity ID / Issuer: your instance (e.g. https://yourcompany.service-now.com)
Audience URI: your instance (e.g. https://yourcompany.service-now.com)
NameID Policy: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Click "Submit" to save the Identity Provider record.
1.7.13 Click the newly created record.
1.7.14 Right-click the top bar and click "Copy sys_id". Paste this ID somewhere as you may need it later.
1.7.15 Click the "Advanced" tab and enter the following values:
User Field: user_name
AuthnContextClassRef Method: http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Single Sign-On Script: MultiSSO_SAML2_Update1
Clock Skew: 60
Protocol Binding for the IDP's SingleLogoutRequest: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
1.7.16 Right-click the grey bar at the top and select "Save".
1.7.17 Scroll to the bottom, locate the related list "X.509 Certificates" and click the "Edit..." button.
1.7.18 In the slush bucket that appears select the certificate that you created in step 2.6 and move it to the right. Then click "Save".
1.7.19 Click the "Test Connection" button at the top of the page to test that everything is working. For the test connection you may want to ensure that you are in a private / incognito browser window.
1.7.20 Examine the test result and click "Activate". Notice that I was using myself as a test person and therefore the test skipped the logout test.
1.7.21 Go to "Multi-Provider SSO -> Administration -> Properties".
1.7.22 Mark the checkboxes "Enable multiple provider SSO" and "Enable Autoimporting of users from all identity providers into the user table" to yes. The latter is optional though, as you can also create the users manually if you prefer. Click "Save".
1.8 ADFS Automatic redirect
If your instance does not automatically redirect to SSO you may need to manually add or modify the "glide.authenticate.sso.redirect.idp" system property.
1) Enter "sys_properties.list" in the main menu to the left and hit "Enter".
2) Search for "glide.authenticate.sso.redirect.idp". If it does not exist, create a new one by clicking the New icon. Otherwise open the record.
3) Paste in the sys_id of your Identity Provider record that we copied earlier.
Remember to make the property "Private" to ensure that it is not copied between instances, as the sys_id of the IdP record will be different from system to system.
Mark the answer Correct & Helpful if it resolved your query/issue.
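The ADFS-side steps of sections 1.1, 1.3 and 1.4 in the guide above, written out as an added PowerShell example. This is not code from the post, from ServiceNow or from Microsoft; it assumes the ADFS PowerShell module on the federation server, an elevated admin session, and the placeholder file paths and relying party name set at the top. The instance URL is the https://company.service-now.com placeholder the guide itself uses. It also adds a check for the note in section 1.2 that the PEM on the instance must be re-uploaded whenever ADFS rolls its token-signing certificate over.

```powershell
# Added example (not from the thread, ServiceNow or Microsoft). Run on the ADFS server
# in an elevated session with the ADFS module loaded.
# ASSUMED placeholder values; change them for your environment.
$InstanceUrl  = "https://company.service-now.com"        # placeholder used by the guide
$MetadataFile = "C:\sso\servicenow-sp-metadata.xml"     # assumed: SP metadata saved in step 1.3.2
$PemPath      = "C:\sso\adfs-token-signing.pem"         # assumed: the PEM uploaded in step 1.7.7
$RpName       = "ServiceNow"                            # display name from step 1.3.8

# Section 1.1: export the PRIMARY token-signing certificate to PEM locally,
# so the certificate never has to go through an online converter.
function Export-AdfsTokenSigningPem {
    param([string]$Path)
    $cert = (Get-AdfsCertificate -CertificateType Token-Signing |
             Where-Object { $_.IsPrimary }).Certificate
    # X509ContentType::Cert exports the public certificate only (DER); no private key.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der)
    $body = @()
    for ($i = 0; $i -lt $b64.Length; $i += 64) {         # 64-column PEM body lines
        $body += $b64.Substring($i, [Math]::Min(64, $b64.Length - $i))
    }
    Set-Content -Path $Path -Encoding Ascii -Value (
        @("-----BEGIN CERTIFICATE-----") + $body + @("-----END CERTIFICATE-----"))
    return $cert.Thumbprint
}

# Section 1.2 note: when AutoCertificateRollover is on, ADFS promotes a new
# token-signing certificate before the old one expires and the PEM stored on the
# instance stops validating assertions. Compare the uploaded PEM with the current primary.
function Test-AdfsSigningPemCurrent {
    param([string]$Path)
    $uploaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $primary  = (Get-AdfsCertificate -CertificateType Token-Signing |
                 Where-Object { $_.IsPrimary }).Certificate
    $ok = ($uploaded.Thumbprint -eq $primary.Thumbprint)
    if (-not $ok) {
        Write-Warning "Instance PEM $($uploaded.Thumbprint) differs from ADFS primary $($primary.Thumbprint): re-upload it (step 1.7.7)."
    }
    if ((Get-AdfsProperties).AutoCertificateRollover) {
        Write-Warning "AutoCertificateRollover is enabled; re-run this check before $($primary.NotAfter)."
    }
    return $ok
}

# Section 1.4, steps 5-15, as ADFS claim rule language: E-Mail-Addresses from AD,
# then transformed into a Name ID with the email format.
$transformRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get LDAP Attributes"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to Name ID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Section 1.3, step 13 ("Permit all users"): every authenticated AD user gets a token.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

# Section 1.3: relying party trust built from the instance's SP metadata (step 7),
# with the identifier (step 12), unsigned AuthnRequests (step 1), the POST assertion
# consumer on navpage.do (step 18) and the signature algorithm (step 17).
function New-ServiceNowRelyingParty {
    Add-AdfsRelyingPartyTrust -Name $RpName -MetadataFile $MetadataFile `
        -IssuanceAuthorizationRules $authzRules -IssuanceTransformRules $transformRules

    $acs = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLAssertionConsumer `
        -Uri "$InstanceUrl/navpage.do" -Index 0 -IsDefault $true

    # RSA-SHA256 here rather than the guide's SHA-1; see the note after this block.
    Set-AdfsRelyingPartyTrust -TargetName $RpName -Identifier $InstanceUrl `
        -SamlEndpoint $acs -SignedSamlRequestsRequired $false `
        -SignatureAlgorithm "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"
}

# Usage, in the guide's order:
$thumb = Export-AdfsTokenSigningPem -Path $PemPath        # upload $PemPath in step 1.7.7
New-ServiceNowRelyingParty
Get-AdfsRelyingPartyTrust -Name $RpName |
    Select-Object Name, Identifier, SignatureAlgorithm, SamlEndpoints
Test-AdfsSigningPemCurrent -Path $PemPath                 # re-run after every ADFS rollover
```

Two deliberate differences from the wizard walkthrough: the certificate is converted to PEM on the server instead of through an online converter, and the relying party signs with RSA-SHA256 rather than the SHA-1 chosen in step 1.3.17; if the Test Connection of step 1.7.19 reports a signature validation failure on your release, set -SignatureAlgorithm to http://www.w3.org/2000/09/xmldsig#rsa-sha1 on the same cmdlet. Note that -SamlEndpoint and -Identifier on Set-AdfsRelyingPartyTrust replace the lists imported from the metadata, so any extra endpoint (for example the SAML Logout endpoint of section 1.5, created with -Protocol SAMLLogout) has to be passed in the same array.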
09-11-2020 05:54 AM
Thank you so much for your response. For all the steps you suggested to set up ADFS, do I need to work with the AD team to set them up from their end, or do I need to do these configurations myself? (Please pardon me if I am wrong, as I am new.) And also, what is the initial procedure?
Please suggest.