07-25-2017 09:54 AM
I'm trying to pull off an Okta integration via Multi-Provider SSO, but I'm having difficulty in two areas:
1) Authentication
We created a dummy user on both ServiceNow and Okta, and the SSO component worked smoothly. So we attempted to test with a user that pre-existed in ServiceNow and now has an Okta user name. In this case, the user will proceed immediately to log out (and sys logs will complain that the user was not found). The user will log in perfectly if I dis-associate him from his company record in ServiceNow. I know multi-provider SSO allows you to specify the SSO Source by company, but if the Company has no SSO source, should it not use the default?
Tests:
- User has no company defined in ServiceNow = login success!
- User has a company defined in ServiceNow + Company as SSO Source of Okta IdP's sys_id = fail (user not found)
- User has a company defined in ServiceNow + Company has no SSO Source defined + Okta IdP set as default IdP = fail (user not found)
2) Provisioning
I had always assumed that with Multi-Provider SSO and Okta you could provision users into ServiceNow if the SSO Source had validated them. I was anticipating that on SN I could check a box to allow inserts (in the same fashion that multi-provider SSO allows updates).
However, when we create a user in Okta and grant access to SN, when that user attempts to log in they're taken directly to the logout screen. System logs complain that the user does not exist. Now, some peers are telling me that this happens via an Okta push vs a ServiceNow pull. This thread seems to indicate that a pull is possible too. What do you good folks generally see?
07-28-2017 05:53 AM
UPDATE
Special thanks to ServiceNow support for the assist on this one. Apparently there was a Before Query business rule on the User table that was interfering with multi-provider SSO's ability to look up the User / User-Company necessary to determine the SSO Source. Once we refactored that business rule (for an ancient and no longer relevant use case) everything started working exactly as expected.
Lessons learned: If you're working on a customer instance always recon for custom Before Query business rules.

07-25-2017 10:34 AM
Provisioning is handled on the Okta side, within the application on the Provisioning tab (enable the "Create Users" option).
More info: ServiceNow Provisioning (although I would recommend using the UD-enabled app which is now out of Early Access: ServiceNow Provisioning)
I do not have an SSO Source defined on the company table entries. We run 2 Okta tenants:
- A majority of my users from one company exist in one tenant. I do not have an SSO source in ServiceNow on individual sys_user records.
- I have a handful of users in another Okta tenant from several different companies. These users have an SSO Source directly on the sys_user record. I accomplish this by adding a static value in the Attribute Mapping (Okta to SN tab) within Okta ("sso:b98f21524f4172c0d59d76641310c7f7").
Okta creates 200+ new users and pushes 1000+ user profile updates every week in ServiceNow without issue, so I can testify the integration works awesome once configured. Not sure if this is helpful, but feel free to ask about my config if you need. It sounds like there might be an issue with the Company SSO Source config?

11-15-2017 09:25 AM
Just came across this thread and would be very interested in learning more about what you've set up Erik, as it sounds very similar to what I need to accomplish with multiple Okta tenants.

11-21-2017 08:19 AM
Marcel, I just sent you a PM. Feel free to respond to me on there or start a new post. I don't want to hijack Mr. Fedoruk's post.
07-26-2017 11:03 AM
So it turns out I wasn't entering the SSO Source correctly on the company record. I had just the sys_id instead of "sso:sys_id". However, even after updating that, users in that company still fail to get logged in (proceed immediately to the logout screen). If I remove them from the company, they log in just fine. If I keep them in the company, but remove the SSO Source, they proceed directly to logout.
What am I missing?
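The two things this thread turns on are the "sso:<sys_id>" value format (the bare sys_id mistake above) and the lookup order the posts describe: an SSO Source on the sys_user record, then the company's SSO Source, then the default IdP. The following is an added example, not code from the thread or from ServiceNow: a small model of that precedence with a format check, replaying the thread's cases as they should behave once the user lookup is not being interfered with. The record shapes, the company sys_id and the user names are constructed; only the Okta IdP sys_id is the one quoted earlier in the thread.

```javascript
// Added example (not ServiceNow's implementation): models the SSO Source
// precedence described in the thread. Record shapes and ids are assumed.
const SSO_SOURCE_RE = /^sso:([0-9a-f]{32})$/i;
// Returns the IdP sys_id carried by an SSO Source value, or null when the
// value is empty or malformed (for example a bare sys_id without "sso:").
function parseSsoSource(value) {
  if (typeof value !== 'string') return null;
  const m = SSO_SOURCE_RE.exec(value.trim());
  return m ? m[1].toLowerCase() : null;
}
// Picks the IdP for a login: user.sso_source, then the company's sso_source,
// then the active IdP flagged as default. The trace records every skipped candidate.
function resolveIdp(user, companies, idps) {
  const company = user.company ? companies.get(user.company) : undefined;
  const candidates = [
    ['user.sso_source', user.sso_source],
    ['company.sso_source', company ? company.sso_source : undefined],
  ];
  const trace = [];
  for (const [where, raw] of candidates) {
    if (!raw) { trace.push(`${where}: empty`); continue; }
    const id = parseSsoSource(raw);
    if (!id) { trace.push(`${where}: malformed "${raw}", expected sso:<32-hex sys_id>`); continue; }
    const idp = idps.get(id);
    if (!idp || !idp.active) { trace.push(`${where}: no active IdP with sys_id ${id}`); continue; }
    return { idp: id, via: where, trace };
  }
  for (const [id, idp] of idps) {
    if (idp.active && idp.isDefault) return { idp: id, via: 'default', trace };
  }
  return { idp: null, via: null, trace };
}
// Constructed fixture: the Okta IdP sys_id is the one quoted in the thread;
// the company sys_id and user name are made up.
const OKTA_IDP = 'b98f21524f4172c0d59d76641310c7f7';
const ACME = 'a1b2c3d4e5f60718293a4b5c6d7e8f90';
const IDPS = new Map([[OKTA_IDP, { name: 'Okta', active: true, isDefault: true }]]);
// Replays the cases discussed in the thread against the model.
function runCases() {
  const companies = (ssoSource) => new Map([[ACME, { sso_source: ssoSource }]]);
  return {
    noCompany: resolveIdp({ user_name: 'jdoe' }, companies(undefined), IDPS),
    companyPrefixed: resolveIdp({ user_name: 'jdoe', company: ACME }, companies('sso:' + OKTA_IDP), IDPS),
    companyBareSysId: resolveIdp({ user_name: 'jdoe', company: ACME }, companies(OKTA_IDP), IDPS),
    userRecord: resolveIdp({ user_name: 'jdoe', sso_source: 'sso:' + OKTA_IDP }, companies(undefined), IDPS),
  };
}
```

The bare-sys_id case falls through to the default IdP with a "malformed" entry in its trace, which is the kind of diagnostic a login failure like the one above would benefit from.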