OIDC with on behalf of capability

03-11-2025 04:45 AM
Hi ServiceNow community,
I got the requirement to integrate an OIDC IdP that, during the authentication process, lets the user select another person or organization on whose behalf this user should act. The authenticating person should then be able to use the customer portal and access resources of the on-behalf-of user.
Example:
I log in with my identifier john.doe@gmail.com, but can then select on a form (presented by the IdP) either myself or somebody else (e.g. Jane Doe-Miller [spouse] or a company John can act for).
If I now select e.g. "Jane Doe-Miller", I get the following JWT, containing a "deputy" node with the selected on-behalf-of user/organization:
{
  "iss": "https://myIdpUrl.company.com/auth/realms/login",
  "aud": "myappid.company.com",
  "jti": "dbd3016d-cb15-44c5-9ab6-b34c321f3cf0",
  "iat": 1714140000,
  "exp": 1714141800,
  "nonce": "DyYCEG2AMdqE",
  "sub": "3f3c7d1d-4532-4fe5-be15-f0ee1c5722c0",
  "email": "john.doe@gmail.com",
  "family_name": "Doe",
  "given_name": "John",
  "deputy": {
    "account_type": "person",
    "account_id": "2345234-4532-4cb4-ac12-f0ee1c5762c0",
    "display_name": "Jane Doe-Miller",
    "email": "jane.doe-miller@gmail.com"
  }
}
Question:
What is the best way to handle the delegation / impersonation of this selected deputy in ServiceNow, so that this person can act on the customer portal on behalf of the chosen person / organization?
Shall we impersonate (GlideImpersonate) the deputy person in the OAuthID Single Sign-On Script (and therefore assign the impersonator role to e.g. john.doe@gmail.com?), or is there another possibility so that I can act on the system on behalf of somebody else and perform the action directly during authentication?
Thanks for your support and regards,
Marco
Labels: Platform and Cloud Security