SAML Auto Provisioning Setup

Go to solution
tomcline
Tera Contributor

‎01-20-2022 10:18 AM

Hello All,

We are stumped on SAML User Auto Provisioning and hoping the wonderful community can help us out.

We have successfully setup a basic SAML integration with our ServiceNow instance. We are able to login through our SAML Provider and be authenticated and updated within our ServiceNow Instance. All good and relatively straight forward assuming we set the users SAML ID into their ServiceNow user record ahead of time. 

We wanted to take the next step and configure "Auto Provisioning" of users. We followed all of the documentation and guides we could find. Alas, it seems we are missing a crucial step or misunderstanding one of the steps. No combination of settings and properties seems to get "Auto Provisioning" working upon login of a new user account.

Has anyone successfully enabled "Auto Provisioning"? Are there any tricks or gotchyas? Troubleshooting help? 

 

Thanks for any help or insight may provide!

@jwagner 

 

0 Helpfuls
  • 2,947 Views
1 ACCEPTED SOLUTION

Go to solution
Mike Naputano
Tera Expert
In response to tomcline

‎01-20-2022 12:16 PM

Our user field in the SSO provider is email, and we are just coalescing on the email field we get from the IDP in the transform maps. I attached the field maps for reference.

Thanks,

Mike

View solution in original post

Preview file
59 KB
0 Helpfuls
6 REPLIES 6

Go to solution
tomcline
Tera Contributor

‎01-20-2022 11:12 AM

@Mike Naputano  In a separate thread you mention you were able to get user auto provisioning working, could you take a look at this thread and offer any assistance?

Thanks!

0 Helpfuls

Go to solution
Mike Naputano
Tera Expert
In response to tomcline

‎01-20-2022 11:29 AM

Hi Tom,

   Sure, happy to help. Check out System Import Sets/Transform Maps, and see if you notice an odd map that has a name similar to this: u_imp_saml_user_26oz0vwprj

That should be your auto provisioning transform map that was created thanks to your Identity Provider setting that is just a checkbox named Auto Provisioning User. Assuming you have that set?

We added some field maps to this transform to set the first name, last name, username, SSO source, email, etc. that we receive from the SSO assertion. We really did not have to modify too much at all with this transform map other than the fields we wanted to set.

Let me know if you have this transform map available. I can share some screen shots if need be too.

Thanks,

Mike

0 Helpfuls

Go to solution
tomcline
Tera Contributor
In response to Mike Naputano

‎01-20-2022 11:40 AM

Hey Mike,

 

Thanks! Yes I have a transform map and have used it to map certain fields. None of the fields available in the mapping seem to be the subjects NameID coming in from the SAML assertion (in our case, a GUID from the IDP).

How did you set up your NameID Policy and User Field and or NameID Attribute field?

0 Helpfuls

Go to solution
Mike Naputano
Tera Expert
In response to tomcline

‎01-20-2022 12:16 PM

Our user field in the SSO provider is email, and we are just coalescing on the email field we get from the IDP in the transform maps. I attached the field maps for reference.

Thanks,

Mike

Preview file
59 KB
0 Helpfuls