07-16-2017 07:47 PM
Hi all.
I have read as many documents and forums as I could find.
I just need some quick clarification please.
Internet: ServiceNow Istanbul
Customer Network : LDAP Servers, MID Server
We wish to enable two things.
1. User provisioning from the LDAP Server. No problems. MID Server can talk to ServiceNow using Port 443. Great.
2. Authentication (or SSO). Not so great.
In this example, the SN instance will need to talk through the firewall and directly to LDAP Server. With no MID Server interaction, correct?
If correct, where can I find the security and network requirements for this communication (ports, directions, type)?
Also, please confirm that in this architecture, the MID server option will work, but is rather redundant in this User Provisioning role, correct?
Further to this, I then find this: LDAP integration setup
Which states: Administrators can enable LDAP integration to allow single sign-on of users from their company LDAP directory.
After the integration, the MID Server connects to the instance and the MID Server also connects to the LDAP server. In both cases, the MID Server initiates the connection:
- First, the MID Server connects to the LDAP server via LDAP on Port 389.
- Then, the MID Server initiates an HTTPS encrypted connection to the instance on Port 443 to push the data to the instance.
...which is contrary to my understanding about SSO and MID Servers not working together.
Thanks all.
07-17-2017 05:08 PM
G'Day everybody.
OK, so further research has led me to this three part blog by Bill...
https://community.servicenow.com/community/blogs/blog/2014/11/25/you-dont-need-a-vpn
This is basically stating (and I'm talking Authentication here):
1. SSO is the preferred option (but noted that not everybody can do this due to their environment);
With more information on it being here: ADFS integration with SAML 2.0
2. LDAPS is also a viable and secure option. With more information on this being in the above blog.
3. Other options (???)
I would love to hear your feedback on option 1 and 2 above.
07-16-2017 11:42 PM
Hello Darren,
MID server can be used only for LDAP integration, but not for authentication:
LDAP integration via MID Server
Check the Note section on the above link.
For LDAP authentication you will need a public IP address where our instance can connect to (using usually LDAPS protocol) or a direct VPN tunnel between ServiceNow network and your network. For more information on what is possible have a look here:
Setting Up a Virtual Private Network between ServiceNow and a Business Network - ServiceNow Wiki
07-16-2017 11:53 PM
Thanks Sergiu.
So to clarify. LDAP for User Provisioning via MID Server. No problems. And the bonus of this is that I only need to open one outbound port (443) so security people are happy.
But now that we also want to do Authentications (SSO) also, I now need to open a bunch of ports and even perhaps implement a VPN.
The link you provided says "Using a MID Server to establish an LDAP connection prevents you from having to expose the LDAP server to external network traffic. It also eliminates the need to establish a VPN tunnel between your LDAP server and data centers." So ALL of this is "Unless you want to do SSO as well." Is this correct?
I really want to know what other people out there are doing in this simple setup. Being a Customer with their own network and LDAP Servers, and ServiceNow in the Cloud. What solution do they do for User Provisioning (Sync) and Authentication (SSO)?
Thanks again Sergiu
07-16-2017 11:55 PM
And also Sergiu, when you say "For LDAP authentication you will need a public IP address where our instance can connect to".
Any tips where I can find the specs for this connection? i.e. Ports, Traffic Direction, Type of traffic, etc.? If this is a valid option.
Thanks again.
D
07-17-2017 12:04 AM
So if you want to use MID server only for LDAP integration, then you will need something else for authentication (either a direct link to an LDAPS or SSO).
Now, for the LDAPS option you need to open port 636 usually (the default port for LDAPS) so the instance can do an LDAP request for each user on authentication. You will also need a PKI certificate. Unfortunately I can't find the exact requirements for this, but some of the information I could find is here:
For SSO authentication, this one seems to be more popular from what I see. I've not seen many customers using LDAPs for user authentication.
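The reply above describes the direct LDAPS option (port 636, PKI certificate, instance connecting inbound to the customer's listener). The following is an added example, not code from this thread or from ServiceNow, that a customer can run from the outside to confirm the exposed LDAPS listener actually enforces TLS with a trusted certificate before the firewall rule goes live. The hostname `ldaps.example.internal` and the `cafile` path are hypothetical placeholders.

```python
import socket
import ssl


def build_ldaps_context(cafile=None):
    """TLS client context a relying party should use against an LDAPS listener:
    certificate required, hostname checked, TLS 1.2 or better, no plaintext fallback."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_ldaps_endpoint(host, port=636, cafile=None, timeout=5.0):
    """Open a TLS session to host:port and report what the listener presents.

    Returns a dict whose 'status' is one of:
      'ok'          - handshake completed against a certificate we trust
      'untrusted'   - TCP reachable, but the certificate or handshake failed validation
      'unreachable' - no TCP connection (closed port, firewall, DNS failure)
    """
    ctx = build_ldaps_context(cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {
                    "status": "ok",
                    "tls_version": tls.version(),
                    # subject is a tuple of RDNs, each a tuple of (name, value) pairs
                    "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                    "not_after": cert.get("notAfter"),
                }
    except ssl.SSLCertVerificationError as exc:
        # reachable listener, but the PKI side is wrong (self-signed, wrong CN/SAN, expired)
        return {"status": "untrusted", "reason": exc.verify_message}
    except ssl.SSLError as exc:
        # reachable listener, but no acceptable TLS handshake (e.g. plaintext LDAP on 636)
        return {"status": "untrusted", "reason": str(exc)}
    except OSError as exc:
        return {"status": "unreachable", "reason": str(exc)}


if __name__ == "__main__":
    # Hypothetical host; replace with the LDAPS listener exposed to the instance.
    print(check_ldaps_endpoint("ldaps.example.internal", cafile="/path/to/corp-ca.pem"))
```

An 'untrusted' result is the one to fix before opening port 636, since the instance will refuse the same certificate.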