User Provisioning and Authentication (LDAP)

darreneverett
Mega Expert

Hi all.

I have read as many documents and forums as I could find.

I just need some quick clarification please.

Internet: ServiceNow Istanbul

Customer Network : LDAP Servers, MID Server

We wish to enable two things.

1. User provisioning from the LDAP Server. No problems. MID Server can talk to ServiceNow using Port 443. Great.

2. Authentication (or SSO). Not so great.

In this example, the SN instance will need to talk through the firewall and directly to the LDAP Server. With no MID Server interaction, correct?

If correct, where can I find the security and network requirements for this communication (ports, directions, type)?

Also, please confirm that in this architecture, the MID Server option will work, but is rather redundant in this User Provisioning role, correct?

Further to this... I then find this: LDAP integration setup

Which states: Administrators can enable LDAP integration to allow single sign-on of users from their company LDAP directory.

After the integration, the MID Server connects to the instance and the MID Server also connects to the LDAP server. In both cases, the MID Server initiates the connection:

  1. First, the MID Server connects to the LDAP server via LDAP on Port 389.
  2. Then, the MID Server initiates an HTTPS encrypted connection to the instance on Port 443 to push the data to the instance.

...which is contrary to my understanding about SSO and MID Servers not working together.

Thanks all.

1 ACCEPTED SOLUTION

darreneverett
Mega Expert

G'Day everybody.

OK, so further research has led me to this three-part blog by Bill...

https://community.servicenow.com/community/blogs/blog/2014/11/25/you-dont-need-a-vpn

https://community.servicenow.com/community/blogs/blog/2014/12/02/you-dont-need-a-vpn--part-ii-ldap-i...

https://community.servicenow.com/community/blogs/blog/2014/12/09/you-dont-need-a-vpn-part-iii--singl...

This is basically stating (and I'm talking Authentication here):

1. SSO is the preferred option (but noted that not everybody can do this due to their environment), with more information on it being here: ADFS integration with SAML 2.0 (https://docs.servicenow.com/bundle/helsinki-servicenow-platform/page/integrate/saml/concept/c_ADFSIn...)

2. LDAPS is also a viable and secure option, with more information on this being in the above blog.

3. Other options (???)

I would love to hear your feedback on option 1 and 2 above.



9 REPLIES

Thanks again Sergiu.

So, I don't WANT to use MID Server for LDAP Integration. But as it seems the most secure (one outbound port), then the customer is sold on that.

And it now seems I have two real options.

1. LDAP Authentication (not via MID), I assume using ADFS.

2. Other SSO methods.

Some good reading for me.

Many thanks once again.


Anytime Darren!


And if anybody can confirm this question...

"There is no point in using a MID Server for Sync if you plan on using LDAP for Authentication, because you need to open up LDAP outside of the MID Server anyway!!" Sound fair?


From my point of view, I think you're right. If you use LDAPS or LDAP via VPN tunnel, I don't see the point of having a MID server for integration as you can use the LDAP directly.

Others probably can confirm this as well.
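As an added illustration, not part of this thread and not ServiceNow's code, of why the "LDAP on Port 389" step in the quoted documentation and Sergiu's "LDAPS or LDAP via VPN tunnel" point matter: the script below hand-encodes an LDAPv3 simple BindRequest (RFC 4511) in BER, which is what a plain LDAP bind puts on the wire, then parses the frame back to show that the bind DN and password are readable to anything on the path without any key. The `ldaps_context()` helper shows the standard-library TLS settings a client should use for LDAPS on port 636 (chain validation, hostname check, TLS 1.2 minimum). The service-account DN and password are constructed sample values.

```python
"""Added example: what an LDAPv3 simple bind looks like on the wire (RFC 4511),
encoded by hand in BER, plus the TLS settings that protect it over LDAPS."""
import ssl


def ber_length(n: int) -> bytes:
    """BER definite-form length: one byte below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    """Tag-Length-Value triple."""
    return bytes([tag]) + ber_length(len(value)) + value


def ber_integer(n: int) -> bytes:
    """Minimal two's-complement INTEGER; adds a leading 0x00 when the top bit is set."""
    body = n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True)
    return tlv(0x02, body)


def simple_bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    auth = tlv(0x80, password.encode())  # AuthenticationChoice [0] simple: OCTET STRING
    bind_request = tlv(0x60, ber_integer(3) + tlv(0x04, bind_dn.encode()) + auth)  # [APPLICATION 0]
    return tlv(0x30, ber_integer(message_id) + bind_request)  # SEQUENCE wrapping the message


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag = buf[pos]
    first = buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        pos = pos + 2 + n
    return tag, buf[pos:pos + length], pos + length


def extract_bind_credentials(frame: bytes):
    """Walk the BER structure of a bind frame and return (dn, password).
    No key or secret is needed: on plain port 389 this is what the network sees.
    Returns None when the message is not a simple bind (e.g. SASL)."""
    tag, msg, _ = parse_tlv(frame)
    if tag != 0x30:
        return None
    _, _, pos = parse_tlv(msg)             # skip messageID
    tag, bind, _ = parse_tlv(msg, pos)
    if tag != 0x60:
        return None
    _, _, pos = parse_tlv(bind)            # skip version
    _, dn, pos = parse_tlv(bind, pos)
    tag, secret, _ = parse_tlv(bind, pos)
    if tag != 0x80:
        return None                        # not the [0] simple choice
    return dn.decode(), secret.decode()


def ldaps_context() -> ssl.SSLContext:
    """Client TLS settings for LDAPS (port 636): chain validation against the
    system trust store, hostname check, TLS 1.2 or newer. The same bind frame
    travels inside this TLS session instead of in the clear."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    # Constructed sample values; not real credentials.
    frame = simple_bind_request(1, "cn=svc-servicenow,ou=service,dc=example,dc=com", "constructed-secret")
    print("bind frame:", frame.hex())
    print("readable without any key:", extract_bind_credentials(frame))
    print("LDAPS client verify mode:", ldaps_context().verify_mode.name)
```

The practical takeaway for the firewall discussion above: whichever side opens the connection (MID Server outbound, or the instance inbound through the customer firewall), a bind on 389 carries the service account's DN and password exactly as shown, so the LDAP path should be 636 with a certificate the client actually validates, or be carried inside a VPN tunnel.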

