Blog - NOW Mobile Agent + Custom URL + Multi-Source SSO

05-26-2023 06:57 AM - edited 05-26-2023 07:06 AM
Multi-Source SSO Configuration + Custom URL + Mobile Agent
Summary: Configuring the platform to support more than one SSO source in Mobile Agent for multi-tenant and/or multi-SSO environments via Custom URLs.
Scenario:
- Internal organizational Fulfiller users (yourcompany.com) use Mobile Agent in a high-level domain via one SSO source (e.g. Azure AD)
- External Fulfiller users (bestcustomer.biz) wish to use Mobile Agent in a lower-level domain via a different SSO source (e.g. Okta)
- Mobile Agent only supports the "instance URL", so yourcompany.com/customer portals and other pre-login methods would not work
Pre-Requisites:
- Multi-source SSO enabled
- Identity Provider built for SSO and tested/working
- User present in the related SSO source, matched on the SSO match field (i.e. email), with proper roles
Step 1: [Off-Platform] At the DNS registrar for the domain, create the Custom URL | Ex. servicenow.yourcompany.com
Step 2: [Off-Platform] Create a CNAME record in DNS for the URL, pointing to the instance URL
Step 3: Create the Custom URL for the request (LINK), making sure to associate the proper SSO Provider (i.e. not the default) with the Custom URL via the Identity Provider related list, and test
Step 4: Wait for the Custom URL to become active (4-6hrs after testing)
The Custom URL job runs in the background to assign this URL a related SSO Certificate
Step 5: [Off-Platform] Configure the SSO Provider for the custom domain (LINK) | Note: if it is already configured, a second SSO SAML profile may be necessary, depending on the SSO provider, to support multiple source domains.
Step 6: Test logging in via web and SSO (not Mobile Agent) to confirm functionality
Step 7: In NOW Mobile, create an additional instance and test logging in with the associated secondary SSO test user
Possible Issues:
Custom URL not triggering activation and/or Custom URL job not triggering
- Check the other Custom URLs and run “Test CNAME” on each
- Delete those that are failing and not in use
- If a legacy Custom URL cannot be deleted or removed, export its XML, change the action attribute as follows, and import the edited file:
  - OLD: <custom_url action="INSERT_OR_UPDATE">
  - NEW: <custom_url action="DELETE">
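The OLD/NEW switch above, as an added Python example that is not part of the original post: it builds an import file holding only the selected legacy record with `action="DELETE"`, so the import cannot touch Custom URLs that are still in use. The sample export, its `sys_id` values and the function name `build_delete_import` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample export; the sys_id values are made up and other fields are omitted.
SAMPLE_EXPORT = """<?xml version="1.0" encoding="UTF-8"?>
<unload unload_date="2023-05-26 06:57:00">
<custom_url action="INSERT_OR_UPDATE">
<sys_id>11111111111111111111111111111111</sys_id>
</custom_url>
<custom_url action="INSERT_OR_UPDATE">
<sys_id>22222222222222222222222222222222</sys_id>
</custom_url>
</unload>"""


def build_delete_import(export_xml, sys_ids_to_delete):
    """Return (import_xml, switched_ids) for the listed legacy records only."""
    root = ET.fromstring(export_xml.encode("utf-8"))
    wanted = set(sys_ids_to_delete)
    switched = []
    for rec in list(root):
        sys_id = (rec.findtext("sys_id") or "").strip()
        if rec.tag == "custom_url" and sys_id in wanted:
            # OLD: action="INSERT_OR_UPDATE"  ->  NEW: action="DELETE"
            rec.set("action", "DELETE")
            switched.append(sys_id)
        else:
            # Drop everything else so the import only carries the deletion.
            root.remove(rec)
    missing = wanted - set(switched)
    if missing:
        # Refuse to produce a file if a requested record is not in the export.
        raise ValueError(f"sys_id not found in export: {sorted(missing)}")
    return ET.tostring(root, encoding="unicode"), switched


if __name__ == "__main__":
    xml_out, ids = build_delete_import(
        SAMPLE_EXPORT, ["11111111111111111111111111111111"]
    )
    print("records marked for delete:", ids)
    print(xml_out)
```

Keep the unmodified export as a backup before importing the generated file.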
Error in Mobile Agent stating: Now Mobile - error unauthorized_client: The client credentials provided (those of the service you are using) are either not valid or not trusted
- Fix: LINK
- Steps
  - Create an update set
  - Back up the oauth_entity table (Application Registries) XML file from the current instance (flat file/history) and store it for reference
  - Export the oauth_entity table (Application Registries) XML file from an OOB instance
  - Import the XML from the OOB instance (the ‘clean’ file) into the instance