Kenny Caldwell
ServiceNow Employee

Magic links let consumers access resources shared by a provider without a manual login, by providing seamless authentication from a consumer instance to a provider instance. This feature supports both per-user and single-user login modes and is particularly useful for service catalog submissions and knowledge base access.

 

Magic Links uses the Multi Provider Single Sign-On plugin. Installing Service Bridge for Providers v2.2.2 and above also installs the Multi Provider Single Sign-On plugin.

 

Validate Identity Provider Record

When a consumer is onboarded via the Service Bridge registration process, an identity provider is created and associated with the Consumer connection record.


Navigate to All > Multi-Provider SSO > Identity Providers and validate the Identity Provider record. The name will be in the form of “<The Connection Number> Service Bridge Identity Provider”. If the identity provider record is not present, navigate to the Service Bridge Health Dashboard and check the scan tasks related to Magic Link findings. See the Upgrading to Service Bridge for Providers v2.2.2 section below.

 

SB Magic Links - IDP - 1.png

Enable Magic Links for a Consumer

  1. Navigate to All > Service Bridge Provider > Consumers.
  2. Open the consumer connection record for which Magic Links will be configured.
  3. Under the Related Lists, click the Settings tab and open the settings record. 

    SB Magic Links - Consumer Connection with Border.png

  4. In the Magic Links tab, select Enable magic links and configure additional Magic Links settings as necessary.

    SB Magic Links - Settings with Border.png

     

    SB Magic Links - Config Table.png
  5. Click Update.
  6. Enabling/disabling "Enable magic links" activates/deactivates the Identity Provider for the connection.

 

Enable Multi-Provider SSO

If Magic Links have not previously been configured for a consumer, Multi-Provider SSO may need to be enabled. If Multi-Provider SSO is not enabled, an info message is displayed on the consumer connection settings record: “Enable the property.authenticate.multisso.enabled to activate the magic link functionality”.

 

SB Magic Links - Settings - Info Message Highlight - with border.png

  1. Navigate to All > Multi-Provider SSO > Administration > Properties. If the system property Enable multiple provider SSO is disabled, either SSO Account Recovery must be configured or, if local login is required, SSO Account Recovery should be disabled.

    SB Magic Links - Multi-SSO Properties Grayed Out - with Border.png

  2. Account Recovery can be disabled to allow local logins by unchecking the system property Enable account recovery under Account Recovery Properties.

    SB Magic Links - Disable SSO AR for local login with Border.png

     

  3. After configuring SSO Account Recovery or disabling SSO Account Recovery, Multi-Provider SSO can be enabled by selecting Enable multiple provider SSO and saving.

    SB Magic Links - Multi-Provider SSO Enabled with Border.png

 

 

Using Magic Links
After Magic Links is enabled for a consumer and Multi-Provider SSO has been configured, Magic Links is ready for use. URLs in transport queue payloads that are synced to the consumer and meet the following criteria are converted to magic links.

 

  • The URL is a properly formatted absolute URL to the provider's instance, anywhere in the payload.
  • The URL is a relative URL in the href attribute of links and in URL-type fields.
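
The two criteria above can be approximated with a small audit script that shows which URLs in an outbound payload would qualify. This is an added example, not Service Bridge code: the payload shape, field types, host names and the treatment of protocol-relative (`//host`) references are assumptions.

```javascript
// Added example: flags URLs in a payload that match the two conversion
// criteria listed above. Payload shape and host names are constructed.
const PROVIDER_ORIGIN = 'https://provider.example.com'; // placeholder instance

// A relative reference has no scheme and is not protocol-relative ("//host").
// Treating "//host" as non-relative is a choice made for this example.
function isRelative(ref) {
  return ref !== '' && !/^[a-z][a-z0-9+.-]*:/i.test(ref) && !ref.startsWith('//');
}

function magicLinkCandidates(fields, providerOrigin = PROVIDER_ORIGIN) {
  const hits = [];
  const add = (field, url, rule) => hits.push({ field, url, rule });
  for (const { name, type, value } of fields) {
    const text = String(value ?? '');
    // Criterion 1: absolute URL to the provider instance, anywhere in the payload.
    for (const [raw] of text.matchAll(/https?:\/\/[^\s"'<>]+/gi)) {
      let parsed;
      try { parsed = new URL(raw); } catch { continue; } // skip malformed URLs
      // Compare the parsed origin, not a string prefix, so a host such as
      // provider.example.com.lookalike.test is not taken for the provider.
      if (parsed.origin === providerOrigin) add(name, raw, 'absolute');
    }
    // Criterion 2a: relative URL inside an href attribute.
    for (const m of text.matchAll(/href\s*=\s*(["'])(.*?)\1/gi)) {
      if (isRelative(m[2])) add(name, m[2], 'relative-href');
    }
    // Criterion 2b: relative URL as the whole value of a URL-type field.
    const whole = text.trim();
    if (type === 'url' && isRelative(whole)) add(name, whole, 'relative-url-field');
  }
  return hits;
}

// Constructed sample payload fields.
const samplePayload = [
  { name: 'description', type: 'html',
    value: '<a href="/kb_view.do?sysparm_article=KB-PLACEHOLDER">KB</a> see https://provider.example.com/sp?id=ticket' },
  { name: 'comments', type: 'string',
    value: 'mirror: https://provider.example.com.lookalike.test/sp and /plain/relative/text' },
  { name: 'link', type: 'url', value: 'sc_cat_item.do?sys_id=PLACEHOLDER' },
  { name: 'external', type: 'url', value: '//other.example.net/page' },
];
console.log(magicLinkCandidates(samplePayload));
```

Running this against a sample of real payloads before enabling the feature shows which fields will start carrying links that authenticate the user on click.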

When a magic link is used, it directs the user to the redirection page. The sn_sb.requestor role is required for the user to be able to access the redirection page. If a user uses a magic link without the sn_sb.requestor role, the user will see the following message.

 

Magic Links - User does not have sn_sb_requestor_role with Border.png

 

By default, the consumer user will be logged into the provider instance as themselves and be directed to the resource if:

 

  • The consumer user can be found in the provider instance using the consumer user’s email address.
  • The company of the consumer user in the provider matches the company of the provider consumer connection.

Otherwise, the consumer user will get the following error message.

 

SB Magic Links - 404 error - wrong account with Border.png

If Single user mode is enabled for a connection, all users accessing that connection will be logged in as the designated user specified by the Single user mode setting. A service account with limited access is best for this account.

 

After these checks are complete, the redirection page appears for the duration specified by the Magic Links Redirect timeout setting. This setting is configured within the consumer instance, with a default value of 5 seconds. The maximum allowable value is 30 seconds, while a value of 0 results in an immediate redirect. Selecting "Click to Continue" allows users to bypass the wait period and proceed instantly.

 

SB Magic Link - Redirect Page with Border.png

After the specified time has passed, the redirection page redirects the user to the provider instance, logs the user into the provider instance, and redirects the user to the specified resource.
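
The role, single user mode, email and company checks described in this section can be modelled as a pre-rollout audit that groups consumer users by the outcome they would get. This is an added example, not Service Bridge code: the record shapes, field names, sample accounts and the order in which the checks run are assumptions.

```javascript
// Added example: models the login outcome this section describes for each
// consumer user. Record shapes and the order of the checks are assumptions.
const REQUESTOR_ROLE = 'sn_sb.requestor'; // role named on this page

function magicLinkOutcome(user, connection, providerUsers) {
  // The redirection page is only reachable with the requestor role.
  if (!user.roles.includes(REQUESTOR_ROLE)) return { outcome: 'blocked-no-role' };
  // Single user mode: every user is logged in as the designated account.
  if (connection.singleUser) return { outcome: 'single-user', loginAs: connection.singleUser };
  // Per-user mode: look the user up in the provider by email address ...
  const match = providerUsers.find((p) => p.email === user.email);
  if (!match) return { outcome: 'error-user-not-found' };
  // ... and require that user's company to match the connection's company.
  if (match.company !== connection.company) return { outcome: 'error-company-mismatch' };
  return { outcome: 'per-user', loginAs: match.userName };
}

// Pre-rollout audit: group consumer users by the outcome they would get.
function auditConnection(consumerUsers, connection, providerUsers) {
  const report = {};
  for (const user of consumerUsers) {
    const { outcome } = magicLinkOutcome(user, connection, providerUsers);
    (report[outcome] = report[outcome] || []).push(user.email);
  }
  return report;
}

// Constructed sample data (all names and addresses are made up).
const providerUsers = [
  { userName: 'alice.p', email: 'alice@consumer.example', company: 'Consumer Co' },
  { userName: 'bob.p', email: 'bob@consumer.example', company: 'Other Co' },
];
const consumerUsers = [
  { email: 'alice@consumer.example', roles: [REQUESTOR_ROLE] },
  { email: 'bob@consumer.example', roles: [REQUESTOR_ROLE] },
  { email: 'carol@consumer.example', roles: [REQUESTOR_ROLE] },
  { email: 'dave@consumer.example', roles: [] },
];
const perUser = { company: 'Consumer Co', singleUser: null };
const shared = { company: 'Consumer Co', singleUser: 'svc.magiclink' };

console.log(auditConnection(consumerUsers, perUser, providerUsers));
console.log(auditConnection(consumerUsers, shared, providerUsers));
```

In the single user mode run, every role-holding user maps to the one designated account, so provider-side activity is attributable only to that account and its access defines what all of them can reach.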

 

 

Upgrading to Service Bridge for Providers v2.2.2

If you have existing consumer connections when configuring Service Bridge Magic Links, the Identity Provider records will not be created for these connections, and you will need to create them manually. Fortunately, installing Service Bridge for Providers v2.2.2 and above also installs the Health Dashboard and Scan Check Suites. One of the out-of-box scan check suites, named Service Bridge Magic Links Configurations, monitors for such configuration issues. By checking the Health Dashboard, you will be able to see the finding and resolve the issue.

 

  1. Navigate to the Health Dashboard: All > Service Bridge for Provider > Administration > Health Dashboard.
  2. Find and click the Scan Task - Magic Links is not correctly configured.

    Service Bridge Health Dashboard with Border.png

  3. In the activities section, a work note is available which references the Known Error Documentation, the Source record for the configuration, and Finding Details to help resolve the issue. The Finding Details note that Magic Links requires an SSO Identity Provider.

    SB Scan Task Form - Magic Links is not correctly configured with Border.png

  4. Navigate to All > Multi-Provider SSO > Identity Providers. There is no Identity Provider record for the Consumer Connection. The name will be in the form of “<The Connection Number> Service Bridge Identity Provider”.

    SB Magic Links - Missing Identity Provider with Border.png

  5. In the scan task, click the Known Error Documentation link to access a guide for resolving the issue.
  6. The Known Error Code documentation is displayed. The Finding Details help narrow down the issue in the Known Error Documentation to “If the SSO Identity Provider is not created”.

    Known Error Code 160 with Border.png

  7. After running the provided script, the Identity Provider has been created. Set Active to true on the Identity Provider and it is ready for use.

    SB Magic Links - Identity Provider with Border.png



