Write data into AD (LDAP) using APIs?

Suggy
Giga Sage

Our customer is using Microsoft AD (LDAP). They have a requirement such that any changes made in ServiceNow or new user creation in ServiceNow should reflect back into AD using APIs.

PS: They don't have an Orchestration license / IntegrationHub license. It should be achieved using APIs.

Has anyone done this? Possible?


Community Alums
Not applicable

Hi there,

I have done such a scenario. You definitely need a MID server (usually a must for LDAP integration). So, you can actually pass a PS script to be executed on the machine hosting the MID server. This means, with the correct credentials and rights, you can actually run the PS needed to make a change on the AD (check this link https://learn.microsoft.com/en-us/powershell/module/activedirectory/set-aduser?view=windowsserver202...). For how to make the MID server do that, follow this link, where John Anderson explained it wonderfully: https://john-james-andersen.com/blog/service-now/powershell-probe-and-utility-for-servicenow.html
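The script below is an added example, not code from this thread or from the linked blog post: it is the kind of parameterised PowerShell a MID server probe could run to push one user update from ServiceNow into on-prem AD with Set-ADUser. The OU path, the attribute allow-list and the parameter names are assumptions; the ActiveDirectory RSAT module must be present on the MID server host, and the account the probe runs under needs write rights only on those attributes under that OU.

```powershell
# Added example (not from the original thread): push a ServiceNow user change into
# on-prem AD via Set-ADUser. Assumes the ActiveDirectory RSAT module is installed on
# the MID server host and the probe runs as an account delegated write access only
# to the managed OU below (hypothetical values).
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[A-Za-z0-9._-]{1,20}$')]   # sAMAccountName: reject anything odd before it reaches the LDAP filter
    [string]$SamAccountName,

    [Parameter(Mandatory = $true)]
    [hashtable]$Attributes,                         # e.g. @{ title = 'Analyst'; department = 'SecOps' }

    [string]$SearchBase = 'OU=Managed,DC=example,DC=com'   # placeholder OU; writes are confined to this subtree
)

Import-Module ActiveDirectory -ErrorAction Stop

# Allow-list of LDAP attributes ServiceNow is permitted to change; anything else is refused outright.
$allowed = @('givenName', 'sn', 'displayName', 'title', 'department', 'telephoneNumber', 'mail')
$bad = $Attributes.Keys | Where-Object { $allowed -notcontains $_ }
if ($bad) { throw "Refusing to write non-allow-listed attribute(s): $($bad -join ', ')" }

# Look the user up under the managed OU only; a same-named account elsewhere in the forest is never touched.
# $SamAccountName is safe to interpolate here because ValidatePattern already limited it to [A-Za-z0-9._-].
$user = Get-ADUser -Filter "sAMAccountName -eq '$SamAccountName'" -SearchBase $SearchBase -ErrorAction Stop
if (-not $user) { throw "No user '$SamAccountName' under $SearchBase" }

# -Replace takes a hashtable of attribute => value; SupportsShouldProcess makes -WhatIf / -Confirm work.
if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Set $($Attributes.Keys -join ', ')")) {
    Set-ADUser -Identity $user -Replace $Attributes -ErrorAction Stop
    Write-Output "Updated $($user.DistinguishedName): $($Attributes.Keys -join ', ')"
}
```

Run it first with -WhatIf from the MID server host to see the distinguished name and attributes it would change. The probe should then invoke the script with -SamAccountName and -Attributes as parameters rather than concatenating ServiceNow field values into a command string; combined with the allow-list and the OU-scoped lookup, that keeps a bad or tampered record in ServiceNow from turning into an arbitrary directory write.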

Appli
Mega Sage

Hi, it should also be possible by leveraging OAuth and an outbound REST message over the Graph API of AD.

Hope it helps

Omkar Kumbhar
Mega Sage

Hello @Suggy,

Please follow the below steps:

1. Follow this guide to create the app in Azure

https://medium.com/@abhinavsonkar/making-azure-ad-oidc-compliant-5734b70c43ff (this URL has issues loading sometimes, but just keep refreshing)

2. Use the OOB Azure AD Application Registry in System OAuth --> Application Registry

  • Add the client ID and client secret
  • Add offline_access, openid, and the custom API scope created above under the OAuth Entity Scopes tab

3. In the related Azure AD default_profile record

  • Change Grant type to Authorization Code or Resource Owner Password Credentials
  • Add the OAuth Entity Scopes created in the above step

4. In the Azure AD OIDC Provider Configuration record

5. The POST request to Azure to get the auth token should look like the below.

Note: The scope property must include the custom API from step 1/step 2, and the blurred out section in the URI is the Azure tenant ID.


6. You can use https://jwt.io to decode the access_token returned to validate the User Claim/User Field values from step 4

7. You can research other grant flows in Microsoft's documentation, but the only types supported by ServiceNow for inbound OAuth are Authorization Code or Resource Owner Password Credentials

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow

https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc

https://hi.service-now.com/kb_view.do?sysparm_article=KB0745184

https://www.servicenow.com/community/developer-articles/azure-automation-api-integration-using-rest-...


Thank you,

Omkar

If I was able to help you with your case, please click the Thumb Icon and mark as Correct.
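Step 6 above can be done locally instead of pasting a live access_token into a third-party decoder. The PowerShell below is an added example, not code from this thread or from ServiceNow: it base64url-decodes the header and payload of a compact JWT and reads the claims. The token it builds is constructed inside the script with a dummy signature so it runs offline; the helper only inspects claims and performs no signature verification, so it is for checking the User Claim / scope mapping, not for trusting a token.

```powershell
# Added example (not from the original thread): read JWT claims locally rather than
# pasting a production access_token into a web decoder. No signature check is done here.
function ConvertTo-Base64Url {
    param([Parameter(Mandatory = $true)][string]$Text)
    # Standard base64, then the URL-safe alphabet with padding stripped (RFC 7515 style).
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory = $true)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    # Restore the padding the JWT encoding removed so .NET's decoder accepts it.
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims {
    param([Parameter(Mandatory = $true)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    [pscustomobject]@{
        Header  = (ConvertFrom-Base64Url $parts[0] | ConvertFrom-Json)
        Payload = (ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json)
    }
}

# Constructed sample token (not a real Azure token); the third segment is a dummy signature.
$hdr    = ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'
$pl     = ConvertTo-Base64Url '{"aud":"api://example-app","upn":"user@example.com","scp":"access_as_user","exp":1700000000}'
$sample = "$hdr.$pl.dummysignature"

$claims = Get-JwtClaims $sample
$claims.Header.alg        # algorithm the issuer claims to have used
$claims.Payload.upn       # the User Claim value to compare against the User Field mapping in the provider configuration
$claims.Payload.scp       # confirms the custom API scope from the app registration was actually granted
[DateTimeOffset]::FromUnixTimeSeconds($claims.Payload.exp).UtcDateTime   # expiry as a readable timestamp
```

For a token returned by the real token endpoint, replace $sample with the access_token string; the scp claim should list the custom API scope configured in the OAuth Entity Scopes, and aud should be that API, otherwise the scope property in the POST request was wrong.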

I think the user said they were using AD (LDAP), not Azure AD, so I don't think your approach would work in this instance.


Richard