Guest user access for Web Embeddables
Summarize
Summarized using AI
This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.
Summary of Guest user access for Web Embeddables
ServiceNow enables unauthenticated (guest) users to access certain Web Embeddables components on your third-party website without requiring login. This facilitates seamless public access to specific content, such as knowledge articles and catalog items, that are explicitly made public within your ServiceNow instance.
Show less
Key Features
- Supported Components for Guests: Knowledge article view and catalog item components can be embedded and accessed by guest users.
- Content Visibility: Only content explicitly set as public in ServiceNow is displayed to guest users.
- Security Controls: Guest sessions can be secured to confirm human users via CAPTCHA and validate trusted third-party websites through JWT tokens.
- Session Management: Global JavaScript code supports starting guest sessions, upgrading to authenticated sessions upon login, and reverting to guest sessions on logout.
Configuration Steps
- Activate Guest Support: Enable the
snguestcomponentplugin to allow guest user access for Web Embeddables. - Enable Component ACLs: Adjust Access Control Lists for each component to grant guest users appropriate permissions.
- Set System Properties: Configure the
glide.embedded.session.trust.verification.enabledproperty to require JWT token verification for creating guest sessions, enhancing security by validating the session originates from a trusted site. - Implement Global Code: Embed the provided global JavaScript code on your third-party website to manage guest session lifecycle, including invoking
startGuestSession(),login(), andlogout()functions as needed. - Make Content Public: Ensure knowledge articles and catalog items intended for guest access are marked public within ServiceNow.
- Embed Components: Place the Web Embeddables components on your third-party website pages following ServiceNow’s embedding guidelines.
Expected Outcomes
- Guest users can seamlessly view and interact with designated Web Embeddables content on your external website without authentication.
- Session security is enforced through CAPTCHA and JWT token verification, preventing unauthorized or bot access.
- Authenticated users experience upgraded sessions automatically, allowing for a smooth transition between guest and logged-in states.
- Administrators maintain control over which content is visible to guest users by managing public settings and ACLs.
Enable unauthenticated users to access Web Embeddables components on your third-party website without logging in.
Overview of Web Embeddables for guest users
Provide unauthenticated users with access to Web Embeddables components on your website without requiring them to log in. Currently, the following components are available for guest users:
- Knowledge article view component
- Catalog item component
- Install the guest plugin
- Enable the component ACLs
- Set the system property
- Implement the global code on your third-party website
- Embed the component on your third-party website page. For more information, see Embed ServiceNow components instance on the third-party website.
- Make content displayed in components public
Guest users support activation
Activate the Web components for Guest Embeddables (sn_guest_component) plugin to enable guest user support on your website. For more information on how to activate the plugin, see Activate Web Embeddables.
Enable the component ACLs
For guest user to view or interact with the components on your third-party website, you must enable the guest ACLs of the components . For more information, see Configure ACL for guest access.
Guest users system properties
Set the following system property to control how guest sessions are created and verified for Web Embeddables.
| Property | Description | Behavior |
|---|---|---|
| glide.embedded.session.trust.verification.enabled | Enable verification to check that the guest embeddable session is created on a trusted third-party website. The verification happens through JWT token. | When set to true, the system checks for a JWT token before creating an embedded guest session. When set to false, the system creates a guest embedded session without verification. By default, the property is set to true. Pass the JWT token using the value for the key: |
Global code implementation
For pages supporting both guest and authenticated sessions, the global code implementation is as follows:
- On page load: Uncomment to call
await startGuestSession()function. This establishes an anonymous session so guest components (for example, a public-facing knowledge view component) render without requiring the user to sign in. - After user logs in: Uncomment to call
await login()function. This upgrades the session to an authenticated one, causing authenticated components to load for that user. Guest components are replaced or supplemented by the logged-in experience depending on your configuration. - On logout: Uncomment to call
await logout()function to suspend down the authenticated session and return to the guest state if needed.
Note:
guestTokenCallback function is required in init() function for guest sessions to work. This callback must return a valid guest JWT token for your instance. Without it,
startGuestSession() function fails validation.To display content in the guest components, make knowledge articles and catalog items public.
Guest users can access the Web Embeddables components designated as public on your website without logging in.