Viewing SSO subscription information

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Viewing SSO Subscription Information

    This guide provides instructions for ServiceNow customers to view Single Sign-On (SSO) subscription information related to applications, users, and groups within the Software Asset Management (SAM) module. It covers how to navigate both the classic UI and the Software Asset Workspace for accessing this data.

    Show full answer Show less

    Key Features

    • SSO Integration Profiles: Navigate to All > SaaS License > Administration > SSO Integration Profiles to view related lists including SSO Applications, Directory Users, and Directory Groups.
    • Scheduled Jobs: Regular jobs that download information related to SSO apps, users, groups, and subscriptions run daily or upon profile publication.
    • SSO Application Information: Access details about users, groups, and subscriptions for specific SSO applications via All > SaaS License > SSO Applications.
    • Reclamation Candidates: Identify subscriptions that do not meet usage requirements as defined by reclamation rules.

    Key Outcomes

    By effectively utilizing the SSO subscription viewing capabilities, customers can:

    • Monitor and manage user access to applications, ensuring compliance and security.
    • Reclaim unused subscriptions by identifying users with indirect access through group memberships.
    • Ensure data synchronization with SSO providers, maintaining accurate records of users and applications.

    Understanding these features will enhance your ability to manage SaaS licenses and improve the efficiency of software asset utilization.

    You can view information about the Single Sign-On (SSO) applications, SSO users, and SSO groups that are associated with your SSO integrations.

    Important:
    You can view information about your SSO applications, users, and groups in both the Software Asset Management Core UI and Software Asset Workspace. The following sections provide details on viewing this information in the Software Asset Management classic application. For details on viewing this information in the Software Asset Workspace, see License operations view.

    Viewing SSO integration information

    To view the applications, users, and groups for an SSO integration, navigate to All > SaaS License > Administration > SSO Integration Profiles and then select a profile. The related lists provide information about the integration.
    Table 1. SSO Integration Profile related lists
    List Description
    SSO Applications All SSO applications.
    Directory Users All SSO users.
    Directory Groups All SSO groups.
    Scheduled Jobs SAM - SSO <sso-provider> download applications scheduled job that downloads all SSO apps. The job runs when the SSO integration profile is published, and then runs daily.

    The SAM - SSO <sso-provider> update connected applications scheduled job downloads users, groups, and subscriptions for SSO apps. The job runs daily and whenever an app is connected.
    Scheduled Job Results Status of the scheduled jobs.
    Directory Jobs <sso-provider> - Download Group Membership directory job that downloads group memberships for all users. The job runs when the SSO integration profile is published, and then runs daily.

    The <sso-provider> - Download Groups directory job downloads all groups. The job runs when the SSO integration profile is published, and then runs daily.

    The <sso-provider> - Download Users directory job downloads all users. The job runs when the SSO integration profile is published, and then runs daily.
    Directory Job Results Status of the directory jobs.

    Viewing SSO application information

    To view the users, groups, and reclamation candidates for an application, navigate to All > SaaS License > SSO Applications and select an application. The related lists show information for the application. For viewing the SSO application information in Software Asset Workspace, see View SSO applications in workspace.

    Table 2. SSO Applications
    List Description
    SSO Application Users All users that have direct access to the application, but not through membership in a group.
    SSO Application Groups All groups that have access to the application.
    SSO Subscriptions Total number of subscriptions for the application. A user may have both direct access to an app and have access through a group. But the user's access counts as only one subscription so as only one record in the SSO Subscriptions list.
    Note:
    • Add the SSO application role column to see how the user is granted access to the application. If the value is a group, then the user has access through membership in that group. If the value is the user's name, then the user has direct access to the application. User subscriptions can't be reclaimed in Software Asset Management if the user has access to the application through a group membership. To reclaim the subscription, remove the user from the group in the Azure AD portal and set the reclamation candidate state to Closed Complete.
    • When SSO subscriptions are created through SSO application groups, the Subscription assigned value is empty. When the subscriptions are created through SSO Application Users, the Subscription assigned value shows the date of when the subscription is assigned to the user. After you upgrade to the Software Asset Management - SaaS License Management 13.1.0 version or later, the existing Subscription assigned values for the subscriptions that were created through SSO application groups turns empty.
    Reclamation Candidates Subscriptions that don't meet the usage requirements that are defined by the reclamation rule for the application.

    Data synchronization with SSO providers

    If you delete a user, group, or app in the Azure AD portal or in the Okta Developer Console, then the corresponding records in Software Asset Management are deleted when the daily scheduled jobs run. If you revoke a user's access to an application in the Azure AD portal or in the Okta Developer Console, either directly or indirectly by removing them from a group, then the corresponding user subscription record is deleted when the daily scheduled jobs run.