Web Embeddables

  • Release version: Australia
  • Updated March 12, 2026
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Web Embeddables

    Web Embeddables allow ServiceNow customers to securely embed ServiceNow web components into third-party websites, enabling real-time interaction with ServiceNow data and functionality without direct access to the ServiceNow interface. This feature uses dedicated APIs and authentication mechanisms to establish embedded sessions that display ServiceNow information within external web components.


    Key Features

    • Secure Authentication: Embedded sessions are established using the /now/client/authenticate API endpoint, requiring a valid bearer JWT token for authentication.
    • Role Relegation: During embedded sessions, administrative roles such as admin and security admin are automatically removed, with additional role removals configurable through client session access role settings.
    • Policy Filters and Zero Trust Access (ZTA): Default policies use Embedded Session filter criteria, which can be enhanced by integrating the ZTA plugin to apply filters like IP address, location, role, group, and identity provider attributes, strengthening security controls.
    • Embedded Client Access Plugin: The com.glide.security.client_access plugin supports role relegation and is installed automatically with the Web Embeddable plugin.
    • Configuration Settings: The system property glide.uxf.lib.embeddables.enabled must be set to true to enable the authentication endpoint.
    • Additional Security Measures: Configuring the OIDC client type as Embedded (requires ZTA plugin) and using the IsEmbeddedSession security attribute in access controls (ACLs) enhance privilege controls during embedded sessions.

    Practical Benefits for ServiceNow Customers

    • Embed ServiceNow capabilities seamlessly into external portals while maintaining strict security and access controls.
    • Control and restrict user privileges during embedded sessions to prevent exposure of high-privilege roles.
    • Leverage advanced filter-based policies with Zero Trust Access for enhanced authentication and authorization.
    • Utilize configurable role relegation to tailor user roles appropriately in embedded environments.
    • Implement best practices for secure integration between ServiceNow and third-party websites.

    Secure the web embeddables feature, which authenticates the ServiceNow web components that are used in third-party portals.

    The web embeddables capability enables you to embed ServiceNow web components into external websites outside ServiceNow. You can use these web components to interact with ServiceNow through dedicated APIs that allow real-time data exchange and use of functionality without requiring users to directly access the ServiceNow interface.

    When using web embeddables, it is important to authenticate to the ServiceNow web components securely and to restrict or remove high-privilege roles from users. During authentication, an embedded session is established to display information from ServiceNow within the web components.

    The /now/client/authenticate API endpoint authenticates the request from a third party to establish the ServiceNow embedded session.

    Note:
    You must use a dedicated Custom URL to authenticate the request from a third-party.

    To use this endpoint, you need to send a valid JWT-based bearer token in the authorization header as part of the authentication request. When a valid token is sent, the session is considered embedded, and the admin and security admin roles are removed from the user.

    You can also perform role relegation to configure additional roles that must be removed during an embedded session. To learn more about embedded session role configuration, see Configure client session access role.

    To learn more about the configuration of web embeddables, see Configure Web Embeddables.
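A pre-flight check a third-party portal backend could run before sending its token to the endpoint, shown as an added example that is not ServiceNow code. The POST method, the host name `embed.example.com`, the five-minute lifetime cap, and the function names are assumptions made for illustration; the page specifies only the endpoint path and the bearer JWT in the authorization header.

```javascript
// Added example: refuse to send a bearer JWT that should never leave the portal backend.
// ASSUMPTIONS (not from the page): POST method, host name, lifetime cap, function names.
const AUTH_PATH = "/now/client/authenticate";   // endpoint named on the page
const CUSTOM_URL_HOST = "embed.example.com";    // placeholder for the dedicated Custom URL
const MAX_TOKEN_LIFETIME_S = 300;               // local policy, assumed

function decodeSegment(seg) {
  return JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
}

// Returns a request descriptor, or throws with the reason the call was refused.
function buildEmbeddedAuthRequest(baseUrl, jwt, nowSeconds) {
  const url = new URL(AUTH_PATH, baseUrl);
  if (url.protocol !== "https:") throw new Error("bearer token must only travel over HTTPS");
  if (url.hostname !== CUSTOM_URL_HOST) throw new Error("not the dedicated Custom URL");

  const parts = jwt.split(".");
  if (parts.length !== 3 || parts[2] === "") throw new Error("not a signed compact JWT");
  const header = decodeSegment(parts[0]);
  const claims = decodeSegment(parts[1]);
  if (!header.alg || String(header.alg).toLowerCase() === "none") throw new Error("unsigned token");
  if (typeof claims.exp !== "number" || claims.exp <= nowSeconds) throw new Error("token expired");
  if (claims.exp - nowSeconds > MAX_TOKEN_LIFETIME_S) throw new Error("token lifetime too long");

  return {
    url: url.toString(),
    method: "POST", // assumed; the page does not state the HTTP method
    headers: { Authorization: `Bearer ${jwt}` },
  };
}

// Constructed sample token. The signature is a dummy string: signature
// verification is done by the instance, not by this pre-flight check.
function sampleJwt(header, claims) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  return `${enc(header)}.${enc(claims)}.c2lnbmF0dXJl`;
}

const NOW = 1700000000; // fixed clock so the sample is reproducible
const good = sampleJwt({ alg: "RS256", typ: "JWT" }, { sub: "portal.user", exp: NOW + 120 });
const req = buildEmbeddedAuthRequest("https://embed.example.com", good, NOW);
console.log(req.method, req.url);
```

Keeping the token short-lived and pinned to the Custom URL host limits what a leaked token can be used for; the role removal described above still happens on the instance side.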

    By default, the policy can be configured with only the Embedded Session filter criteria. You can use the Zero Trust Access (ZTA) plugin to extend it with filters such as IP, Location, Role, Group, and Identity Provider Attributes. You can add these filters to the policies created in the Client Access Role Configuration table. This strengthens the access requirements and gives you a better security posture when establishing an embedded session. For more information about ZTA, see Zero Trust Access (ZTA).

    Note:
    • The Embedded client access (com.glide.security.client_access) plugin provides capabilities such as role relegation for the Web Embeddables feature. This plugin is auto-installed when the Web Embeddable plugin is installed.
    • You must set the glide.uxf.lib.embeddables.enabled property to true to use the /now/client/authenticate endpoint.

    You can also implement these additional security measures for stronger control over the user's privileges when using the web components:

    • Configure the client type to Embedded for the corresponding OIDC (OAuth Entity) record. To set the client type as Embedded, you must install the Zero Trust Access (ZTA) plugin.
    • Use IsEmbeddedSession as a security attribute for the access controls (ACLs). The IsEmbeddedSession security attribute is added when you install the Embedded client access (com.glide.security.client_access) plugin. For more information, see OOB (Out-of-Box) Security Attributes.