Identity and Authentication release notes

  • Release version: Washingtondc
  • Updated February 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Identity and Authentication Release Notes Washington DC

    The Washington DC release of the ServiceNow® Authentication application enhances user identity validation through various authentication mechanisms. Key improvements include tools for access analysis, session validation, and secure API authentication, all aimed at bolstering security for users and organizations.

    Show full answer Show less

    Key Features

    • Access Analyzer V2: A self-service tool for administrators to assess user access and ensure appropriate access levels.
    • Identity and Access Audit: Provides insights into changes made to user accounts, groups, roles, and Access Control Lists (ACLs).
    • Session Validation Context: Adds a layer of protection against session hijacking by evaluating authentication requests based on IP addresses.
    • Zero Trust Access - Mobile: Adjusts session roles and privileges based on risk factors in mobile environments.
    • API Key and HMAC Token Support: Secures inbound REST API requests through key authentication methods.
    • JWT Support for OAuth: Facilitates OAuth 2.0 client authentication with private key JWT for single sign-on and outbound integrations.
    • OAuth Client Credentials Grant Type: Supports inbound integration requests from third-party OAuth clients.

    Key Outcomes

    With the enhancements in the Washington DC release, ServiceNow customers can expect improved security measures for user authentication and access management. The deprecation of older authentication methods like MultiSSO v1, SAML 1.1, and OpenID SSO emphasizes the need to upgrade to more secure versions to maintain compliance and security best practices.

    The ServiceNow® Authentication application supports many authentication mechanisms that enable you to validate the identity of users. Authentication was enhanced and updated in the Washington DC release.

    Identity and Authentication highlights for the Washington DC release

    • Use the ServiceNow® Access Analyzer V2 tool to compare the access of users and determine the right level of access controls is provided for the users.
    • Use the Identity and Access Audit to understand the changes made for a user, group, role, and Access Control list (ACL).
    • Configure Session Validation Context into the adaptive authentication policy framework to evaluate authentication requests and provide an additional layer of protection against session or cookie hijacking.
    • Support API key and HMAC token for inbound REST APIs to securely authenticate the inbound webhook URLs.
    • Support OAuth 2.0 client authentication with private key JWT for OIDC based Single-sign-on and OAuth based Outbound Integrations.
    • Support OAuth Client Credentials grant type for Inbound Integrations to the ServiceNow® platform.
    • Configure the session access policy to reduce the roles or privileges of the particular session based on the risk related with the session using filter criteria like on the IP, Location, Identity attribute with the zero trust access policy in mobile.

    See Identity and Authentication for more information.

    New in the Washington DC release

    Access Analyzer
    Use the ServiceNow® Access Analyzer V2, a self-service tool designed for admins, developers, and support agents to compare user access and determine the right level of access for the users on the ServiceNow AI Platform.
    Important:
    Access Analyzer is available in the ServiceNow Store. For more information, visit ServiceNow Store.
    Identity and Access Audit
    Use the Identity and Access Audit to understand the changes made for a user, group, role, and ACL and understand the critical information about who has modified what, where and when in user accounts, groups, and roles.
    Session Validation Context
    Configure the session validation context into the adaptive authentication policy framework to evaluate authentication requests and then either deny or allow access based on IP address within a valid range as policy conditions. Session validation context provides an additional layer of protection against session or cookie hijacking.
    Zero Trust Access - Mobile
    Use the Zero Trust access - Session Access policy within the Adaptive Authentication policy to reduce the roles or privileges of the particular session in mobile.
    API Key and HMAC token
    Support API key and HMAC token for inbound REST APIs to securely authenticate inbound webhook URLs.
    JWT Support for OAuth
    Support OAuth 2.0 client authentication with private key JWT for OIDC based Single-sign-on and OAuth based Outbound Integrations.
    OAuth Client Credentials grant type for Inbound Integrations
    Support OAuth Client Credentials grant type for Inbound Integrations from a third party OAuth client to the ServiceNow® platform.

    Deprecations

    • The MultiSSO v1 is deprecated. Upgrade to MutliSSO v2 from MultiSSO v1.

      For more information, refer to the knowledge article MultiSSO v2 upgrade instructions [KB9756504] in the Now Support Knowledge Base.

    • The SAML 1.1 and SAML 1.1 Single Sign-On - Update 1 plugin is deprecated. The SAML-based identity providers (IdP) have already migrated to SAML 2.0. To use SAML 2.0, you must install the MultiSSO and configure your identity provider.
    • The OpenID SSO plugin is deprecated. To use OpenID Connect (OIDC), you must install the MultiSSO and configure your OIDC-based identity provider.

    Activation information

    Authentication is a ServiceNow AI Platform feature that is active by default.

    Related ServiceNow applications and features

    Platform Security
    Platform Security is built into all levels of the ServiceNow AI Platform. Implement the security features that are appropriate for your organization. Manage failed logins and encrypted password protection, access control rules, and audit logs.