Viewing SSO subscription information

  • Release version: Zurich
  • Updated July 31, 2025
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Viewing SSO subscription information

    This guide explains how ServiceNow customers can view and manage information related to Single Sign-On (SSO) integrations, including applications, users, groups, and subscriptions. The instructions focus on accessing this data within the Software Asset Management (SAM) Core UI, specifically in the classic application, while also noting availability in the Software Asset Workspace.

    Show full answer Show less

    Viewing SSO Integration Information

    To review details on SSO integrations, navigate to All > SaaS License > Administration > SSO Integration Profiles and select a profile. Key related lists provide information about:

    • SSO Applications: Lists all applications linked to the integration.
    • Directory Users and Groups: Displays all users and groups associated with the SSO provider.
    • Scheduled Jobs: Includes jobs that download SSO applications, users, groups, and subscriptions. These jobs run daily and upon publishing or connecting an app.
    • Directory Jobs: Specific jobs for downloading group memberships, users, and groups. Note that for Microsoft Entra ID spoke 4.3 and later, group membership download jobs are replaced by a comprehensive group download job.
    • Job Results: Status of scheduled and directory jobs is available for monitoring.

    Viewing SSO Application Information

    To see users, groups, and reclamation candidates for a specific SSO application, go to All > SaaS License > SSO Applications and select an application. Related lists include:

    • SSO Application Users: Users with direct access to the app (not through group membership).
    • SSO Application Groups: Groups that have access to the application.
    • SSO Subscriptions: Total subscriptions for the application, counting each user's access only once regardless of whether access is direct or through group membership.
    • Reclamation Candidates: Subscriptions identified as unused or underused based on reclamation rules.
    • SSO Group Software Model Mappings: Groups mapped to software models for license management at the group level.

    Important notes:

    • The “SSO application role” column clarifies whether access is granted directly or via group membership.
    • Subscriptions assigned via group membership do not show a subscription assignment date, and user subscriptions granted through groups cannot be reclaimed directly in SAM. To reclaim these, remove users from groups in Azure AD and close the reclamation candidate state.
    • After upgrading to SAM - SaaS License Management 13.1.0 or later, subscription assignment dates for group-based subscriptions will be cleared.

    Data Synchronization with SSO Providers

    Data synchronization occurs daily via scheduled jobs, ensuring the SAM database reflects current SSO provider states:

    • If a user, group, or application is deleted in Azure AD or Okta, the corresponding SAM records are deleted during the next scheduled job run.
    • If a user’s access to an application is revoked directly or through group removal in the identity provider portals, the associated subscription record is deleted upon the next synchronization.

    You can view information about the Single Sign-On (SSO) applications, SSO users, and SSO groups that are associated with your SSO integrations.

    Important:
    You can view information about your SSO applications, users, and groups in both the Software Asset Management Core UI and Software Asset Workspace. The following sections provide details on viewing this information in the Software Asset Management classic application. For details on viewing this information in the Software Asset Workspace, see License operations view.

    Viewing SSO integration information

    To view the applications, users, and groups for an SSO integration, navigate to All > SaaS License > Administration > SSO Integration Profiles and then select a profile. The related lists provide information about the integration.
    Table 1. SSO Integration Profile related lists
    List Description
    SSO Applications All SSO applications.
    Directory Users All SSO users.
    Directory Groups All SSO groups.
    Scheduled Jobs SAM - SSO <sso-provider> download applications scheduled job that downloads all SSO apps. The job runs when the SSO integration profile is published, and then runs daily.

    The SAM - SSO <sso-provider> update connected applications scheduled job downloads users, groups, and subscriptions for SSO apps. The job runs daily and whenever an app is connected.
    Scheduled Job Results Status of the scheduled jobs.
    Directory Jobs

    The <sso-provider> - Download Group Membership directory job that downloads group memberships for all users. The job runs when the SSO integration profile is published, and then runs daily.

    The <sso-provider> - Download Users directory job downloads all users. The job runs when the SSO integration profile is published, and then runs daily.

    The <sso-provider> - Download Groups directory job downloads all groups for all users. The job runs when the SSO integration profile is published, and then runs daily.

    Note:
    On upgrading to Microsoft Entra ID spoke 4.3 version, the Microsoft Azure AD - Download Group Membership directory job won’t be executed for existing Microsoft Entra ID SSO or Directory integrations. This directory job also won’t be created for new Microsoft Entra ID SSO or Directory integrations. Instead, the Microsoft Azure AD - Download Groups directory job downloads all groups and group memberships configured on Microsoft Entra ID.
    Directory Job Results Status of the directory jobs.

    Viewing SSO application information

    To view the users, groups, and reclamation candidates for an application, navigate to All > SaaS License > SSO Applications and select an application. The related lists show information for the application. For viewing the SSO application information in Software Asset Workspace, see View SSO applications in workspace.

    Table 2. SSO Applications related list
    List Description
    SSO Application Users All users that have direct access to the application, but not through membership in a group.
    SSO Application Groups All groups that have access to the application.
    SSO Subscriptions Total number of subscriptions for the application. A user may have both direct access to an app and have access through a group. But the user's access counts as only one subscription so as only one record in the SSO Subscriptions list.
    Note:
    • Add the SSO application role column to see how the user is granted access to the application. If the value is a group, then the user has access through membership in that group. If the value is the user's name, then the user has direct access to the application. User subscriptions can't be reclaimed in Software Asset Management if the user has access to the application through a group membership. To reclaim the subscription, remove the user from the group in the Azure AD portal and set the reclamation candidate state to Closed Complete.
    • When SSO subscriptions are created through SSO application groups, the Subscription assigned value is empty. When the subscriptions are created through SSO Application Users, the Subscription assigned value shows the date of when the subscription is assigned to the user. After you upgrade to the Software Asset Management - SaaS License Management 13.1.0 version or later, the existing Subscription assigned values for the subscriptions that were created through SSO application groups turns empty.
    Reclamation Candidates Subscriptions that don't meet the usage requirements that are defined by the reclamation rule for the application.
    SSO Group Software Model Mappings SSO groups that are mapped to specific software models for managing licenses at the group level.

    Data synchronization with SSO providers

    If you delete a user, group, or app in the Azure AD portal or in the Okta Developer Console, then the corresponding records in Software Asset Management are deleted when the daily scheduled jobs run. If you revoke a user's access to an application in the Azure AD portal or in the Okta Developer Console, either directly or indirectly by removing them from a group, then the corresponding user subscription record is deleted when the daily scheduled jobs run.