User authentication for ServiceNow mobile apps

  • Release version: Zurich
  • Updated July 31, 2025
  • 1 minute to read

    • ServiceNow mobile apps support platform authentication using OAuth 2.0. Authentication mechanisms include multi provider SSO, MFA, LDAP, Local DB, and Digest.

    AppAuth authentication

    The ServiceNow mobile apps use a new authentication methodology called AppAuth. AppAuth uses an external mobile browser to log the user in. The following steps detail login using AppAuth.
    1. The client creates and records a secret named the code_verifier, and derives a transformed version t(code_verifier) (referred to as the code_challenge). This code_challenge is sent in the OAuth 2.0 Authorization Request along with the transformation method t_m.
    2. The Authorization Endpoint responds as usual but records t(code_verifier) and the transformation method.
    3. The client then sends the authorization code in the Access Token Request as usual but includes the code_verifier secret generated in the previous steps.
    4. The authorization server transforms code_verifier and compares it to t(code_verifier) from the previous steps. Access is denied if they are not equal.
    Figure 1. Abstract protocol flow
    Flow for the authentication process for logging in to a mobile app

    Single sign-on

    ServiceNow mobile apps require multi-provider single sign-on in order to use external authentication. The multi providers SSO plugin [com.snc.integration.sso.multi.installer] provides SAML authentication support. The login process (AppAuth) uses this plugin to redirect the user to the IDP (SAML provider) login page when using SAML.

    For more information on this plugin, see External single sign-on (SSO).

    For more information on configuring multi provider SSO, see Multi-Provider single sign-on (SSO).

    Multifactor authentication

    Users can access the instance via Multifactor Authentication using the MFA plugin [com.snc.integration.multifactor.authentication]. Users are directed to their login page after selecting their instance in a mobile app.

    Figure 2. Multifactor login page in the Mobile Agent app
    Multifactor login page in the Mobile Agent app.

    For details on configuring Multi-factor Authentication, see Multifactor authentication system properties

    LDAP

    Use LDAP authentication to access using LDAP credentials. The user sees the same login page as the local login (DB based) but the back end to the LDAP server deletes the authentication. For more information on LDAP configuration, see Lightweight Directory Access Protocol integration.

    Local DB

    The user name and password in the user record in the instance database.

    Not officially supported

    • Kerberos
    • Certificate-based authentication (AppAuth’s external browser may solve for some certificate based mechanisms)