Installation exits

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Installation exits

    Installation exits in ServiceNow are custom scripts that bridge Java and scripting environments, allowing you to execute custom logic during key system events such as login, logout, authentication, and password validation. These exits enable you to customize core behaviors without modifying underlying Java code. Access to configure installation exits requires the Admin role.

    Show full answer Show less

    Key Features

    • Predefined Installation Exits: ServiceNow provides several built-in exits including Login, Logout, LogoutRedirect, ExternalAuthentication, DigestSingleSignOn, PGPSingleSignOn, ValidatePassword, ValidatePasswordStronger, and GetIntegrationSessionTimeout.
    • Reserved Names: Some exit names (Login, Logout, ValidatePassword, ExternalAuthentication) are reserved and cannot be renamed, but their scripts can be customized by overriding the default logic.
    • Authentication Customization: You can customize how users authenticate, including standard username/password, header-based, or encrypted single sign-on methods.
    • Password Validation: Allows defining custom password rules or using predefined stronger validation criteria.
    • Session Timeout Control: Installation exits can be scripted to dynamically set session timeout values during login based on user identity or other factors such as IP address.

    Practical Application Examples

    • Per-User Session Timeout: You can configure the Login exit to set specific session timeout durations for certain users—for example, setting a 30-second timeout for the "admin" user.
    • IP-Based Session Timeout: Customize session timeout based on the client IP address during login, such as extending session duration for users connecting from a trusted IP range.

    The provided example scripts demonstrate how to implement these customizations by overriding the process method in the Login installation exit, performing authentication, and then adjusting session parameters accordingly.

    Benefits for ServiceNow Customers

    • Allows tailoring authentication and session behaviors to meet organizational security policies.
    • Enables enhanced control over user experience during login and logout processes.
    • Facilitates integration with external authentication mechanisms and custom password policies.
    • Helps improve security by enforcing context-aware session management.

    Installation exits are customizations that exit from Java to call a script before returning back to Java.

    Note:
    Functionality described here requires the Admin role.

    Available installation exits

    Navigate to System Definition > Installation Exits. Some installation exit names (Login, Logout, ValidatePassword, ExternalAuthentication) are reserved and cannot be changed. Other installation exits can override these with custom script that replaces the script in the default installation exit.

    The following installation exits are available in the base system:

    Installation Exit Description
    Login Takes a username and password pair and authenticates with the user object
    Logout Takes the user to the welcome page upon signing out; can be overridden by LogoutRedirect
    LogoutRedirect Takes the user to a specified URL upon signing out
    ExternalAuthentication Authenticates using header, parameter, or cookie; can be overridden by DigestSingleSignOn and PGPSingleSignOn
    DigestSingleSignOn Authenticates using header, parameter, or cookie and decrypts Digest encryption
    PGPSingleSignOn Authenticates using header, parameter, or cookie and decrypts PGP encryption
    ValidatePassword Active by default, starting with the Helsinki release; allows customers to define their own password validation; can be overridden by ValidatePasswordStronger
    ValidatePasswordStronger Requires passwords be at least 8 characters long and contain a digit, an uppercase letter, and a lowercase letter
    GetIntegrationSessionTimeout Implements the default integration session timeout behavior.

    Login modifications

    The following modification to the Login installation exit sets each user's session timeout value as the user is logging in. In this particular example, if the user name is admin, the session is set to timeout in 30 seconds.

    gs.include("PrototypeServer");
 
var Login = Class.create();
Login.prototype = {
	initialize : function() {
	},
 
        process : function() {
          // the request is passed in as a global
          var userName = request.getParameter("user_name");
          var userPassword = request.getParameter("user_password");
 
          var authed = GlideUser.authenticate(userName, userPassword);
          if (authed) {
             // ***********************************************************        
             // customization - if the userName == admin, set the session
             // timeout to be 30 seconds. You can implement your own  
             // session timeout algorithm here by checking to see if a user
             // belongs to a certain group or has a certain role.
             // Values of setMaxInactiveInterval exceeding 1440 minutes are
             // treated as one day (1440 minutes).
  
           if (userName == "admin") {
               request.getSession().setMaxInactiveInterval(30);
             }
             // ************************************************************
             return GlideUser.getUser(userName);
          }
 
          this.loginFailed();
 
          return "login.failed";
        },
 
        loginFailed : function() {
          var message = GlideSysMessage.format("login_invalid");
          var gSession = GlideSession.get();
          gSession.addErrorMessage(message);
 
          var userName = request.getParameter("user_name");
          EventManager.queue("login.failed", "", userName, "");
       }
 
}

    Session timeout can also be set according to IP address.

    gs.include("PrototypeServer");
 
var Login = Class.create();
Login.prototype = {
	initialize : function() {
	},
 
        process : function() {
          // the request is passed in as a global
          var userName = request.getParameter("user_name");
          var userPassword = request.getParameter("user_password");
 
          var authed = GlideUser.authenticate(userName, userPassword);
          if (authed) {
 
          // **************************************************************
          // customization - if the user is logging in from a particular IP
          // range starting with XXX.XXX you can implement your own
          // session timeout algorithm here by checking the login IP
          // 
          // Values of setMaxInactiveInterval exceeding 1440 minutes are
          // treated as one day (1440 minutes).
 
          var clientIP = gs.getSession().getClientIP().toString();

          // if client IP starts with specified range
          if (clientIP.indexOf('XXX.XXX') == 0) {  
             // set to 10 hours
             request.getSession().setMaxInactiveInterval(60 * 60 * 10); 
          }
          // ***************************************************************
 
             return GlideUser.getUser(userName);
          }
 
          this.loginFailed();
 
          return "login.failed";
        },
 
        loginFailed : function() {
          var message = GlideSysMessage.format("login_invalid");
          var gSession = GlideSession.get();
          gSession.addErrorMessage(message);
 
          var userName = request.getParameter("user_name");
          EventManager.queue("login.failed", "", userName, "");
       }
 
}