Authentication release notes

  • Release version: Zurich
  • Updated July 31, 2025
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Authentication release notes

    The ServiceNow® Authentication application in the Zurich release introduces advanced authentication mechanisms to validate user identities securely. Enhancements focus on multi-factor authentication (MFA), OAuth integrations, AI voice service authentication, and improved user experience for login and security management.


    Key Features

    • Knowledge-Based Authentication (KBA) for AI Voice Service: Supports Email OTP as a standalone or secondary factor, auto-populates voice service mappings, and allows authentication prompts at call start.
    • OAuth Enhancements: Offers options for Opaque or JWT tokens, scoped API access controls for inbound integrations, and resource parameter configurations for outbound integrations to improve token requests and monitoring.
    • Inbound Integration Management: Introduces the Machine Identity Console for simplified inbound integration configuration and the ability to assign provider names to distinguish integrations, enhancing monitoring and management.
    • Multi-factor Authentication (MFA) Improvements: Includes a new MFA Dashboard to monitor user enrollment and compliance, an MFA Guided Setup to assist administrators in enabling MFA for users, and enforcement of FIDO2 hardware or biometric second-factor authentication.
    • Enhanced Single Sign-On (SSO) Experience: Displays active SAML and OIDC Identity Providers on login pages, supports group assignment during auto-provisioning, uses shared well-known URLs for OIDC, and improves login/logout feedback and email notifications.
    • UI Enhancements: Introduces the Coral theme as default with brand-neutral illustrations and a dark mode option for portals, web, and mobile experiences.

    Key Outcomes

    • Improved Security: Stronger, multi-layered authentication options, including AI voice-based factors and hardware-backed FIDO2 authentication, enhance protection for users and privileged accounts.
    • Simplified Integration Management: Centralized inbound integration configuration through the Machine Identity Console streamlines setup and monitoring, reducing complexity and errors.
    • Enhanced User Experience: Clearer login/logout processes, group assignment automation, and customizable OAuth token handling provide a smoother, more secure authentication workflow.
    • Compliance and Monitoring: MFA Dashboard and guided setup tools help administrators ensure organization-wide MFA adoption and compliance with security policies.

    Deprecations

    The Zurich release deprecates legacy inbound integration configurations in favor of the new streamlined Machine Identity Console setup, including OAuth API endpoints for external clients and OIDC provider token verification.

    The ServiceNow® Authentication application supports many authentication mechanisms that enable you to validate the identity of users. Authentication was enhanced and updated in the Zurich release.

    Authentication highlights for the Zurich release

    Zurich Patch 4
    Authentication factors for AI voice service
    Enable caller access to AI voice agents by configuring the required identification and authentication factors.
    OAuth enhancements
    The OAuth enhancements are as follows:
    • Use the Opaque or JWT token option for your inbound integration endpoints.
    • Use the Allow access only to APIs in selected scope option to enable access to the APIs that are explicitly listed in the selected scopes for your inbound integrations.
    • Use the OAuth Entity Resource tab for outbound integrations to configure resource parameters so they flow into the OAuth token request and are reflected in the token from your OAuth provider.
    Zurich Patch 3
    Provider name for Inbound integrations
    Use the Provider name field to enter the details of your inbound integrations to distinguish between different inbound integrations on your ServiceNow AI Platform®. Update the Provider name in your API integrations to improve monitoring capabilities:
    • For OAuth integrations, update the provider name using the Provider name field. For more information, see OAuth inbound.
    • For Basic authentication integrations, update the Provider name in the integration registration form. For more information about the integration registration form, see View Inbound API Integration Usage dashboard.
    Zurich Patch 1
    OAuth token enhancement
    Use the Opaque or JWT token option for your inbound integration endpoints.
    Zurich
    • Experience the new Inbound integration configuration in the Machine Identity Console.
    • Use the new MFA Dashboard to understand insights such as MFA user enrollment, privileged admins who haven't opted in to MFA, and compliance.
    • Use the FIDO factor policy to enforce FIDO-based authentication.
    • Use the enhanced SSO login and logout experience.
    • Configure the authentication policies to restrict access, reduce roles, or enforce MFA based on Identity Provider (IdP) attributes that are received from the OIDC response.

    See Authentication for more information.

    New in the Zurich release

    Machine Identity Console
    Manage your inbound integration with ServiceNow's Machine Identity Console. Inbound integration in Machine Identity Console provides a simplified configuration experience for your inbound integrations.
    Multi-factor Authentication dashboard
    Use the new MFA Dashboard to understand insights such as MFA user enrollment, privileged admins who haven't opted in to MFA, and compliance. You can verify that all users have MFA enabled for enhanced security with the help of the MFA Dashboard.
    Multi-factor Authentication Guided Setup
    Use the new MFA Guided Setup to configure multi-factor authentication (MFA) for users who currently log in to ServiceNow with only a user name and password. This update enhances security by guiding administrators through the MFA setup process and verifying that all users are protected with an additional layer of authentication.
    Identity Provider attributes for OpenID Connect
    Use the Identity Provider (IdP) attributes received in the OIDC response from the Identity Provider as filter criteria for authentication.

    UI changes

    Coral theme
    Coral is now the default theme for new portal, web, and mobile experiences with Next Experience or Core UI enabled. This theme provides a fresh look and feel, featuring brand-neutral illustrations to enhance your user experience. A dark theme option is available for web and mobile experiences.

    Changed in this release

    Enhanced SSO login and logout experience
    Use the enhanced SSO login and logout experience. Enhancements include:
    • Display of active SAML and OIDC Identity Providers (IdPs) on the ServiceNow platform and portal login pages.
    • Assignment of users to specific groups during SAML and OIDC auto-provisioning.
    • OIDC setup with a shared well-known URL. The OIDC configurations can use the same well-known URL of the IdPs for multiple SSO records.
    • Display of login failure reasons to users who were logged out of ServiceNow due to session expiry or other reasons. After a successful logout, use the login link on the external logout page to log in to ServiceNow again.
    • Display of a generic error message for unsuccessful single logout.
    • Enhanced email notifications for SAML certificate and encryption key store updates.
    FIDO2 as an MFA factor
    Use the FIDO factor policy to enforce FIDO (a hardware key or biometric) as the second authentication factor for users who attempt to log in to the instance.
    OAuth integrations
    Configure OAuth integration that includes the following enhancements:
    • You can provide a client secret of up to 4096 characters to meet the security requirements of third-party systems.
    • You can provide a JSON Web Key Set (JWKS) URL to automatically manage and update the public key for JSON Web Token (JWT) signature validation.
    • You can request OAuth tokens using the JWT grant type with inbound JSON Web Tokens (JWT) signed with Elliptic Curve Digital Signature Algorithm (ES) signing algorithms, including ES256, ES384, and ES512. RS256, RS384, RS512, HS256, HS384, and HS512 are also supported.
    • You can customize the JWT ID (JTI) claim name in both inbound OpenID Connect (OIDC) and JWT Bearer flows.
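
The following is an added example, not ServiceNow code or its implementation: a receiver-side check for an inbound JWT assertion that pins the accepted signing algorithms and reads the token ID from a configurable claim name to reject replays. The names `AssertionValidator`, `sign`, the `txn_id` claim and the secret are hypothetical, and only the HS256/HS384/HS512 subset is implemented so that it runs on the Python standard library.

```python
import base64, hashlib, hmac, json, time

# HMAC subset of the algorithms listed above (ES*/RS* would need a crypto library).
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(claims: dict, secret: bytes, alg: str = "HS256") -> str:
    """Client side: build a constructed test assertion."""
    body = ".".join(b64url(json.dumps(p).encode()) for p in ({"alg": alg, "typ": "JWT"}, claims))
    return body + "." + b64url(hmac.new(secret, body.encode(), HMAC_ALGS[alg]).digest())

class AssertionValidator:
    """Hypothetical receiver-side check with a configurable token ID claim name."""
    def __init__(self, secret: bytes, allowed_algs, jti_claim: str = "jti"):
        self.secret, self.jti_claim = secret, jti_claim
        self.allowed = set(allowed_algs) & set(HMAC_ALGS)
        self.seen = {}  # token ID -> expiry, kept only while the token could still be valid

    def validate(self, token: str, now: float = None) -> dict:
        now = time.time() if now is None else now
        try:
            head, payload, sig = token.split(".")
            alg = json.loads(unb64url(head)).get("alg")
        except (ValueError, AttributeError):
            raise ValueError("malformed token")
        # The header only selects among configured algorithms; "none" is never in the list.
        if not isinstance(alg, str) or alg not in self.allowed:
            raise ValueError("algorithm not allowed")
        expected = hmac.new(self.secret, f"{head}.{payload}".encode(), HMAC_ALGS[alg]).digest()
        if not hmac.compare_digest(expected, unb64url(sig)):
            raise ValueError("bad signature")
        claims = json.loads(unb64url(payload))
        exp, token_id = claims.get("exp"), claims.get(self.jti_claim)
        if not isinstance(exp, (int, float)) or exp <= now:
            raise ValueError("expired or missing exp")
        if not isinstance(token_id, str) or not token_id:
            raise ValueError("missing token ID claim")
        # Drop expired IDs, then refuse any ID that was already presented (replay).
        self.seen = {k: v for k, v in self.seen.items() if v > now}
        if token_id in self.seen:
            raise ValueError("replayed token")
        self.seen[token_id] = exp
        return claims
```

If the sender and receiver disagree on the token ID claim name, the assertion fails closed with "missing token ID claim" rather than being accepted without replay protection.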

    Deprecations

    Due to the launch of the new simplified inbound integration configuration in Machine Identity Console, the following inbound integration configurations in the Application registry page are deprecated:
    • OAuth API endpoint for external clients
    • OAuth JWT API endpoint for external clients
    • OIDC provider to verify ID tokens

    Activation information

    Authentication is a ServiceNow AI Platform product that is active by default.