What is SAML
SAML (Security Assertion Markup Language) is an XML-based standard for web browser single sign-on (SSO) that removes the need for application-specific passwords. SAML carries authentication and authorization data from an identity provider to a cloud application (the service provider) in digitally signed XML assertions; the assertions are short-lived, addressed to one specific recipient, and meant to be accepted only once, and the two parties must already have an established trust relationship.
Single sign on (SSO) Authentication
Suppose you have built an application at instance A and now want a new deployment at instance B to accept the same login credentials. In fact you want more: users who are already logged in at instance A should already be logged in at instance B, without signing in again. That is what SSO is about.
OKTA
Okta provides SSO to applications deployed in the cloud or on premises, and supports mobile applications as well. Once a user has signed in to Okta, the integrated applications can get on with their actual functions without having to handle authentication themselves.
How SAML Works
SAML for web browser SSO involves three parties: a user, an identity provider (IdP), and a cloud application acting as service provider (SP), here ServiceNow (SNOW). The IdP holds the user's identity in a directory such as Active Directory. The user connects to the SP and attempts to log in. Once the SP has looked up the username (ServiceNow uses it to decide which IdP the user belongs to), it delegates authentication to the IdP by redirecting the browser there with a SAML AuthnRequest. The IdP authenticates the user against its existing identity store and returns a signed SAML Response containing an assertion with the user's details, which the browser delivers to the SP's assertion consumer URL. The SP verifies the signature, checks that the Destination, Recipient and Audience in the response match its own configuration and that the assertion is inside its validity window, and only then grants the user the relevant access to the application.
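The checks the SP performs in that last step, written out as an added example (this is not code from the original post, nor ServiceNow's or Okta's implementation). It assumes the XML signature over the Response has already been verified against the IdP's certificate with a library such as python-xmlsec, and then applies the remaining checks that the Okta settings Destination URL and Recipient URL and the ServiceNow setting Audience URI exist to enforce, plus the validity window, InResponseTo correlation and one-time use of the assertion ID. The instance name dev12345, the Okta entity ID and the sample response are all constructed.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Hypothetical SP configuration, as ServiceNow would hold it for one Identity Provider record.
SP_ACS_URL = "https://dev12345.service-now.com/navpage.do"  # Okta's Destination URL / Recipient URL
SP_ENTITY_ID = "https://dev12345.service-now.com"           # Audience URI
IDP_ENTITY_ID = "http://www.okta.com/exk000000000000000"    # placeholder Okta issuer
CLOCK_SKEW = timedelta(minutes=3)
DEMO_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)  # fixed clock so the demo is deterministic


class SamlError(Exception):
    pass


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validate_response(xml_text, expected_request_id, seen_assertion_ids, now):
    """Return (name_id, attributes) or raise SamlError.
    Precondition: the XML signature was already verified against the IdP's certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["samlp"]:
        raise SamlError("not a samlp:Response")
    if root.get("Destination") != SP_ACS_URL:  # only consumable at this SP's ACS endpoint
        raise SamlError("Destination mismatch")
    if root.get("InResponseTo") != expected_request_id:  # ties it to the AuthnRequest we sent
        raise SamlError("InResponseTo mismatch")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise SamlError("status is not Success")
    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        raise SamlError("expected exactly one Assertion")
    a = assertions[0]
    if a.findtext("saml:Issuer", "", NS) != IDP_ENTITY_ID:
        raise SamlError("Issuer is not the trusted IdP")
    aid = a.get("ID")  # single use: the same assertion ID is never accepted twice
    if not aid or aid in seen_assertion_ids:
        raise SamlError("assertion replayed or missing ID")
    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotOnOrAfter") is None:
        raise SamlError("missing Conditions/NotOnOrAfter")
    nb = cond.get("NotBefore")
    if nb and _parse_ts(nb) - CLOCK_SKEW > now:
        raise SamlError("assertion not yet valid")
    if _parse_ts(cond.get("NotOnOrAfter")) + CLOCK_SKEW <= now:
        raise SamlError("assertion expired")
    # Audience: minted for this SP's Entity ID, not for another app behind the same IdP.
    audiences = [e.text for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise SamlError("Audience mismatch")
    sc = a.find("saml:Subject/saml:SubjectConfirmation", NS)
    scd = sc.find("saml:SubjectConfirmationData", NS) if sc is not None else None
    if scd is None or sc.get("Method") != BEARER:
        raise SamlError("missing bearer SubjectConfirmation")
    # Recipient: the bearer assertion was addressed to this ACS URL and to our request.
    if scd.get("Recipient") != SP_ACS_URL or scd.get("InResponseTo") != expected_request_id:
        raise SamlError("Recipient or InResponseTo mismatch on SubjectConfirmationData")
    if _parse_ts(scd.get("NotOnOrAfter")) + CLOCK_SKEW <= now:
        raise SamlError("SubjectConfirmationData expired")
    seen_assertion_ids.add(aid)  # record only after every check has passed
    name_id = a.findtext("saml:Subject/saml:NameID", "", NS)
    attrs = {att.get("Name"): [v.text for v in att.findall("saml:AttributeValue", NS)]
             for att in a.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return name_id, attrs


def build_sample_response(now=DEMO_NOW, **o):
    """Constructed, unsigned Okta-style Response; keyword overrides tamper with one field."""
    v = dict(dest=SP_ACS_URL, recipient=SP_ACS_URL, audience=SP_ENTITY_ID, issuer=IDP_ENTITY_ID,
             aid="_a1", req="_req1", not_before=_ts(now - timedelta(minutes=1)),
             not_after=_ts(now + timedelta(minutes=5)))
    v.update(o)
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0"
    IssueInstant="{_ts(now)}" Destination="{v['dest']}" InResponseTo="{v['req']}">
  <saml:Issuer>{v['issuer']}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="{v['aid']}" Version="2.0" IssueInstant="{_ts(now)}">
    <saml:Issuer>{v['issuer']}</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe</saml:NameID>
      <saml:SubjectConfirmation Method="{BEARER}"><saml:SubjectConfirmationData
        Recipient="{v['recipient']}" InResponseTo="{v['req']}" NotOnOrAfter="{v['not_after']}"/>
      </saml:SubjectConfirmation></saml:Subject>
    <saml:Conditions NotBefore="{v['not_before']}" NotOnOrAfter="{v['not_after']}">
      <saml:AudienceRestriction><saml:Audience>{v['audience']}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement><saml:Attribute Name="Email">
      <saml:AttributeValue>jane.doe@example.com</saml:AttributeValue></saml:Attribute></saml:AttributeStatement>
  </saml:Assertion></samlp:Response>"""
```

`validate_response(build_sample_response(), "_req1", set(), DEMO_NOW)` returns the NameID `jdoe` and the Email attribute, while `build_sample_response(recipient="https://attacker.example/acs")` or `build_sample_response(audience="https://other-app.example")` is rejected, and presenting the same assertion twice with the same `seen_assertion_ids` set is rejected as a replay. Each rejection corresponds to one setting in the steps that follow: Destination URL and Recipient URL in the Okta app, Audience URI in the ServiceNow identity provider record.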
Okta Integration with ServiceNow
Set up SAML Application in Okta
- Log in to the Okta organization as a user with administrative privileges.
- Click the “Admin” option.
- Click “Add Application”, then click the “Create New App” button.
- In the new dialog, select the “SAML 2.0” option, then click the “Create” button.
- In “General Settings”, enter name of the application in the “App name” field, then click the “Next” button.
- In “Configure SAML” under “SAML Settings”, enter the ServiceNow instance URL in the “Single sign on URL” field.
- Uncheck “Use this for Recipient URL and Destination URL” and enter the “Recipient URL” and “Destination URL” for your ServiceNow instance. These are the values Okta writes into the Destination and Recipient fields of the SAML response, so they must match the URL on which ServiceNow receives the response.
- In the ‘Attribute Statements’ section, add three attribute statements:
- ‘FirstName’ set to ‘user.firstName’
- ‘LastName’ set to ‘user.lastName’
- ‘Email’ set to ‘user.email’
- Click Next to continue.
- In “Feedback”, two questions are presented:
- For “Are you a customer or partner?”, select “I’m an Okta customer adding an internal app”, and
- For “App type”, check “This is an internal app that we have created”.
- Click Finish.
- The ‘Sign On’ section of your newly created ‘Okta ServiceNow’ application appears. Click ‘View Setup Instructions’.
- Keep this page open in a separate tab or browser window. You will return to this page later in this guide and copy the XML from ‘Provide the following IDP metadata to your SP provider’.
- Right-click on the ‘Assignments’ section of the ‘Okta ServiceNow’ application and select ‘Open Link In New Tab’ (so that you can come back to the ‘Sign On’ section later).
- Click ‘Assign’ > ‘Assign to People’.
- A pop-up titled ‘Assign Example SAML Application to People’ opens (the title contains the app name you chose).
- Search for the username.
- Click ‘Assign’ button next to the user entry in the search result list.
- Verify details of the user to confirm.
- Click ‘Save and Go Back’.
- Click ‘Done’.
- The next step is to configure SAML in ServiceNow.
The information in the separate tab opened earlier contains the XML Metadata which will be required to configure SAML in ServiceNow.
Configuring SAML with the Multi-Provider SSO Plugin
- Log in to ServiceNow using System Administrator credentials.
- The plugin “Integration – Multiple Provider Single Sign-On Installer” must be activated first:
- Navigate to System Definitions > Plugins.
- Search for “Integration – Multiple Provider Single Sign-On Installer” using the search bar.
- Select the plugin entry, Right-click and select Activate/Upgrade from the context menu.
- With this, the Multiple Provider Single Sign-On plugin is activated.
Configure Single Sign-On settings for use in ServiceNow
- Navigate to Multi-Provider SSO Configuration form using the Filter navigator.
- Select Identity Providers option under the listed modules.
- Click ‘SAML2 Update1’.
- Click on Import IDP Metadata.
- Select ‘XML’ and paste the IdP metadata XML copied from the Okta setup instructions page.
- Importing the metadata stores the IdP's signing certificate as an X.509 Certificate record and auto-populates the identity provider URLs and issuer from the metadata.
- Fill in the instance details ‘ServiceNow Homepage’, ‘Entity ID / Issuer’ and ‘Audience URI’ for your instance. The Audience URI must be exactly the value Okta puts in the assertion's audience restriction, otherwise ServiceNow rejects the assertion.
- In the Advanced tab set ‘User Field’ to user_name; this is the sys_user column that the NameID in the assertion is matched against.
- Click Save.
- Navigate to Multi-Provider SSO > Administration > Properties from the filter navigator.
- Mark the checkbox for the field Enable multiple provider SSO.
- Click Save to save the configuration.
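What the ‘Import IDP Metadata’ step above actually extracts from the Okta XML, as an added example (not ServiceNow's or Okta's code): a parser for SAML 2.0 IdP metadata that pulls out the entity ID, the single sign-on and logout endpoints and the signing certificate, and refuses metadata an SP should not trust (no signing certificate, plaintext endpoints, a descriptor that is not an IdP's). The metadata below is constructed: the tenant host example.okta.com, the app path and the exk... entity ID are placeholders, and the certificate body is base64("PLACEHOLDER") rather than a real DER blob. The mapping in the comments onto ServiceNow's identity provider record fields is approximate.

```python
import base64
import xml.etree.ElementTree as ET

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"
NS = {"md": MD, "ds": DS}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed Okta-style IdP metadata. The entity ID, tenant host and app path are
# placeholders, and the certificate is base64("PLACEHOLDER"), not a real X.509 DER blob.
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" entityID="http://www.okta.com/exk000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="{DS}"><ds:X509Data>
        <ds:X509Certificate>UExBQ0VIT0xERVI=</ds:X509Certificate>
      </ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="{POST}"
        Location="https://example.okta.com/app/okta_servicenow/exk000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="{REDIRECT}"
        Location="https://example.okta.com/app/okta_servicenow/exk000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


class MetadataError(Exception):
    pass


def parse_idp_metadata(xml_text):
    """Extract what an SP needs from SAML 2.0 IdP metadata, rejecting metadata it cannot trust."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{MD}}}EntityDescriptor":
        raise MetadataError("root element is not md:EntityDescriptor")
    entity_id = root.get("entityID")
    if not entity_id:
        raise MetadataError("missing entityID")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise MetadataError("no IDPSSODescriptor: this is not identity provider metadata")
    # Signing certificates: KeyDescriptor with use="signing", or with no use attribute (= both uses).
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            b64 = "".join((c.text or "").split())  # PEM-style line wrapping is allowed
            try:
                base64.b64decode(b64, validate=True)  # reject garbage before storing it
            except ValueError:
                raise MetadataError("certificate is not valid base64")
            certs.append(b64)
    if not certs:
        raise MetadataError("no signing certificate: SAML responses could never be verified")
    sso = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleSignOnService", NS)}
    slo = {s.get("Binding"): s.get("Location") for s in idp.findall("md:SingleLogoutService", NS)}
    for loc in list(sso.values()) + list(slo.values()):
        if not loc or not loc.startswith("https://"):  # never redirect users to a plaintext IdP endpoint
            raise MetadataError(f"endpoint is not https: {loc!r}")
    return {
        "entity_id": entity_id,                 # ServiceNow: identity provider URL / issuer
        "sso_redirect_url": sso.get(REDIRECT),  # where the SP sends the AuthnRequest
        "sso_post_url": sso.get(POST),
        "slo_redirect_url": slo.get(REDIRECT),  # logout endpoint, if the IdP publishes one
        "name_id_formats": [e.text for e in idp.findall("md:NameIDFormat", NS)],
        "want_authn_requests_signed": idp.get("WantAuthnRequestsSigned", "false") == "true",
        "signing_certs": certs,                 # stored as X.509 Certificate record(s)
    }


if __name__ == "__main__":
    for k, v in parse_idp_metadata(SAMPLE_IDP_METADATA).items():
        print(f"{k}: {v}")
```

The two refusals worth noting are the missing signing certificate and the non-https endpoint: without the certificate the SP has nothing to verify the response signature against, and an http SSO location would send users' browsers (and the RelayState) over plaintext. Running the sample with `use="signing"` changed to `use="encryption"` triggers the first, and changing the Locations to http:// triggers the second.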
ServiceNow User Configuration with Okta SSO
- Navigate to the Users form using the Filter Navigator.
- Select any user entry and drill down to user details.
- Click the menu button, select Configure > Form Design.
- Select the SSO Source field and drag it onto the User form.
- Save the form design and close the tab.
- Navigate back to the User form on the previous tab.
- Select the user entry and drill down to the user details.
- In the SSO Source field, enter sso:<sys_id>, where <sys_id> is the sys_id of the Identity Provider record created with the Multi-Provider SSO plugin.
- Click Update.
- Navigate to Multi-Provider SSO > Identity Providers using the filter navigator.
- Click ‘Test Connection’, sign in with the Okta credentials of a user assigned to the application, then click ‘Activate’. This activates the identity provider.
- If Test Connection reports an error, the IdP cannot be activated; fix the configuration and test again.
Testing:
- Test with the Okta account assigned earlier: sign in to Okta and click the ‘Okta ServiceNow’ application tile. It redirects to your ServiceNow instance and logs you in (this is the IdP-initiated flow).
Your users can also start SP-initiated SAML with ServiceNow in two ways:
- Using the ‘Use external login’ option on the ServiceNow login page, which redirects to Okta for SSO authentication.
- OR, a URL of the form https://[ServiceNowInstance]/login_with_sso.do?glide_sso_id=<> can be used, where <> is the sys_id of the IdP record.
- Because that sys_id is not normally visible to users, the URL form is the exception rather than the standard way to log in.
We are confident this blog will help you set up SAML 2.0 SSO authentication between Okta and ServiceNow; comments and suggestions are most welcome.
We have posted further blogs on other topics as well and will come back frequently with something new.