To integrate ServiceNow with Azure AD, you configure Azure AD as the Identity Provider (IdP). This involves creating an Enterprise Application in Azure AD and then configuring its single sign-on settings.
First, navigate to the Azure AD portal and sign in with your credentials. Then click Enterprise Applications and select New Application.
Next, search for ServiceNow in the search bar and select the application from the results. You can also enter the application details manually if you have them.
Now open the ServiceNow application and click the Configure button to begin the configuration process.
Azure Setup
To set up Azure AD integration with ServiceNow, you'll need to start by configuring Azure AD. This involves going to portal.azure.com and logging in with your credentials.
You'll then click on Azure Active Directory in the menu to your left. From there, you'll select "SAML-based Sign-on" and enter your instance URL in the "Sign on URL" and the "Identifier". Click on "Save" to save your changes.
In case your new certificate is in status "New", click the "Make new certificate active" checkbox and then click Save. If your certificate is already in status "Active", you can skip this step.
You'll also need to check the checkbox "Manually configure single sign-on" and scroll down to locate the "Quick Reference". Copy the "Azure AD Single Sign-On Service URL", the "Azure AD Sign Out URL", and the "Azure AD SAML Entity ID" as you'll need this information later.
Here are the steps to follow:
1. Go to portal.azure.com and login with your credentials.
2. Click on Azure Active Directory in the menu to your left.
3. Select "SAML-based Sign-on" and enter your instance URL in the "Sign on URL" and the "Identifier".
4. Click on "Save" to save your changes.
5. Check the checkbox "Manually configure single sign-on".
6. Scroll down to locate the "Quick Reference" and copy the necessary information.
By following these steps, you'll be well on your way to setting up Azure AD integration with ServiceNow.
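As an added example (not code from the page or its sources), the following Python pulls the three Quick Reference values and the signing certificate out of the IdP's federation metadata instead of copying them by hand, and refuses metadata that has no signing key or a non-https endpoint. The metadata document is a constructed, trimmed sample with a placeholder tenant id and certificate.

```python
import base64
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

# Constructed, trimmed federation metadata: all-zero tenant id placeholder and a certificate
# body that is just base64 of the text PLACEHOLDER-CERT, not a real certificate.
SAMPLE_METADATA = """<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://sts.windows.net/00000000-0000-0000-0000-000000000000/">
  <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor use="signing"><KeyInfo xmlns="http://www.w3.org/2000/09/xmldsig#">
      <X509Data><X509Certificate>UExBQ0VIT0xERVItQ0VSVA==</X509Certificate></X509Data>
    </KeyInfo></KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
      Location="https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/saml2"/>
  </IDPSSODescriptor>
</EntityDescriptor>"""


def _endpoint(idp, service):
    """HTTP-Redirect Location of the named service; refuse anything that is not https."""
    for el in idp.findall(f"md:{service}", NS):
        if el.get("Binding") == REDIRECT:
            loc = el.get("Location", "")
            if not loc.startswith("https://"):
                raise ValueError(f"{service} endpoint is not https: {loc}")
            return loc
    raise ValueError(f"metadata has no HTTP-Redirect {service}")


def extract_idp_settings(metadata_xml):
    """Return the Quick Reference values (entity id, SSO URL, sign-out URL) and signing certs."""
    root = ET.fromstring(metadata_xml)
    idp = root.find("md:IDPSSODescriptor", NS)
    if root.tag != f"{{{NS['md']}}}EntityDescriptor" or idp is None:
        raise ValueError("not SAML identity-provider metadata")
    certs = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        if kd.get("use", "signing") != "signing":
            continue  # an encryption-only key cannot verify response signatures
        for c in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS):
            body = "".join(c.text.split())
            base64.b64decode(body, validate=True)  # catches a truncated copy-paste
            certs.append(body)
    if not certs:
        raise ValueError("no signing certificate: responses could not be verified")
    return {"entity_id": root.get("entityID"), "signing_certs": certs,
            "sso_url": _endpoint(idp, "SingleSignOnService"),
            "logout_url": _endpoint(idp, "SingleLogoutService")}
```

The three returned URLs and the certificate are what you paste into the ServiceNow identity provider record; if the certificate later rolls over, re-run this against the new metadata rather than editing the record by hand.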
User Provisioning
To configure user provisioning, you'll need to follow these steps:
In the Azure Management classic portal, click Configure user provisioning on the ServiceNow application integration page.
You'll then be asked for the ServiceNow credentials that enable automatic user provisioning:
- ServiceNow Instance Name: type the name of your ServiceNow instance.
- ServiceNow Admin User Name: type the name of your ServiceNow admin account.
- ServiceNow Admin Password: type the password for this account.
- Validate your configuration to confirm that Azure AD can connect with these credentials.
If you want to provision all users to this application, select “Automatically provision all user accounts in the directory to this application”. Then, click Complete to save your configuration.
To test your configuration, grant access to the Azure AD users you want to allow to use the application by assigning them to it.
To assign users to ServiceNow, you can follow these steps:
1. Go to the Azure Management classic portal and select the users you want to assign.
2. Click on the “Add user” button and select the users from the list.
3. Click on the “Assign” button to complete the assignment.
By following these steps, you can configure user provisioning and assign users to ServiceNow. This will enable automatic user provisioning and ensure that your users have access to the application.
It's worth noting that you can also use SCIM (System for Cross-domain Identity Management) to provision users. SCIM allows you to provision users based on conditions, such as to exclude generic or service accounts.
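As an added example, not code from the page or from ServiceNow or Microsoft, this Python shows what condition-based SCIM provisioning amounts to: a scoping filter that drops guests and service accounts, the SCIM 2.0 User resource a connector would send for the rest, and a PATCH that deactivates leavers. The directory records and the service-account prefixes are constructed sample data.

```python
# Constructed directory export used as input; names and domain are sample data, not real accounts.
DIRECTORY_USERS = [
    {"upn": "alice@contoso.example", "given": "Alice", "family": "Ng", "enabled": True, "type": "Member", "dept": "IT"},
    {"upn": "svc-backup@contoso.example", "given": "Backup", "family": "Svc", "enabled": True, "type": "Member", "dept": "IT"},
    {"upn": "bob@contoso.example", "given": "Bob", "family": "Lee", "enabled": False, "type": "Member", "dept": "Finance"},
    {"upn": "eve_fabrikam.example#EXT#@contoso.example", "given": "Eve", "family": "Ko", "enabled": True, "type": "Guest", "dept": ""},
]
# Hypothetical scoping rules: the naming prefixes an organisation uses for generic/service accounts.
SERVICE_PREFIXES = ("svc-", "svc_", "admin-", "noreply", "mailbox-")
SCIM_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
SCIM_PATCH = "urn:ietf:params:scim:api:messages:2.0:PatchOp"


def in_scope(user):
    """(bool, reason): which directory accounts are allowed to be provisioned into ServiceNow."""
    if user["type"] != "Member":
        return False, "guest or external identity"
    if user["upn"].split("@", 1)[0].lower().startswith(SERVICE_PREFIXES):
        return False, "service or generic account"
    if not user["dept"]:
        return False, "no department to map"
    return True, "in scope"


def to_scim_user(user):
    """SCIM 2.0 User resource (RFC 7643 core + enterprise extension) as a connector would POST it."""
    return {"schemas": [SCIM_USER, SCIM_ENTERPRISE], "userName": user["upn"], "active": user["enabled"],
            "name": {"givenName": user["given"], "familyName": user["family"]},
            "emails": [{"value": user["upn"], "type": "work", "primary": True}],
            SCIM_ENTERPRISE: {"department": user["dept"]}}


def deactivate_patch():
    """Leaver handling: PATCH active=false instead of DELETE so the ServiceNow record and its audit trail survive."""
    return {"schemas": [SCIM_PATCH], "Operations": [{"op": "replace", "path": "active", "value": False}]}


def plan(users):
    """Split a directory export into the create/deactivate/skip actions a scoped sync would issue."""
    actions = {"create": [], "deactivate": [], "skip": []}
    for u in users:
        ok, why = in_scope(u)
        if not ok:
            actions["skip"].append((u["upn"], why))
        elif u["enabled"]:
            actions["create"].append(to_scim_user(u))
        else:
            actions["deactivate"].append((u["upn"], deactivate_patch()))
    return actions
```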
Prerequisites
To integrate ServiceNow with Azure AD, you'll need to meet some prerequisites. First and foremost, you'll need a Microsoft Entra subscription, which you can get for free if you don't already have one.
You'll also need a ServiceNow single sign-on (SSO) enabled subscription, which is a requirement for this integration to work. Make sure your ServiceNow instance or tenant runs one of the following versions: Calgary, Kingston, London, Madrid, New York, Orlando, Paris, or San Diego.
For ServiceNow Express, you'll need an instance of Helsinki version or later. Additionally, the ServiceNow tenant must have the Multiple Provider Single Sign On Plugin enabled. This plugin is crucial for the integration to work, so double-check that it's enabled.
To install the ServiceNow Agent (Mobile) application, head to the appropriate store and search for the ServiceNow Agent application. Once you've found it, download it to get started.
Implementation
To implement ServiceNow Azure AD integration, start by clicking "Configure single sign-on (Required)" under the "Quick start" section.
You'll need to have Azure Active Directory Premium Plan 1 to set this up.
In Azure, go to portal.azure.com and login with your credentials, then click on Azure Active Directory in the menu to your left.
To set up SAML-based Sign-on, select it and enter your instance URL in the "Sign on URL" and the "Identifier", then click on "Save".
Make sure your certificate is in status "Active" by clicking the "Make new certificate active" checkbox and then clicking Save.
You'll need to manually configure single sign-on by checking the checkbox "Manually configure single sign-on".
To test single sign-on, click on "Assign a user for testing (required)" and pick a user to add to the list.
To support two authentication methods at the same time, you may need to create them as two identity providers or use a more generic authentication class such as "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/unspecified".
Setup and Testing
To set up ServiceNow Azure AD integration, you'll need to navigate to portal.azure.com and log in with your credentials. Click on Azure Active Directory in the menu to your left.
First, select "SAML-based Sign-on" and enter your instance URL in the "Sign on URL" and the "Identifier". Click on "Save".
You'll also need to check the checkbox "Manually configure single sign-on". Scroll down and locate the "Quick Reference" to copy the necessary URLs.
Go back to the "Quick start" and click on "Assign a user for testing (required)". Pick a user that you wish to test with and add it to the list.
To test SSO, select the ServiceNow tile in the Access Panel; you should be signed in automatically to the ServiceNow instance for which you set up SSO.
If you want to support both SAML and LDAPS methods at the same time, you may need to have them created as two identity providers or use a more generic authentication class.
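The Implementation section and the paragraph above both recommend a generic authentication class when two identity providers must coexist. This added example (not from the page or its sources) shows why with the exact-match check a service provider applies to an assertion's AuthnContextClassRef: a specific required class only admits logins from an IdP that asserts exactly that class, while the unspecified class admits either. The assertion fragments are constructed samples and the Password/X509 classes are illustrative stand-ins for two IdPs' methods.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Either form tells the SP that no particular method is required: the first is the value the
# text above names, the second is the SAML 2.0 authentication-context equivalent.
UNSPECIFIED = {
    "http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/unspecified",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified",
}
PASSWORD = "urn:oasis:names:tc:SAML:2.0:ac:classes:Password"
PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
X509 = "urn:oasis:names:tc:SAML:2.0:ac:classes:X509"


def assertion_with_class(authn_class):
    """Constructed, minimal assertion fragment carrying one AuthnContextClassRef (sample only)."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" Version="2.0" ID="_1">'
        '<saml:AuthnStatement AuthnInstant="2024-01-01T00:00:00Z"><saml:AuthnContext>'
        f"<saml:AuthnContextClassRef>{authn_class}</saml:AuthnContextClassRef>"
        "</saml:AuthnContext></saml:AuthnStatement></saml:Assertion>"
    )


def authn_classes(assertion_xml):
    """All classes the IdP asserted (one per AuthnStatement)."""
    root = ET.fromstring(assertion_xml)
    path = ".//saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef"
    return [e.text.strip() for e in root.findall(path, NS) if e.text]


def class_accepted(assertion_xml, required_class):
    """Exact-comparison check: does the assertion satisfy the class configured on the IdP record?"""
    asserted = authn_classes(assertion_xml)
    if not asserted:
        return False  # no AuthnStatement at all: refuse rather than guess
    if required_class in UNSPECIFIED:
        return True  # accept whatever method the IdP actually used
    return required_class in asserted


def which_idps_work(required_class, idp_classes):
    """For each IdP's class, would a login through that IdP succeed under this SP setting?"""
    return {c: class_accepted(assertion_with_class(c), required_class) for c in idp_classes}
```

Note that the unspecified class also means the SP no longer insists on any particular method, so if you need MFA enforced, enforce it at the IdP (for example with a Conditional Access policy) rather than through this field.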