
Simplify federated external access to Service Now

The following steps highlight how to enable ADFS & Service-Now integration to support the following scenarios:

  • Forms-based authentication when logging on from outside the company network
  • Windows Integrated Authentication when logging on from inside the company network

Service-Now uses the SAML 2.0 Web Browser SSO Profile to request a federated logon from ADFS. As part of that request it specifies the SAML Authentication Context to use for the logon.

 

authnContextClassRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport");

 

This specifies the authentication mechanism ServiceNow prefers to use. To enforce Windows authentication, you would instead provide:

 

authnContextClassRef.setAuthnContextClassRef("urn:federation:authentication:windows");

 

However, to support both mechanisms depending on whether the user is internal or external, ServiceNow has to be configured to let ADFS make that decision.


The SAML 2.0 specification provides a Comparison attribute that can be set on the RequestedAuthnContext element. It lets the Service Provider recommend which authentication mechanism to use; the final decision, however, is made by ADFS or any other SAML 2.0 compliant STS.

For details here is a reference.


Values supported by ADFS:

  • Better
  • Exact
  • Maximum
  • Minimum

Out of the box, ServiceNow sets this attribute to Exact, which forces only one form of authentication.

If you are looking for a flexible authentication mechanism, look for the following line in the ServiceNow Script Object:

 

requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.EXACT);

 

and modify that to:

 

requestedAuthnContext.setComparison(AuthnContextComparisonTypeEnumeration.MINIMUM);
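
The sketch below is an added example, not ServiceNow or ADFS code and not part of the original post. It models how the Comparison value changes which context classes satisfy a request for a single class, and how a Service Provider can check the class returned in the assertion. The function names and the two-entry strength ranking are assumptions; SAML leaves the actual ordering to the responder.

```javascript
// Added illustration; names and ranking are hypothetical, not ServiceNow/ADFS APIs.
const PPT = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport";
const WIA = "urn:federation:authentication:windows";

// ASSUMPTION: strength ranking, weakest first. It matches the behaviour the
// post describes (Windows authentication satisfies a "minimum" request for
// PasswordProtectedTransport). A real IdP applies its own ordering.
const RANKING = [PPT, WIA];

// Render the element a Service Provider places in its AuthnRequest.
// On the wire the Comparison values are lowercase.
function requestedAuthnContextXml(comparison, classRef) {
  return `<samlp:RequestedAuthnContext Comparison="${comparison}">` +
         `<saml:AuthnContextClassRef>${classRef}</saml:AuthnContextClassRef>` +
         `</samlp:RequestedAuthnContext>`;
}

// Context classes that satisfy a request for one class under each Comparison.
function acceptableClasses(comparison, requested, ranking = RANKING) {
  const want = ranking.indexOf(requested);
  if (want < 0) throw new Error(`unranked context class: ${requested}`);
  switch (comparison) {
    case "exact":   return [requested];              // only the requested class
    case "minimum": return ranking.slice(want);      // at least as strong
    case "better":  return ranking.slice(want + 1);  // strictly stronger
    case "maximum": return ranking.slice(0, want + 1); // never stronger; the
                    // responder should pick the strongest of these it can do
    default: throw new Error(`unknown Comparison value: ${comparison}`);
  }
}

// SP-side check on the AuthnContextClassRef returned in the assertion.
// Classes missing from the ranking are rejected rather than guessed at.
function assertionSatisfies(comparison, requested, returned, ranking = RANKING) {
  return acceptableClasses(comparison, requested, ranking).includes(returned);
}

// Demo: the out-of-the-box setting versus the modified one.
for (const cmp of ["exact", "minimum"]) {
  console.log(requestedAuthnContextXml(cmp, PPT));
  console.log(`  forms login accepted:   ${assertionSatisfies(cmp, PPT, PPT)}`);
  console.log(`  windows login accepted: ${assertionSatisfies(cmp, PPT, WIA)}`);
}
```

With MINIMUM the Service Provider can receive either context class, so any policy that depends on how the user authenticated should read the class from the assertion rather than assume it.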

 
