The following steps highlight how to enable ADFS & Service-Now integration to support the following scenarios:
- Forms-based authentication when logging on from outside the company network
- Windows Integrated Authentication when logging on from inside the company network
Service-Now uses the SAML 2.0 Web Browser SSO Profile to request a federated logon from ADFS. In this request it specifies a SAML Authentication Context to use for the logon process.
This specifies the authentication protocol ServiceNow prefers to use for authentication. To enforce Windows authentication you would have provided:
However, to support both mechanisms depending on whether the user is internal or external, ServiceNow has to be configured to let ADFS make that decision.
The SAML 2.0 specification provides a Comparison attribute that can be set on the RequestedAuthenticationContext object. It lets the Service Provider make a recommendation on which authentication mechanism to use. However, the final decision is made by ADFS or any SAML 2.0 compliant STS.
For details here is a reference.
Values supported by ADFS:
Out of the box, ServiceNow sets this attribute to Exact, which is what forces only one form of authentication.
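To confirm what an instance actually sends, the SAMLRequest query parameter on the redirect to ADFS can be decoded and its requested authentication context inspected. The following is an added example, not code from the original post or from ServiceNow; the function names and the sample request (including its class reference) are constructed for illustration, and in the XML the element is named RequestedAuthnContext.

```python
import base64
import urllib.parse
import xml.etree.ElementTree as ET
import zlib

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"


def decode_redirect_request(saml_request: str) -> bytes:
    """Decode a SAMLRequest value (HTTP-Redirect binding): URL-decode, base64, raw DEFLATE."""
    raw = base64.b64decode(urllib.parse.unquote(saml_request))
    return zlib.decompress(raw, -15)  # -15 selects raw DEFLATE (no zlib header)


def inspect_authn_context(xml_bytes: bytes) -> dict:
    """Report the Comparison value and requested class refs of an AuthnRequest."""
    root = ET.fromstring(xml_bytes)  # input here is a capture from your own browser trace
    if root.tag != f"{{{SAMLP}}}AuthnRequest":
        raise ValueError("not a SAML 2.0 AuthnRequest")
    rac = root.find(f"{{{SAMLP}}}RequestedAuthnContext")
    if rac is None:  # no context requested: the IdP picks the method
        return {"comparison": None, "class_refs": [], "idp_can_choose": True}
    # SAML core: an omitted Comparison attribute is treated as "exact".
    comparison = rac.get("Comparison", "exact")
    refs = [e.text.strip()
            for e in rac.findall(f"{{{SAML}}}AuthnContextClassRef") if e.text]
    # "exact" with a single class pins the IdP to one authentication method.
    pinned = comparison == "exact" and len(refs) == 1
    return {"comparison": comparison, "class_refs": refs, "idp_can_choose": not pinned}


def encode_for_redirect(xml: str) -> str:
    """Helper used only to build the constructed sample the way a redirect carries it."""
    c = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = c.compress(xml.encode()) + c.flush()
    return urllib.parse.quote(base64.b64encode(deflated).decode(), safe="")


def sample_request(comparison: str = "") -> str:
    """Constructed AuthnRequest (not captured from a real instance)."""
    attr = f' Comparison="{comparison}"' if comparison else ""
    return (
        f'<samlp:AuthnRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}" '
        'ID="_constructed1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">'
        f'<samlp:RequestedAuthnContext{attr}><saml:AuthnContextClassRef>'
        'urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport'
        '</saml:AuthnContextClassRef></samlp:RequestedAuthnContext></samlp:AuthnRequest>'
    )
```

Running `inspect_authn_context` on a request captured before and after the ServiceNow change shows whether the Comparison value really changed and whether ADFS is left free to choose the method.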
If you are looking for a flexible authentication mechanism, then:
Look for the following line in the ServiceNow Script Object
and modify that to: