What is SAML

SAML (Security Assertion Markup Language) is an XML-based standard for web browser single sign-on (SSO) that removes the need for application-specific passwords. The identity provider issues digitally signed, short-lived XML assertions carrying authentication and authorization data to a service provider with which it has an established trust relationship; each assertion is meant to be accepted only once, so a captured assertion cannot be replayed after its validity window has passed.

Single sign on (SSO) Authentication

Suppose an application has been deployed at instance A, and a new deployment at instance B should accept the same login information as the first domain. In fact, more is wanted: users who are already logged in at instance A should already be logged in at instance B. This is what SSO is all about.

OKTA

Okta provides SSO to applications deployed in the cloud or on-premise, and supports mobile applications as well. After a user signs in to Okta, the applications can carry on with their actual functions without having to handle authentication themselves.

How SAML Works

SAML for web browser SSO involves three parties: the user, an identity provider (IdP), and a service provider (SP), here ServiceNow. The IdP keeps the user's identity in a directory such as Active Directory. The user connects to the SP and attempts to sign in. The SP uses the username only to determine which IdP is responsible for that user (in ServiceNow, via the user's SSO Source) and then redirects the browser to the IdP with a SAML authentication request; the password is never entered at the SP. The IdP authenticates the user against its own identity store and returns a signed SAML response to the SP's assertion consumer endpoint, containing an assertion with the user's identifier (NameID) and attributes. Before trusting it, the SP verifies the response: the signature against the IdP's certificate, that the issuer is the expected IdP, that the audience and recipient name this SP, that the assertion is within its validity window, and that the same assertion has not been presented before. Only then is the user given the access that their account in the application allows.
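The checks in the last two sentences above, written out as an added example that is not Okta or ServiceNow code. It parses a constructed SAML Response (no real tenant; the entity IDs, URLs and the user alice@example.com are placeholders) and applies the issuer, audience, recipient, validity-window, request-correlation and single-use checks. Signature verification, which needs an XML-DSig library and must run before any of this, is assumed to have already succeeded:

```python
"""Checks a SAML SP must make on an incoming Response after the signature has been verified.
Added example, not ServiceNow or Okta code; the XML Signature check itself (signxml or similar)
is assumed to have already passed and is not shown."""
import xml.etree.ElementTree as ET  # use defusedxml in production to block entity-expansion attacks
from datetime import datetime, timedelta, timezone

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Trust settings the SP holds for this IdP (hypothetical values). These mirror what the ServiceNow
# IdP record contains after metadata import plus the Entity ID / Audience URI fields filled by hand.
SP_CONFIG = {
    "idp_entity_id": "http://www.okta.com/exk0000000000000000",
    "sp_entity_id": "https://example.service-now.com",
    "acs_url": "https://example.service-now.com/consumer.do",
    "clock_skew": timedelta(seconds=60),
    "allow_idp_initiated": True,  # the "click the app tile in Okta" flow carries no InResponseTo
}

# Constructed SAML Response; the Signature element is omitted because it is assumed already verified.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T12:00:00.000Z" InResponseTo="_req1"
    Destination="https://example.service-now.com/consumer.do">
  <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00.000Z">
    <saml:Issuer>http://www.okta.com/exk0000000000000000</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData InResponseTo="_req1" NotOnOrAfter="2024-01-01T12:05:00.000Z"
            Recipient="https://example.service-now.com/consumer.do"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00.000Z" NotOnOrAfter="2024-01-01T12:05:00.000Z">
      <saml:AudienceRestriction><saml:Audience>https://example.service-now.com</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="LastName"><saml:AttributeValue>Example</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="Email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_time(value):
    """SAML timestamps are UTC ISO-8601 with a trailing Z; Okta's include milliseconds."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def validate_response(xml_text, config, outstanding_requests, seen_assertions, now):
    """Return (name_id, attributes) or raise ValueError. Consumes the request ID and records
    the assertion ID in the two sets passed in, which is what makes an assertion single-use."""
    def require(ok, reason):
        if not ok:
            raise ValueError(reason)

    skew = config["clock_skew"]
    root = ET.fromstring(xml_text)
    require(root.tag == "{%s}Response" % NS["samlp"], "not a SAML 2.0 Response")
    require(root.get("Destination") == config["acs_url"], "Destination is not our ACS URL")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    require(code is not None and code.get("Value") == SUCCESS, "IdP did not report Success")

    in_response_to = root.get("InResponseTo")
    if in_response_to is None:
        require(config["allow_idp_initiated"], "unsolicited response but IdP-initiated SSO is disabled")
    else:
        require(in_response_to in outstanding_requests, "InResponseTo matches no pending AuthnRequest")

    # Exactly one assertion, and it must be the one the signature covered: consuming an unsigned
    # assertion smuggled in beside the signed one is the classic XML signature-wrapping attack.
    assertions = root.findall("saml:Assertion", NS)
    require(len(assertions) == 1, "expected exactly one Assertion")
    assertion = assertions[0]
    require(assertion.findtext("saml:Issuer", namespaces=NS) == config["idp_entity_id"],
            "Issuer is not the trusted IdP")
    assertion_id = assertion.get("ID")
    require(assertion_id and assertion_id not in seen_assertions, "assertion ID already consumed (replay)")

    conditions = assertion.find("saml:Conditions", NS)
    require(conditions is not None, "Conditions missing")
    require(now + skew >= parse_time(conditions.get("NotBefore")), "assertion not yet valid")
    require(now - skew < parse_time(conditions.get("NotOnOrAfter")), "assertion expired")
    audiences = [a.text for a in conditions.findall("saml:AudienceRestriction/saml:Audience", NS)]
    require(config["sp_entity_id"] in audiences, "Audience does not name this SP")

    scd = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    require(scd is not None and scd.get("Recipient") == config["acs_url"], "Recipient is not our ACS URL")
    require(now - skew < parse_time(scd.get("NotOnOrAfter")), "subject confirmation expired")
    if in_response_to is not None:
        require(scd.get("InResponseTo") == in_response_to, "SubjectConfirmation InResponseTo mismatch")

    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    require(bool(name_id), "NameID missing")  # this is what ServiceNow matches against 'User Field'
    attributes = {attr.get("Name"): attr.findtext("saml:AttributeValue", namespaces=NS)
                  for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)}
    seen_assertions.add(assertion_id)
    outstanding_requests.discard(in_response_to)
    return name_id, attributes


NOW = datetime(2024, 1, 1, 12, 0, 30, tzinfo=timezone.utc)  # inside the sample's validity window


def run_demo():
    """Accept the response once, then show a replay and an expired presentation being refused."""
    pending, seen = {"_req1"}, set()
    results = {"first": validate_response(SAMPLE_RESPONSE, SP_CONFIG, pending, seen, NOW)}
    for label, seen_ids, now in (("replay", seen, NOW), ("expired", set(), NOW + timedelta(minutes=10))):
        try:
            validate_response(SAMPLE_RESPONSE, SP_CONFIG, {"_req1"}, seen_ids, now)
            results[label] = "accepted"
        except ValueError as exc:
            results[label] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "->", value)
```

The seen-assertion set is what enforces single use; in a real SP it lives in shared storage and its entries can be dropped once the assertion's NotOnOrAfter has passed, since the time check rejects them from then on.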

SAML SSO Authentication in ServiceNow using Okta

Okta Integration with ServiceNow

  • For demonstration purposes, an Okta trial account is provisioned and used.
  • Register an account in Okta at https://www.okta.com/free-trial

Set up SAML Application in Okta

  • Log in to the Okta organization as a user with administrative privileges.
  • Click on the “Admin” option.
  • Click on “Add Application”, then click the “Create New App” button.
  • In the new dialog, select the “SAML 2.0” option, then click the “Create” button.
  • In “General Settings”, enter the name of the application in the “App name” field, then click the “Next” button.
  • In “Configure SAML”, under “SAML Settings”, enter the ServiceNow instance URL in the “Single sign on URL”
    field.
  • Uncheck “Use this for Recipient URL and Destination URL” and enter the instance’s assertion consumer
    endpoint as the “Recipient URL” and “Destination URL”. These values are checked by ServiceNow against the
    Destination and Recipient in every response it receives, so they must match the instance exactly.
  • In the ‘Attribute Statements’ section, add three attribute statements:
    1. ‘FirstName’ set to ‘user.firstName’
    2. ‘LastName’ set to ‘user.lastName’
    3. ‘Email’ set to ‘user.email’
  • Click Next to continue.
  • In “Feedback”, two questions are presented:
    1. For “Are you a customer or partner?”, select “I’m an Okta customer adding an internal app”, and
    2. For “App type”, check the option “This is an internal app that we have created”.
  • Click Finish.
  • The ‘Sign On’ section of the newly created ‘Okta ServiceNow’ application appears. Click on ‘View Setup
    Instructions’.
  • Keep this page open in a separate tab or browser window. You will return to it later in this guide and
    copy the XML from ‘Provide the following IDP metadata to your SP provider’. This metadata carries Okta’s
    entity ID, its single sign-on endpoints and the certificate ServiceNow will use to verify assertion
    signatures.
  • Right-click on the ‘Assignments’ section of the ‘Okta ServiceNow’ application and select ‘Open Link In New Tab’
    (so that you can come back to the ‘Sign On’ section later).
  • Click on ‘Assign’ > ‘Assign to People’.
  • A pop-up for assigning the application to people opens.
  • Search for the username.
  • Click the ‘Assign’ button next to the user entry in the search result list.
  • Verify the details of the user to confirm.
  • Click ‘Save and Go Back’.
  • Click ‘Done’. Only assigned users can sign in to the application through Okta.
  • The next step is to configure SAML in ServiceNow.
    The tab opened earlier contains the XML metadata that is required to configure SAML in ServiceNow.

Configuring SAML with the Multi-Provider SSO Plugin

  • Log in to ServiceNow using System Administrator credentials.
  • The plugin ‘Integration – Multiple Provider Single Sign-On Installer’ needs to be activated first. Follow
    these steps:

    1. Navigate to System Definition > Plugins.
    2. Search for ‘Integration – Multiple Provider Single Sign-On Installer’ using the search bar.
    3. Select the plugin entry, right-click, and select Activate/Upgrade from the context menu.
  • With this, the Multiple Provider Single Sign-On plugin is activated.

Configure Single Sign-On settings for use in ServiceNow
  • Navigate to Multi-Provider SSO using the filter navigator.
  • Select the Identity Providers module.
  • Click New and select ‘SAML2 Update1’.
  • Click on Import IdP Metadata.
  • Click on XML and paste the XML metadata copied from the Okta application’s setup instructions.
  • Importing the XML creates the X.509 certificate record for Okta’s signing key and auto-populates the
    identity provider fields (the IdP’s entity ID and its single sign-on endpoints). ServiceNow verifies the
    signature on every assertion against this certificate, so it must come from the Okta metadata and not from
    an untrusted source.
  • Fill in the instance details ‘ServiceNow Homepage’, ‘Entity ID / Issuer’ and ‘Audience URI’ in the fields
    provided. These must match the values configured for the application in Okta; a mismatched Audience URI
    causes every assertion to be rejected.
  • In the Advanced tab, set ‘User Field’ = user_name. This is the sys_user column that the NameID in the
    assertion is matched against, so the value Okta sends as the NameID (by default the Okta username) must
    equal the ServiceNow user_name.
  • Click Save.
  • Navigate to Multi-Provider SSO > Administration > Properties from the filter navigator.
  • Mark the checkbox for the field ‘Enable multiple provider SSO’.
  • Click Save to save the configuration.
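What the ‘Import IdP Metadata’ step reads from the Okta XML, as an added example rather than ServiceNow’s own import code. The metadata is constructed in the shape Okta’s setup-instructions page shows; the entityID, tenant URL and certificate bytes are placeholders and not a real Okta tenant or key. It pulls out the entity ID, the single sign-on endpoints and the signing certificate fingerprint, and flags anything an administrator should not accept, such as an http:// endpoint or a missing signing key:

```python
"""Read SAML IdP metadata into the values an SP stores for the IdP, with sanity checks.
Added example, not ServiceNow's import code. SAMPLE_METADATA is constructed: the entityID,
tenant URL and certificate bytes are placeholders."""
import base64
import hashlib
import xml.etree.ElementTree as ET  # use defusedxml in production

MD = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# A minimal DER SEQUENCE standing in for the IdP's real signing certificate (it is not a certificate).
FAKE_CERT_B64 = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode()

SAMPLE_METADATA = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="http://www.okta.com/exk0000000000000000">
  <md:IDPSSODescriptor WantAuthnRequestsSigned="false"
      protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:X509Data><ds:X509Certificate>{FAKE_CERT_B64}</ds:X509Certificate></ds:X509Data>
      </ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-000000.okta.com/app/exk0000000000000000/sso/saml"/>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="https://dev-000000.okta.com/app/exk0000000000000000/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def extract_idp_settings(xml_text):
    """Return the entity ID, SSO endpoints per binding, signing-cert SHA-256 fingerprints,
    and a list of problems an administrator should resolve before activating the IdP."""
    root = ET.fromstring(xml_text)
    idp = root.find("md:IDPSSODescriptor", MD)
    if idp is None:
        raise ValueError("metadata has no IDPSSODescriptor: this is not identity provider metadata")
    problems = []

    entity_id = root.get("entityID")  # becomes the Issuer the SP expects in every assertion
    if not entity_id:
        problems.append("missing entityID")

    # One endpoint per binding; the SP sends its AuthnRequest to one of these.
    sso_urls = {}
    for svc in idp.findall("md:SingleSignOnService", MD):
        binding = svc.get("Binding", "").rsplit(":", 1)[-1]  # HTTP-POST / HTTP-Redirect
        location = svc.get("Location", "")
        if not location.startswith("https://"):
            problems.append(f"{binding} endpoint is not https: {location}")
        sso_urls[binding] = location
    if not sso_urls:
        problems.append("no SingleSignOnService endpoints")

    # Signing certificates: the SP must verify assertion signatures with these and nothing else.
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", MD):
        if kd.get("use", "signing") != "signing":  # an absent 'use' means any use, including signing
            continue
        for cert in kd.findall("ds:KeyInfo/ds:X509Data/ds:X509Certificate", MD):
            der = base64.b64decode("".join((cert.text or "").split()))
            if not der or der[0] != 0x30:  # DER certificates start with an ASN.1 SEQUENCE tag
                problems.append("X509Certificate is not DER-encoded")
                continue
            fingerprints.append(":".join(f"{b:02X}" for b in hashlib.sha256(der).digest()))
    if not fingerprints:
        problems.append("no signing certificate: assertion signatures could not be verified")

    return {"entity_id": entity_id, "sso_urls": sso_urls,
            "signing_cert_sha256": fingerprints, "problems": problems}


if __name__ == "__main__":
    for key, value in extract_idp_settings(SAMPLE_METADATA).items():
        print(key, "->", value)
```

The fingerprint is what to compare against the certificate shown in the Okta admin console before clicking Activate; if the two differ, the pasted metadata did not come from your Okta tenant.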

ServiceNow User Configuration with Okta SSO

  • Navigate to the Users form using the filter navigator.
  • Select any user entry and open the user details.
  • Click the menu button and select Configure > Form Design.
  • Drag the ‘SSO Source’ field onto the User form.
  • Save the form design and close the tab.
  • Navigate back to the User form in the previous tab.
  • Select the user entry and open the user details.
  • In the SSO Source field, enter sso:<sys_id>, where <sys_id> is the sys_id of the Identity Provider record created with the Multi-Provider SSO plugin. This is how ServiceNow decides which IdP a user is redirected to.
  • Click Update.
  • Navigate to Multi-Provider SSO > Identity Providers using the filter navigator.
  • Open the IdP record and click Test Connection. Sign in to Okta with the credentials of the assigned user; once the test succeeds, click the Activate button to activate the Identity Provider.
  • If Test Connection reports an error, the IdP cannot be activated.

Testing:

  • Sign in to Okta with the account assigned earlier.
  • Click the created ‘Okta ServiceNow’ application tile. This is an IdP-initiated login: Okta posts the
    assertion to the ServiceNow instance and redirects you there.

Your users can also use SP-initiated SAML with ServiceNow in two ways:

  • Using the ‘Use external login’ option on the ServiceNow login page, which asks for the username, looks up
    its SSO Source and redirects to Okta for authentication.
  • Or, a URL of the form https://[ServiceNowInstance]/login_with_sso.do?glide_sso_id=<> using the sys_id of
    the Identity Provider record. Because the sys_id is not something users have at hand, this form is an
    exception rather than the standard route.
