ServiceNow

Before You Begin

Introduction

This document describes how to configure Oracle Identity Cloud Service to provide Single Sign-On (SSO) and user provisioning for ServiceNow.

About ServiceNow

ServiceNow is a Software-as-a-Service (SaaS) solution used for providing service management for every department in the enterprise including IT, human resources, facilities, field service, and more.

After integrating ServiceNow with Oracle Identity Cloud Service:

  • Users can access ServiceNow using their Oracle Identity Cloud Service login credentials.
  • Users can launch ServiceNow using the Oracle Identity Cloud Service My Apps console.
  • Admins can assign and revoke user access to the ServiceNow app using the Oracle Identity Cloud Service administration console.

What Do You Need?

  • An Oracle Identity Cloud Service account with authorization rights to manage apps and users (Identity Domain Administrator or Application Administrator).
  • A ServiceNow account with authorization rights to configure federated authentication and user provisioning.
  • Make sure that the Username of each user in ServiceNow matches the Username of the Oracle Identity Cloud Service account.

Obtaining Tenant, IDCS Domain, and Instance ID

A dedicated Tenant, IDCS domain, and Instance ID are required before you can register and activate the ServiceNow app.

  1. The tenant and IDCS Domain values appear in the Oracle Identity Cloud Service My Profile console URL: https://<IDCS_Service_Instance>.<identity.oraclecloud.com>/ui/v1/myconsole.

    Note: Use the value entered for <IDCS_Service_Instance> as Tenant, and the value entered for <identity.oraclecloud.com> as IDCS Domain during ServiceNow registration in the "Registering and Activating the ServiceNow App" section.

  2. Access ServiceNow as an administrator using the URL: https://developer.servicenow.com/. The ServiceNow developers home page appears.

  3. Under the My Instance section, make note of the instance ID value from the URL field: https://<Instance_ID>.service-now.com/.

    Note: Use the instance ID value while registering and activating the ServiceNow app in Oracle Identity Cloud Service. See the "Registering and Activating the ServiceNow App" section.

Configuring ServiceNow in Oracle Identity Cloud Service

Use this section to register and activate ServiceNow, and to enable provisioning and synchronization for ServiceNow.

Registering and Activating the ServiceNow App

  1. Access the Oracle Identity Cloud Service administration console, select Applications, and then click Add.

  2. Click App Catalog.

  3. Search for ServiceNow, and then click Add.

  4. In the App Details section, enter your ServiceNow Instance ID, Tenant, and IDCS Domain, and then click Next.

    Note: These are the values that you obtained while performing the steps in the "Obtaining Tenant, IDCS Domain, and Instance ID" section.

  5. Click Download Identity Provider Metadata. To learn about other methods you can use to access SAML metadata, see Access SAML Metadata.

    Tip: Use this file later during the ServiceNow configuration in the "Configuring SSO" section.

  6. Click Next. Oracle Identity Cloud Service displays the Provisioning page.
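A check you can run on the downloaded Identity Provider metadata before pasting it into ServiceNow, as an added example (not Oracle or ServiceNow code). It verifies that the SSO and SLO endpoints use HTTPS on your own IDCS host, that the unspecified NameID format configured later in ServiceNow is among the advertised formats, and it fingerprints the signing certificate. Assumptions: the function name is hypothetical, the endpoints are expected on the host <Tenant>.<IDCS Domain>, and the sample metadata (host, paths, certificate bytes) is constructed.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD = "{urn:oasis:names:tc:SAML:2.0:metadata}"
DS = "{http://www.w3.org/2000/09/xmldsig#}"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
# Constructed sample: host, paths and certificate bytes are placeholders.
SAMPLE_METADATA = """<md:EntityDescriptor
    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#"
    entityID="https://idcs-example.identity.oraclecloud.com/constructed">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</md:NameIDFormat>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
    Location="https://idcs-example.identity.oraclecloud.com/constructed/sso"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def check_idp_metadata(xml_text, tenant, idcs_domain):
    """Return (findings, SHA-256 fingerprints of the IdP signing certificates)."""
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["metadata declares a DTD or entity; not parsed"], []
    idp = ET.fromstring(xml_text).find(MD + "IDPSSODescriptor")
    if idp is None:
        return ["no IDPSSODescriptor element"], []
    findings, prints = [], []
    expected_host = f"{tenant}.{idcs_domain}".lower()  # assumption: same host as the console
    sso = idp.findall(MD + "SingleSignOnService")
    if not sso:
        findings.append("no SingleSignOnService endpoint")
    for ep in sso + idp.findall(MD + "SingleLogoutService"):
        url = urlparse(ep.get("Location", ""))
        if url.scheme != "https" or url.hostname != expected_host:
            findings.append(f"unexpected endpoint: {ep.get('Location')}")
    formats = [(e.text or "").strip() for e in idp.findall(MD + "NameIDFormat")]
    if formats and UNSPECIFIED not in formats:
        findings.append("unspecified NameID format not advertised")
    for kd in idp.findall(MD + "KeyDescriptor"):
        if kd.get("use") in (None, "signing"):  # no 'use' means both purposes
            for cert in kd.iter(DS + "X509Certificate"):
                der = base64.b64decode("".join((cert.text or "").split()))
                prints.append(hashlib.sha256(der).hexdigest())
    if not prints:
        findings.append("no signing certificate in metadata")
    return findings, prints
```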

Enabling Provisioning and Synchronization for ServiceNow

Use this section to enable provisioning and synchronization for managing user accounts in ServiceNow through Oracle Identity Cloud Service.

Enabling Provisioning

  1. On the Provisioning page, select Enable Provisioning.

  2. Enter the Administrator Username and Administrator Password.

  3. Click Test Connectivity. A success message is displayed stating that the connection is successful.

  4. To view predefined attribute mappings between the user account fields defined in ServiceNow and the corresponding fields defined in Oracle Identity Cloud Service, click Attribute Mapping, and then click OK.

    Note: To add a new attribute for provisioning, click Add Row, specify the attributes in the User and ServiceNow Account columns, and then click OK. For example, if you want to add the External ID field, enter $(user.externalId) in the User column, and then select the corresponding field from the drop-down list in the ServiceNow Account column.

  5. Specify the provisioning operations that you want to enable for ServiceNow:

    Note: By default, the Create Account, Update Account, De-activate Account, and Delete Account check boxes are selected.

    Create Account: Automatically creates a ServiceNow account when ServiceNow access is granted to the corresponding user in Oracle Identity Cloud Service.

    Update Account: Automatically updates a ServiceNow account when the corresponding user account is edited in Oracle Identity Cloud Service.

    De-activate Account: Automatically deactivates or activates a ServiceNow account when the ServiceNow access is deactivated or activated for the corresponding user in Oracle Identity Cloud Service.

    Delete Account: Automatically removes an account from ServiceNow when ServiceNow access is revoked from the corresponding user in Oracle Identity Cloud Service.

Enabling Synchronization

  1. On the Provisioning page, select Enable Synchronization.

  2. From the User Identifier drop-down list, select the Oracle Identity Cloud Service user attribute that you want to match with the corresponding record fetched from ServiceNow:

    Note: By default, the User Name option is selected from the drop-down list. It is recommended to leave this default attribute for accurate synchronization of user records.

    Primary Email Address: Primary email address of the Oracle Identity Cloud Service user.

    User Name: User name of the Oracle Identity Cloud Service user.

  3. To match a ServiceNow account attribute with the existing Oracle Identity Cloud Service user, select an attribute from the Application Identifier drop-down list.

    Note: By default, the name option, which represents the Email attribute of the ServiceNow account, is selected. It is recommended not to change this default option.

  4. From the When exact match is found drop-down list, select one of the following actions to be performed when a matching Oracle Identity Cloud Service user is found for an account:

    Link and confirm: Automatically links and confirms the matched account to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields.

    Link but do not confirm: Automatically links all the matched accounts to the corresponding Oracle Identity Cloud Service users based on the defined User Identifier and Application Identifier fields. You need to manually confirm the linked accounts.

  5. In the Max. number of creates field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be created during the synchronization run.

  6. In the Max. number of deletes field, enter a number that is greater than or equal to 10. This value limits the number of accounts to be deleted during the synchronization run.

    After enabling provisioning and synchronization for ServiceNow, you can synchronize the existing account details from ServiceNow and link them to the corresponding Oracle Identity Cloud Service users. For more information on performing synchronization tasks, see the Importing User Accounts from a Software as a Service Application section in Administering Oracle Identity Cloud Service.

    You can also manage ServiceNow accounts through Oracle Identity Cloud Service. For more information on performing provisioning tasks, see the Managing Oracle Identity Cloud Service Users and Managing Oracle Identity Cloud Service Groups sections in Administering Oracle Identity Cloud Service.

  7. Click Finish, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Configuring SSO for ServiceNow

Use this section to install and activate the plugins, and then configure SSO for ServiceNow.

Installing and Activating a Plugin for ServiceNow

  1. Access ServiceNow as an administrator using the URL: https://<Instance_ID>.service-now.com/. The ServiceNow home page appears.

  2. In the left navigation menu, search for and click Plugins under System Definition.

    Image img1.png displays the left navigation menu with the search box and Plugins highlighted.

  3. On the System Plugins page, search for and select Integration - Multiple Provider Single Sign-On Installer.

    Image img2.png displays the Plugins window with the Integration - Multiple Provider Single Sign-On Installer plugin and the Inactive status highlighted.

  4. On the System Plugin Integration - Multiple Provider Single Sign-On Installer page, under the Related Links section, click the Activate/Upgrade link. The Activate Plugin dialog box appears.

  5. Click Activate. The plugin gets activated and the Plugin Activation Success dialog box appears.

  6. Click Close & Reload Form on the Plugin Activation dialog box.

Configuring SSO

  1. In the left navigation menu, search for Multi-Provider SSO, locate and click Properties under Administration. The Multiple Provider SSO Properties page appears.

  2. Select the Enable multiple provider SSO, Enable Auto Importing of users from all identity providers into the user table, and Enable debug logging for the multiple provider SSO integration check boxes, and then click Save. A message is displayed stating that the properties are updated.

    Image img3.png displays the left navigation menu with Multi Provider SSO in the search box, an arrow pointing to Multi-Provider SSO in the navigation menu, and an arrow pointing to Properties in the navigation menu. The fields mentioned in the step above appear to the right of the navigation menu and the Save button is highlighted.

  3. In the left navigation menu, click Identity Providers under Multi-Provider SSO. The Identity Providers page appears.

  4. Click New. The Identity Providers page displays the What kind of SSO are you trying to create? section.

    Image img4.png displays the ServiceNow Identity Providers window with Identity Providers and the New button highlighted.

  5. Click SAML. The Import Identity Provider Metadata dialog box appears.

  6. Select the XML option, paste the Oracle Identity Cloud Service metadata, and then click Import.

    Note: This is the metadata file downloaded while performing the steps in the "Registering and Activating the ServiceNow App" section.

  7. On the Identity Provider page, locate and replace the NameID Policy value with the following: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

  8. Locate and click the User Provisioning tab, and select the Auto Provisioning User check box.

    Note: When the Auto Provisioning User check box is not selected, make sure that the Username of each user in ServiceNow matches the Username of the corresponding Oracle Identity Cloud Service account.

  9. Click the Advanced tab, and enter user_name in the User Field text box.

  10. Select the Create AuthnContextClass check box.

  11. In the upper-right corner, click Test Connection. A new pop-up window appears and you are redirected to the Oracle Identity Cloud Service login page.

  12. Log in using credentials for a user that is assigned to the ServiceNow app. A list of success validation messages appears.

  13. Locate and click Activate. You are redirected to the ServiceNow Identity Providers page.

Verifying the Integration

Use this section to verify that SSO works when initiated from Oracle Identity Cloud Service (IdP initiated SSO) and SLO works when initiated from ServiceNow (SP initiated SLO).

Verifying Identity Provider Initiated SSO from Oracle Identity Cloud Service

  1. Access the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

  2. Log in using credentials for a user that is assigned to the ServiceNow app. Oracle Identity Cloud Service displays a shortcut to ServiceNow under My Apps.

  3. Click ServiceNow. The ServiceNow home page appears.

  4. In the upper-right corner of the ServiceNow home page, confirm that the user that is logged in is the same for both ServiceNow and Oracle Identity Cloud Service.

    This confirms that SSO that is initiated from Oracle Identity Cloud Service works.

Verifying Single Log-Out (SLO) from ServiceNow

  1. Access the Oracle Identity Cloud Service My Profile console using the URL: https://<IDCS-Service-Instance>.identity.oraclecloud.com/ui/v1/myconsole.

  2. Log in using credentials for a user that is assigned to the ServiceNow app. Oracle Identity Cloud Service displays a shortcut to ServiceNow under My Apps.

  3. Click ServiceNow. The ServiceNow home page appears.

  4. On the ServiceNow home page, click the user name in the upper-right corner, and then select Logout from the drop-down list. A success message appears.

    Note: If the user has already logged in to Oracle Identity Cloud Service My Profile console in the browser, that session is logged out, and then the Oracle Identity Cloud Service login page appears.

    This confirms that SLO that is initiated from ServiceNow works.

Troubleshooting

Use this section to locate solutions to common integration issues.

Known Issues

ServiceNow displays the message, "User: <User_name> not found"

Cause: The user name attribute sent by Oracle Identity Cloud Service during SSO doesn't match any existing user in ServiceNow.

Solution: Ensure that the user that you assign to the ServiceNow app has an account in both Oracle Identity Cloud Service and ServiceNow with the same user name. Alternatively, enable the Auto Provisioning User check box under the User Provisioning tab of the Identity Provider page in ServiceNow.
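A pre-flight comparison of the two user lists that predicts this error before users hit it, as an added example (not Oracle or ServiceNow code). It assumes ServiceNow compares user names as exact strings, so it separates true matches from near misses that differ only in case or surrounding whitespace, and it also lists ServiceNow accounts that no Oracle Identity Cloud Service user maps to, which stay outside the assign and revoke controls described earlier. The function name and both sample lists are constructed.

```python
from collections import defaultdict

# Constructed sample exports; real lists would come from each system's user export.
IDCS_USERS = ["alice.ng", "Bob.Lee", "carol.diaz", "dave.kim"]
SERVICENOW_USERS = ["alice.ng", "bob.lee", "carol.diaz ", "admin", "Admin"]


def reconcile(idcs_users, servicenow_users):
    """Predict the SSO lookup result per user (assumes exact string comparison)."""
    exact = set(servicenow_users)
    folded = defaultdict(set)  # normalised name -> ServiceNow spellings seen
    for name in servicenow_users:
        folded[name.strip().casefold()].add(name)

    report = {"match": [], "near_miss": {}, "not_found": [],
              "ambiguous": {}, "unmanaged": []}
    covered = set()
    for user in idcs_users:
        key = user.strip().casefold()
        covered.add(key)
        if user in exact:
            report["match"].append(user)
        elif key in folded:
            # Would raise "User: <User_name> not found" unless one side is renamed.
            report["near_miss"][user] = sorted(folded[key])
        else:
            report["not_found"].append(user)

    for key, spellings in folded.items():
        if len(spellings) > 1:
            # Several ServiceNow accounts collapse to one name: fix before linking.
            report["ambiguous"][key] = sorted(spellings)
        if key not in covered:
            # No IDCS counterpart: the account is not governed by IDCS assignment.
            report["unmanaged"].extend(sorted(spellings))
    return report


if __name__ == "__main__":
    for bucket, value in reconcile(IDCS_USERS, SERVICENOW_USERS).items():
        print(bucket, value)
```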

Oracle Identity Cloud Service displays the message, "You are not authorized to access the app. Contact your system administrator."

Cause 1: The SAML 2.0 integration between the Oracle Identity Cloud Service ServiceNow app and ServiceNow is deactivated.

Solution 1:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select ServiceNow.
  • In the App Details section, click Activate, and then click Activate Application. Oracle Identity Cloud Service displays a confirmation message.

Cause 2: The administrator revokes access for the user at the same time that the user tries to access the ServiceNow app using Oracle Identity Cloud Service.

Solution 2:

  • Access the Oracle Identity Cloud Service administration console, select Applications, and then select ServiceNow.
  • In the App Details section, select Users, and then click Assign to re-assign the user.

Unknown Issues

For unknown issues, contact Oracle Support:

  1. Go to https://support.oracle.com.

  2. Select Cloud Support, and then sign in with your support credentials.

  3. In the Cloud Dashboard, confirm that there are no planned outages in Oracle Identity Cloud Service, and then click Create Service Request.

  4. Select Oracle Identity Cloud Service as the service type.

  5. Complete your service request.