
Tutorial: Azure AD integration with ServiceNow

Published: November 21, 2013

Updated: December 4, 2014

Applies To: Azure


The objective of this tutorial is to show the integration of Azure and ServiceNow. The scenario outlined in this tutorial assumes that you already have the following items:

  • A valid Azure subscription

  • A tenant in ServiceNow

The scenario outlined in this tutorial consists of the following building blocks:

  1. Enabling the application integration for ServiceNow

  2. Configuring single sign-on

  3. Configuring user provisioning

  4. Assigning users

Scenario

Enabling the application integration for ServiceNow

The objective of this section is to outline how to enable the application integration for ServiceNow.

  1. In the Azure Management Portal, on the left navigation pane, click Active Directory.

    [Screenshot: Active Directory]

  2. From the Directory list, select the directory for which you want to enable directory integration.

  3. To open the applications view, in the directory view, click Applications in the top menu.

    [Screenshot: Applications]

  4. Click Add at the bottom of the page.

    [Screenshot: Add application]

  5. On the What do you want to do dialog, click Add an application from the gallery.

    [Screenshot: Add an application from gallery]

  6. In the search box, type ServiceNow.

    [Screenshot: ServiceNow]

  7. In the results pane, select ServiceNow, and then click Complete to add the application.

    [Screenshot: ServiceNow]

Configuring single sign-on

The objective of this section is to outline how to enable users to authenticate to ServiceNow with their account in Azure AD, using federation based on the SAML protocol. As part of this procedure, you are required to upload a certificate to ServiceNow.com.

Important
In order to be able to configure single sign-on on your ServiceNow tenant, you first need to contact ServiceNow technical support to get this feature enabled.

  1. In the Azure AD portal, on the ServiceNow application integration page, click Configure single sign-on to open the Configure Single Sign On dialog.

    [Screenshot: Configure single sign-on]

  2. On the How would you like users to sign on to ServiceNow page, select Windows Azure AD Single Sign-On, and then click Next.

    [Screenshot: Windows Azure AD Single Sign-on]

  3. On the Configure App URL page, in the ServiceNow Sign In Url textbox, type your URL using the following pattern "https://<InstanceName>.servicenow.com", and then click Next.

    [Screenshot: Configure app URL]

  4. On the Configure single sign-on at ServiceNow dialog page, perform the following steps:

    [Screenshot: Configure single sign-on]

    1. Click Download certificate, and then save the certificate file locally as c:\ServiceNow.cer

    2. Right-click the certificate, and then select Open to open the Open File dialog.

    3. Click Open to open the Certificate dialog.

    4. Click the Details tab.

    5. On the Details tab, click Copy to File to open the Certificate Export Wizard.

    6. On the Welcome to the Certificate Export Wizard page, click Next.

    7. On the Export File Format dialog page, click Base-64 encoded X.509 (.CER), and then click Next.

    8. On the File to Export dialog page, in the File name textbox, type c:\ServiceNow64.cer.

    9. Click Next to open the Completing the Certificate Export Wizard dialog page.

    10. Click Finish to export the certificate.

    11. Click OK to close the Welcome to the Certificate Export Wizard.

  5. In your ServiceNow tenant, on the navigation bar at the left side, click Properties to open the SAML 2.0 Single Sign on properties page.

  6. On the SAML 2.0 Single Sign-on properties page, perform the following steps:

    1. Select Yes as Enable external authentication.

    2. In The Identity Provider URL which will issue the SAML2 security token with user info textbox, type https://login.windows.net/<your tenant’s GUID>/.

    3. In The base URL to the Identity Provider’s AuthnRequest service textbox, type https://login.windows.net/<your tenant’s GUID>/saml2.

    4. In The base URL to the Identity Provider’s SingleLogoutRequest service textbox, type https://login.windows.net/<your tenant’s GUID>/saml2.

    5. In The protocol binding for the Identity Provider’s SingleLogoutRequest service, type urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect.

    6. Select Yes as Sign LogoutRequest.

    7. In the When SAML 2.0 single sign-on fails because the session is not authenticated, or this is the first login, redirect to this URL textbox, type https://login.windows.net/<your tenant’s GUID>/saml2.

  7. In the Service Provider (Service-Now) properties section, perform the following steps:

    1. In The URL to Service-now instance homepage textbox, type the URL to your ServiceNow instance homepage. The URL of the ServiceNow instance homepage is a concatenation of your ServiceNow tenant URL and "/navpage.do": https://<InstanceName>.service-now.com/navpage.do

      [Screenshot: ServiceNow instance homepage]
    2. In The entity identification, or the issuer textbox, type the URL of your tenant.

    3. In The audience uri that accepts SAML2 token textbox, type the URL of your tenant.

    4. In The User table field to match with the Subject’s NameID element in the SAMLResponse textbox, type user_name.

    5. In The NameID policy to use for returning the Subject’s NameID in the SAMLResponse textbox, type urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

    6. Leave Create an AuthnContextClass request in the AuthnRequest statement unchecked.

    7. In The AuthnContextClassRef method that will be included in our SAML 2.0 AuthnRequest to the Identity Provider, type http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password.

  8. In the Advanced settings section perform the following steps:

    1. In The number in seconds before “notBefore” constraint, or after “notOnOrAfter” constraint to consider still valid textbox, type 60.

  9. To save the configuration, click Save.

  10. On the navigation bar at the left side, click Certificate to open the Certificate page.

  11. To upload your certificate, on the certificate page, perform the following steps:

    1. Click New.

    2. In the Name textbox, type SAML 2.0.

    3. Select Active.

    4. Select PEM as Format.

    5. In Notepad, open c:\ServiceNow64.cer, and then copy the content of this file into the clipboard.

    6. Paste the content of your clipboard into PEM Certificate textbox.

    7. Click Submit.

  12. On the Azure AD portal, select the single sign-on configuration confirmation, and then click Complete to close the Configure Single Sign On dialog.

    [Screenshot: Configure single sign-on at ServiceNow]
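The ServiceNow-side values entered in steps 6 to 8 (the identity provider URL as issuer, your tenant URL as audience, the unspecified NameID format matched against user_name, and the 60-second tolerance around notBefore/notOnOrAfter) are precisely the conditions ServiceNow's SAML plugin evaluates on every SAMLResponse. The Python script below is an added illustration, not part of this tutorial nor code from Microsoft or ServiceNow: it replays those checks on a constructed assertion and also performs the DER-to-PEM conversion from step 4 with the standard library, so the Base-64 file for step 11 can be produced without the export wizard. The tenant GUID, instance name, certificate bytes and assertion are placeholders. The XML signature is not cryptographically verified here; only the binding of the embedded signing certificate to the uploaded one is checked, by thumbprint.

```python
import base64
import hashlib
import ssl
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Placeholders standing in for the values typed into the ServiceNow properties page.
TENANT_GUID = "00000000-0000-0000-0000-000000000000"        # placeholder, not a real tenant
INSTANCE = "myinstance"                                      # placeholder instance name
IDP_ISSUER = f"https://login.windows.net/{TENANT_GUID}/"     # step 6.2: identity provider URL
SP_ENTITY_ID = f"https://{INSTANCE}.service-now.com"         # steps 7.2 and 7.3: entity id / audience
NAMEID_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"  # step 7.5
CLOCK_SKEW = timedelta(seconds=60)                           # step 8.1: tolerance around the validity window

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed stand-in for the DER bytes of c:\ServiceNow.cer (not a real certificate).
FAKE_CERT_DER = b"\x30\x82\x01\x04" + bytes(range(256))


def der_to_pem(der: bytes) -> str:
    """What the Certificate Export Wizard's Base-64 encoded X.509 (.CER) option produces."""
    return ssl.DER_cert_to_PEM_cert(der)


def pem_round_trips(der: bytes) -> bool:
    """True when the PEM text decodes back to the same DER bytes, i.e. it is safe to paste into the PEM Certificate box."""
    return ssl.PEM_cert_to_DER_cert(der_to_pem(der)) == der


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint, the value shown on the certificate's Details tab."""
    return hashlib.sha1(der).hexdigest().upper()


def parse_saml_time(value: str) -> datetime:
    """SAML timestamps are UTC, with or without fractional seconds."""
    fmt = "%Y-%m-%dT%H:%M:%S.%fZ" if "." in value else "%Y-%m-%dT%H:%M:%SZ"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def utc(*parts) -> datetime:
    """Convenience constructor for a UTC instant used as 'now'."""
    return datetime(*parts, tzinfo=timezone.utc)


def build_sample_assertion(audience: str = SP_ENTITY_ID, cert_der: bytes = FAKE_CERT_DER) -> str:
    """Constructed assertion in the shape Azure AD issues; the SignatureValue is a dummy."""
    cert_b64 = base64.b64encode(cert_der).decode()
    return f"""<saml:Assertion xmlns:saml="{NS['saml']}" xmlns:ds="{NS['ds']}" Version="2.0" ID="_sample" IssueInstant="2014-12-04T10:00:00Z">
  <saml:Issuer>{IDP_ISSUER}</saml:Issuer>
  <ds:Signature><ds:SignatureValue>ZHVtbXk=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>{cert_b64}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
  <saml:Subject><saml:NameID Format="{NAMEID_FORMAT}">alice</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-12-04T10:00:00Z" NotOnOrAfter="2014-12-04T10:05:00Z">
    <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def check_assertion(xml_text: str, trusted_der: bytes, now: datetime) -> list:
    """Return the reasons the assertion would be rejected; an empty list means it passes every check."""
    problems = []
    a = ET.fromstring(xml_text)

    issuer = (a.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != IDP_ISSUER:
        problems.append(f"issuer {issuer!r} is not the configured identity provider URL")

    name_id = a.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        problems.append("no NameID value to match against the user_name field")
    elif name_id.get("Format") != NAMEID_FORMAT:
        problems.append(f"unexpected NameID format {name_id.get('Format')!r}")

    cond = a.find("saml:Conditions", NS)
    if cond is None or cond.get("NotBefore") is None or cond.get("NotOnOrAfter") is None:
        problems.append("assertion lacks a validity window")
    else:
        audiences = [e.text.strip() for e in cond.findall("saml:AudienceRestriction/saml:Audience", NS) if e.text]
        if SP_ENTITY_ID not in audiences:
            problems.append(f"audience {audiences} does not include this instance {SP_ENTITY_ID!r}")
        if now < parse_saml_time(cond.get("NotBefore")) - CLOCK_SKEW:
            problems.append("assertion is not yet valid even with the 60 s tolerance")
        if now >= parse_saml_time(cond.get("NotOnOrAfter")) + CLOCK_SKEW:
            problems.append("assertion has expired even with the 60 s tolerance")

    cert_b64 = a.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", default="", namespaces=NS)
    if thumbprint(base64.b64decode(cert_b64 or "")) != thumbprint(trusted_der):
        problems.append("signing certificate is not the one uploaded on the Certificate page")
    return problems


if __name__ == "__main__":
    print(der_to_pem(FAKE_CERT_DER))
    print(check_assertion(build_sample_assertion(), FAKE_CERT_DER, utc(2014, 12, 4, 10, 2, 0)))
```

The audience and issuer checks are why steps 6.2, 7.2 and 7.3 must hold the exact tenant and instance URLs: an assertion issued for a different tenant or a different instance fails those comparisons even when its signature is valid. The 60-second window from step 8.1 is applied on both edges of the validity period, so a small clock difference between Azure AD and the instance does not cause spurious sign-on failures, while an assertion replayed minutes later is still refused.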

Configuring user provisioning

The objective of this section is to outline how to enable user provisioning of Active Directory user accounts to ServiceNow.

  1. In the Azure Management Portal, on the ServiceNow application integration page, click Configure user provisioning to open the Configure User Provisioning dialog.

    [Screenshot: User provisioning]

  2. On the Enter your ServiceNow credentials to enable automatic user provisioning page, provide the following configuration settings:

    [Screenshot: Configure User Provisioning]

    1. In the ServiceNow Instance Name textbox, type the ServiceNow instance name.

    2. In the ServiceNow Admin User Name textbox, type the name of the ServiceNow admin account.

    3. In the ServiceNow Admin Password textbox, type the password for this account.

    4. Click Validate to verify your configuration.

    5. Click the Next button to open the Next steps page.

    6. If you want to provision all users to this application, select "Automatically provision all user accounts in the directory to this application".

      [Screenshot: Next Steps]

  3. On the Next steps page, click Complete to save your configuration.

Assigning users

To test your configuration, you need to grant access to the Azure AD users whom you want to allow to use your application, by assigning them to it.

  1. In the Azure AD portal, create a test account.

  2. On the ServiceNow application integration page, click Assign users.

    [Screenshot: Assign users]

  3. Select your test user, click Assign, and then click Yes to confirm your assignment.

    [Screenshot: Yes]

You should now wait 10 minutes and then verify that the account has been synchronized to ServiceNow.

If you want to test your single sign-on settings, open the Access Panel. For more details about the Access Panel, see Introduction to the Access Panel.

© 2014 Microsoft