
Tutorial: Azure AD integration with ServiceNow

Published: November 21, 2013

Updated: June 29, 2014

Applies To: Azure

For more information about this topic, see Best Practices for Managing the Application access enhancements for Windows Azure Active Directory.

The objective of this tutorial is to show the integration of Windows Azure and ServiceNow. The scenario outlined in this tutorial assumes that you already have the following items:

  • A valid Windows Azure subscription

  • A tenant in ServiceNow

The scenario outlined in this tutorial consists of the following building blocks:

  1. Enabling the application integration for ServiceNow

  2. Configuring user provisioning

  3. Configuring single sign-on

The objective of this section is to outline how to enable the application integration for ServiceNow.

  1. In the Windows Azure Management Portal, on the left navigation pane, click Active Directory.

  2. From the Directory list, select the directory for which you want to enable directory integration.

  3. To open the applications view, in the directory view, click Applications in the top menu.

  4. To open the Application Gallery, click Add An App, and then click Add an application for my organization to use.

  5. In the search box, type ServiceNow.

  6. In the results pane, select ServiceNow, and then click Complete to add the application.


The objective of this section is to outline how to enable user provisioning of Active Directory user accounts to ServiceNow.
As part of this procedure, you are required to provide a ServiceNow instance name.

The following screenshot shows an example of the related dialog in Windows Azure AD:

Configure User Provisioning

  1. In the Windows Azure Management Portal, on the ServiceNow application integration page, click Configure user provisioning to open the Configure User Provisioning dialog.

  2. On the Enter your ServiceNow credentials to enable automatic user provisioning page, provide the following configuration settings:

    1. In the ServiceNow Instance Name textbox, type the ServiceNow instance name.

    2. In the ServiceNow Admin User Name textbox, type the name of the ServiceNow admin account.

    3. In the ServiceNow Admin Password textbox, type the password for this account.

    4. Click validate to verify your configuration.

    5. Click the Next button to open the Next steps page.

    6. If you want to provision all users to this application, select “Automatically provision all user accounts in the directory to this application”.

  3. On the Next steps page, click Complete to save your configuration.

If you did not select “Automatically provision all user accounts in the directory to this application” while configuring user provisioning, you can now create a test account, assign this account, wait 10 minutes, and then verify that the account has been synchronized to ServiceNow.

The objective of this section is to outline how to enable users to authenticate to ServiceNow with their account in Windows Azure AD using federation based on the SAML protocol.
As part of this procedure, you are required to upload a certificate to ServiceNow.com.

The following screenshot shows an example of the related dialog in Windows Azure AD:

Configure single sign-on

Important
To configure single sign-on for your ServiceNow tenant, you must first contact ServiceNow technical support to get this feature enabled.

  1. In the Windows Azure AD portal, on the ServiceNow application integration page, click Configure single sign-on to open the Configure Single Sign On dialog.

  2. On the Select the single sign-on mode for this app page, select Users authenticate with their account in Windows Azure AD, and then click Next to open the Configure App URL page.

  3. In the ServiceNow reply URL textbox, type the ServiceNow reply URL.
    The ServiceNow reply URL is a concatenation of your ServiceNow tenant URL and “/navpage.do”:
    https://<InstanceName>.service-now.com/navpage.do

  4. Click Download certificate, and then save the certificate file locally as c:\ServiceNow.cer.

  5. Right-click the certificate, and then select Open to open the Open File dialog.

  6. Click Open to open the Certificate dialog.

  7. Click the Details tab.

  8. On the Details tab click Copy to File to open the Certificate Export Wizard.

  9. On the Welcome to the Certificate Export Wizard page, click Next.

  10. On the Export File Format dialog page, click Base-64 encoded X.509 (.CER), and then click Next.

  11. On the File to Export dialog page, in the File name textbox, type c:\ServiceNow64.cer.

  12. Click Next to open the Completing the Certificate Export Wizard dialog page.

  13. Click Finish to export the certificate.

  14. Click OK to close the Welcome to the Certificate Export Wizard.

  15. In your ServiceNow tenant, on the navigation bar at the left side, click Properties to open the SAML 2.0 Single Sign-on properties page.

  16. On the SAML 2.0 Single Sign-on properties page, perform the following steps:

    1. Select Yes as Enable external authentication.

    2. In The Identity Provider URL which will issue the SAML2 security token with user info textbox, type https://login.windows.net/<your tenant’s GUID>/.

    3. In The base URL to the Identity Provider’s AuthnRequest service textbox, type https://login.windows.net/<your tenant’s GUID>/saml2.

    4. In The base URL to the Identity Provider’s SingleLogoutRequest service textbox, type https://login.windows.net/<your tenant’s GUID>/saml2.

    5. In The protocol binding for the Identity Provider’s SingleLogoutRequest service, type urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect.

    6. Select Yes as Sign LogoutRequest.

    7. In the When SAML 2.0 single sign-on fails because the session is not authenticated, or this is the first login, redirect to this URL textbox, type https://login.windows.net/<your tenant’s GUID>/saml2.

  17. In the Service Provider (Service-Now) properties section, perform the following steps:

    1. In The URL to Service-now instance homepage textbox, type the URL to your ServiceNow instance homepage.
      The URL of the ServiceNow instance homepage is a concatenation of your ServiceNow tenant URL and “/navpage.do”:
      https://<InstanceName>.service-now.com/navpage.do

    2. In The entity identification, or the issuer textbox, type the URL of your tenant.

    3. In The audience uri that accepts SAML2 token textbox, type the URL of your tenant.

    4. In The User table field to match with the Subject’s NameID element in the SAMLResponse textbox, type user_name.

    5. In The NameID policy to use for returning the Subject’s NameID in the SAMLResponse textbox, type urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

    6. Select Yes for Create an AuthnContextClass request in the AuthnRequest statement.

    7. In The AuthnContextClassRef method that will be included in our SAML 2.0 AuthnRequest to the Identity Provider, type http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password.

  18. In the Advanced settings section perform the following steps:

    1. In The number in seconds before “notBefore” constraint, or after “notOnOrAfter” constraint to consider still valid textbox, type 60.

  19. To save the configuration, click Save.

  20. On the navigation bar at the left side, click Certificate to open the Certificate page.

  21. To upload your certificate, on the certificate page, perform the following steps:

    1. Click New.

    2. In the Name textbox, type SAML 2.0.

    3. Select Active.

    4. Select PEM as Format.

    5. In Notepad, open c:\ServiceNow64.cer, and then copy the content of this file into the clipboard.

    6. Paste the content of your clipboard into PEM Certificate textbox.

    7. Click Submit.

  22. On the Windows Azure AD portal, click Complete to close the Configure Single Sign On dialog.
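
The export in steps 5 to 14 only re-encodes the downloaded certificate as Base-64 text, so the file pasted into ServiceNow should carry the same thumbprint as the file downloaded from Azure AD. The following added example (not part of the original tutorial or of any Microsoft or ServiceNow tooling) performs that comparison with the Python standard library; the function names are illustrative and the sample bytes are a constructed stand-in, not a real certificate.

```python
import hashlib
import ssl

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def load_der(data: bytes) -> bytes:
    """Return DER bytes from a .cer file in binary (DER) or Base-64 (PEM) form."""
    text = data.decode("ascii", errors="ignore")
    if PEM_HEADER in text:
        # Drop anything before the header (for example a byte-order mark).
        return ssl.PEM_cert_to_DER_cert(text[text.index(PEM_HEADER):].strip())
    return data


def thumbprint(data: bytes) -> str:
    """SHA-1 over the DER encoding, the value Windows shows as Thumbprint."""
    return hashlib.sha1(load_der(data)).hexdigest().upper()


def export_base64(data: bytes) -> str:
    """Equivalent to choosing Base-64 encoded X.509 (.CER) in the wizard."""
    return ssl.DER_cert_to_PEM_cert(load_der(data))


def same_certificate(downloaded: bytes, exported: bytes) -> bool:
    """True when both files carry the identical certificate."""
    return thumbprint(downloaded) == thumbprint(exported)


if __name__ == "__main__":
    # Constructed stand-in bytes, not a real certificate; in practice read
    # c:\ServiceNow.cer and c:\ServiceNow64.cer in binary mode instead.
    downloaded = bytes(range(256)) * 3
    exported = export_base64(downloaded).replace("\n", "\r\n").encode("ascii")
    print(thumbprint(downloaded), same_certificate(downloaded, exported))
```

The thumbprint printed for the downloaded file can also be compared with the Thumbprint field on the Details tab of the Certificate dialog opened in step 7.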

You can now go to the Access Panel and test single sign-on to ServiceNow.
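
The SAML 2.0 properties entered in steps 16 to 18 determine which assertions the service provider accepts. The following added example, which is not from the original tutorial and is not ServiceNow's implementation, shows how a generic SAML 2.0 service provider would apply the issuer, audience, NameID and 60-second clock-skew settings to an assertion. The tenant GUID, instance name, user name and the assertion itself are constructed placeholders, and signature verification against the uploaded certificate is assumed to have happened already.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Placeholders standing in for <your tenant's GUID> and <InstanceName>.
EXPECTED_ISSUER = "https://login.windows.net/00000000-0000-0000-0000-000000000000/"
EXPECTED_AUDIENCE = "https://example.service-now.com"
CLOCK_SKEW = timedelta(seconds=60)  # the value typed in the Advanced settings step

# Constructed, unsigned assertion (not captured from a real tenant).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://login.windows.net/00000000-0000-0000-0000-000000000000/</saml:Issuer>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2014-06-29T12:00:00Z" NotOnOrAfter="2014-06-29T13:00:00Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://example.service-now.com</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""


def _ts(value):
    """Parse a SAML UTC timestamp such as 2014-06-29T12:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_assertion(xml_text, now):
    """Return (name_id, problems); name_id is None when any check fails.

    Signature verification against the uploaded certificate must happen
    before these checks in a real service provider and is not shown here.
    """
    root = ET.fromstring(xml_text)
    problems = []
    if root.findtext("saml:Issuer", "", NS).strip() != EXPECTED_ISSUER:
        problems.append("issuer mismatch")
    cond = root.find("saml:Conditions", NS)
    if cond is None:
        return None, problems + ["no Conditions element"]
    audiences = [a.text.strip() for a in cond.iterfind(".//saml:Audience", NS) if a.text]
    if EXPECTED_AUDIENCE not in audiences:
        problems.append("audience mismatch")
    not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
    if not_before and now < _ts(not_before) - CLOCK_SKEW:
        problems.append("not yet valid")
    if not_on_or_after and now >= _ts(not_on_or_after) + CLOCK_SKEW:
        problems.append("expired")
    # NameID is the value matched against the user_name field of the User table.
    name_id = root.findtext("saml:Subject/saml:NameID", None, NS)
    return (name_id if not problems else None), problems
```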

© 2014 Microsoft