With the rapid development of cloud computing in recent years, software produced as SaaS has started to enter our lives. The ServiceNow product is one of the most popular products that serve over the cloud and are used as IT service software recently. In this article, I will try to explain how you can use the Single SignOn feature for in-house Active Directory users by running Microsoft Azure Active Directory and ServiceNow together.
Our scenario will be as follows.
Picture-1
There are sample users as follows in my onderdeger.com domain structure that I use internally.
Picture-2
First of all, we need to configure local Active Directory and Microsoft Azure Active Directory to run together. Thanks to this configuration, our local user accounts will be placed on Azure Active Directory and our users will now be able to access applications configured as SaaS with their domain username and accounts. To be able to work together Microsoft Azure Active Directory Connector We download the application and install it on a DC or a separate server.
After completing the download, the Microsoft Azure Active Directory Connector configuration is as follows.
Let's continue after confirming the first screen Welcome screen.
Picture-3
In the Express Settings section, you can configure all the steps one by one by pressing the Customize button, or you can make a quick configuration with the Use Express Settings button. We continue with the Use Express Settings section.
Picture-4
In the Connect to Azure AD section, enter the username and password authorized in your Azure Active Directory account.
Picture-4
On the Connect to AD DS page, enter the Enterprise Administrator user and password in your local Active Directory.
Picture-5
After this section, we are now ready to configure. Let's start the configuration with the Install button.
Picture-6
After about 10 minutes, you will see the screen where you can see that your configuration has been successful. We can exit with the Exit button.
Picture-7
On the Azure management portal, go to the Azure Active Directory section and your Azure AD domain name (me in the example domain) onderdeger.onmicrosoft.com You can see your local users in the Users tab in the domain name.
Picture-8
After this section, if you wish, you can register your local domain name on Azure Active Directory. In fact, it is a process that must be done in order for the SSO process to work logically. for this https://azure.microsoft.com/en-us/documentation/articles/active-directory-add-domain/ You can access the information from the link.
After these processes, let's go to the Applications section in your Azure Active Directory domain name and start the integration with the ServiceNow application. On this screen, we continue by pressing the ADD button.
Picture-9
Click on the "Add an application from gallery" tab on the screen that comes up and come to the Gallery section, where there are applications that can work in integration with Azure Active Directory.
Picture-10
You can find the ServiceNow application in the Gallery section by searching. As I mentioned earlier in this section, you can find thousands of different cloud applications that can work integrated with Azure Active Directory.
Picture-11
After adding the ServiceNow application, a 3-step screen appears. It can start with Step 1, “Enable single-sign-on with Microsoft Azure AD”.
Picture-12
The first screen is about how users log in to the ServiceNow application. We continue by ticking the "Microsoft Azure AD Single-Sign-On" tab.
Picture-13
In the Configure App Setting section, we enter the Sign on URL of your ServiceNow application. Ex: https:// .service-now.com
Picture-14
On the Auto Configure Single Sign-on screen, you can specify the authorized user name and password for automatic login or manually configure it by going to the next screen.
Picture-15
By clicking the Download certificate button on the Configure single sign-on at ServiceNow screen, we save the incoming certificate somewhere on our computer.
Picture-16
After saving the certificate, without closing this screen, we open a new tab in our browser and connect to the ServiceNow Sign-On URL. After logging in with the authorized user name and password, we come to the Properties section from the Multi-Providor SSO tab.
Picture-17
In this section, we mark YES in the “Enable multiple provider SSO” section, and YES in the “Enable debug logging for the multiple provider SSO integration” section and save it.
Picture-18
Again, we select the x509 Certificate section from the Multi-Provider SSO section.
Picture-19
We continue with the NEW button in the opened section.
Picture-20
We open the previously downloaded certificate with notepad and copy the contents.
Picture-21
For the Name section, we write TestSAML2.0 as an example. We select PEM in the Format section, Trust Store Cert in the Type section and paste the certificate content that we copied into the PEM Certificate section. Save it with the Update button.
Picture-22
Again, we come to the Identity Providers tab from the Multi-Provider SSO section.
Picture-23
We continue with the NEW button.
Picture-24
SAML2 Update1? We choose the part.
Picture-25
From the section that opens, we make the following entries, respectively, and save.
- For example, we write SAML 2.0 in the Name section.
- Enter the email address in the User field.
- In the Identity Provider URL section, we enter the Identity Provider ID on the Azure AD portal.
- In the Identity Provider's AuthnRequest section, we enter the Authentication Request URL section on the Azure AD portal.
- In the Identity Provider's SingleLogoutRequest section, we enter the Single Sign-Out Service URL section on the Azure AD portal.
- In the ServiceNow Homepage section, we enter the address of your ServiceNow homepage.
- In the Entity ID /Issuer section, we enter the ServiceNow tenant URL.
- In the Audience URL section, we enter the ServiceNow tenant URL.
- In the Protocol Binding for the IDP's SingleLogoutRequest section, we write “urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect”.
- In the NameID Policy section "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified”
- We uncheck the Create an AuthnContextClass section.
- To the AuthnContextClassRef Method section http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password we are writing.
- We write 60 in the Clock Skew section.
- Single Sign On Script section We select MultiSSO_SAML2_Update1.
- In the x509 Certificate section, we select the certificate we created earlier.
- Save with the Submit button.
Picture-26
When we return to the Azure management portal, we continue by selecting the marked section in the picture.
Picture-27
On the last screen, we define an e-mail address for notifications and complete our process.
Picture-28
After completing our process, you can perform the automatic provision of accounts to the ServiceNow application, which is Step 2.
Picture-29
In this section, we specify an instance name for our ServiceNow application and write an authorized user name password.
Picture-30
On the screen that comes up, we press the Start Test button.
Picture-31
If the test is successful, you will see the screen as below.
Picture-32
Then, the configuration window for the accounts to be automatically provisioned will appear. Here you can select User and Group object types.
Picture-33
After the process, we can select the Start Automatic Provisioning Now option and complete our process.
Picture-34
In the 3rd section, we can specify the users who will access our ServiceNow application through the Microsoft Azure AD service.
Picture-35
When you click on this section, you can see the users in Microsoft Azure AD (So Local Active Directory). As I mentioned before, when you add your own domain name to Microsoft Azure AD; The domain name you have will come, not the onmicrosoft.com Suffix. Thus, your users will be able to successfully perform the SSO operation. Here we can now select the users we want and press the Assign button.
Picture-36
The users we have assigned will be seen as follows.
Picture-37
Now your authorized users https://myapps.microsoft.com When they log in with their user name passwords, they will see the connection shortcut on the application portal screen for the ServiceNow application.
Picture-38
And of course, you can see your Microsoft Azure AD users in the Users section of the ServiceNow application.
Picture-39
See you in our next article about Azure.
Your questions on this subject You can ask using the comments field at the bottom.
REFERENCES
www.mshowto.org