Set up ServiceNow as the SP and EAA as the IdP

This procedure describes how to set up the ServiceNow application as a service provider (SP) and EAA as the identity provider (IdP).

Complete the following steps to configure ServiceNow as the SP and EAA as the IdP.

How to

  1. Access the ServiceNow Developer portal.
    1. Click REGISTER and enter the information.
    2. After you register, check your mail for an activation message.
    3. Access your personalized site with your login information.
      Note: If you have a trial account, it lasts for 24 hours only and then goes into hibernation. If the trial account is not used within 5 days, it is decommissioned.
    You have created a developer account on the ServiceNow application.
  2. Create a ServiceNow developer instance.
    1. Click Request an Instance.
    2. Choose Latest Release from the available options and close the pop-ups.
    3. After the instance is created, save the instance specific URL and admin credentials.
    You have created a developer instance of the ServiceNow application.
  3. In a new browser window, access the customized URL with your user name and password to make sure it works. (A password reset is required.)
  4. Configure EAA as the IdP for a custom SaaS application for ServiceNow, but do not deploy the application at this stage. Configure the general settings of the application: set the application URL to the ServiceNow instance-specific URL (for example, https://devxxxxx.service-now.com/) and choose the application icon and category. Click Assign identity provider and choose the identity provider. Then click Assign Directory and choose the directory with users. Click Save and go to SAML settings. Click Download to download the pre-populated metadata. Save the information as saml_idp_data.txt using any text editor.
  5. Configure ServiceNow as a Service Provider (SP).
    1. Log in to the ServiceNow developer instance you created in step 2.
    2. Search for “Plugins” in the search bar, on the left panel. Navigate to Plugins.
    3. In the search box, on the right pane, search for “Integration - Multiple Provider Single Sign-On Installer” and install it.
    4. Click the Activate/Upgrade link and confirm activation.
    5. Search for “Multi-Provider SSO” in the search bar, on the left panel. The plugin should be installed. Add it to your favorites. You will need to access this again in substeps 8 and 14.
    6. Reset the filter. Go back to the instance Homepage by clicking the ServiceNow logo. Then click the User Administration tile.
    7. Create a new user. Click the Users icon, then the New button; the user setup window appears. Confirm that the email matches the directory integrated with the IdP in EAA.
    8. Go back to “Multi-Provider SSO”, which you added to your favorites in substep 5. Navigate to Administration. Click Properties. Enable all 3 options and click Save.
    9. Create a new SAML identity provider in ServiceNow. Navigate to Identity providers, click New and choose SAML.
    10. Next, a pop-up window for “Identity Provider Metadata” appears. Select XML. Copy the contents of saml_idp_data.txt from step 4 and paste them in the “Enter the XML” section. Click the Import button.
    11. Check the EAA IdP URL as the Default option.
    12. Update the NameID Policy to email address. Modify it from urn:oasis:names:tc:SAML:2.0:nameid-format:transient to urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress. Then click Save and Update.
    13. Because the “Test Connection” feature in ServiceNow is not currently compatible with EAA, disable it by setting the glide.authenticate.multisso.test.connection.mandatory property to false. In the search box on the left panel, type sys_properties.list and press Enter to see all properties. Check whether glide.authenticate.multisso.test.connection.mandatory is present and set to false.

      If it is missing, click New, add the property and set the type to False. Then click Submit.

    14. Go back to “Multi-Provider SSO”, which you added to your favorites in substep 5. Click the identity provider you created and activate it.
      The ServiceNow application is configured as a Service Provider (SP).
  6. Go back to the EAA application that you were configuring in step 4. Go to the SAML Settings tab, SAML Settings section. Check that the following match the ServiceNow configuration.
    1. Entity ID should match the value of Entity ID / Issuer in the ServiceNow identity provider config (e.g. https://devxxxx.service-now.com).
    2. SSO (ACS) URL should match the value of ServiceNow Homepage in the ServiceNow identity provider config (e.g. https://devxxxx.service-now.com/navpage.do).
    3. Ensure that you are using the same SHA algorithm in EAA and ServiceNow. If you are using the SHA-1 algorithm in ServiceNow, set Response signature algorithm to SHA1 in EAA. Alternatively, if you are using the SHA-256 algorithm in ServiceNow (see the ServiceNow documentation, SHA-256 support for Single Sign On), set Response signature algorithm to SHA256 in EAA.
    4. Set Single logout URL to the same value as SSO (ACS) URL (e.g. https://devxxxx.service-now.com/navpage.do).
      Note: In https://devxxxx.service-now.com, xxxx is a random number generated when you created the instance.

    5. Click Save and go to Deployment.
    6. On the deployment tab, click Deploy application.
  7. Verify that EAA as the IdP and ServiceNow as the SP authenticate accredited users associated with the IdP to use the ServiceNow SP:
    1. Navigate to your ServiceNow instance URL in a web browser and click “Use external login”.
    2. Log in as admin with your customized password, as in step 3.
    3. You will be redirected to the EAA IdP login URL. Enter the user credentials matching AD or Cloud Directory for the user.
    4. You are taken to your ServiceNow account landing page.

    With EAA configured as an IdP, ServiceNow configured as an SP, and both implementing SAML, they can seamlessly authenticate accredited users associated with the IdP to use the ServiceNow SP.