The advantage of having a separate local login admin account when using SSO/LDAP
As an admin of a ServiceNow instance, one of the most important things is being able to log in to address issues or investigate undesirable behavior.
If the issue itself is an inability to log in, there is a problem unless precautions have been taken.
Many SAML/SSO/LDAP issues are investigated and resolved quickly if the admins have a local login and log in through side_door.do.
With debugging turned on, the instance provides excellent SAML logs and errors are found quickly.
Although there is no general best practice, it is a good idea to have a separate local admin account, or several if more people are responsible for maintenance.
These accounts should ideally not be used for day-to-day work such as fulfiller tasks, but purely for maintenance. This has the added benefit that script changes are recorded as updated by user.admin.
The suggestions listed below are based on quite a few incidents.
Set up an account for username.admin. Do not use the same email address as the main account, as duplicate email addresses cause issues. Leaving the email address empty also works, since this account should not be used for day-to-day work such as working on incidents.
- Assign appropriate roles.
- A separate email address is useful to receive alerts in regards to the health and functionality of the instance.
Set the password, log in through an incognito window, and verify that the login works and that the account has the roles needed to access all the relevant admin parts of the platform.
Why a separate local account
Setting a local password for your own account works, but a separate admin account that is not updated by LDAP has its benefits.
ServiceNow Customer Support sees situations where all accounts are locked out due to LDAP mishaps, and locked accounts cannot log in.
The biggest concerns are the same as for any password, and it is best to follow your own company's policies.
Since the password is not used day to day, it must be tested regularly to ensure it is still remembered and still works.
This matters when the 3 a.m. phone call comes asking for help with an issue.
Needless to say, if the admins cannot log into the instance, ServiceNow Customer Support is available 24/7 to assist with the issue at hand.
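The setup checks above (local record, no shared email, admin role, working login) and the regular re-test can be automated over exported user data. The following audit is an added example, not from the original post; it assumes a simplified record shape modelled on the sys_user and sys_user_has_role tables, an assumed 90-day re-test interval, and constructed sample data.

```javascript
// Audit of break-glass local admin accounts (added example, not from the post).
// Records use a simplified, assumed shape of sys_user and sys_user_has_role rows
// (string booleans, user_name in the role row's user field); sample data is constructed.
const MAX_UNTESTED_DAYS = 90; // assumed interval for re-testing the password
function auditBreakGlass(users, userRoles, adminUserNames, now = new Date()) {
  const findings = [];
  const emailCount = {};
  for (const u of users) {
    const e = (u.email || '').toLowerCase();
    if (e) emailCount[e] = (emailCount[e] || 0) + 1;
  }
  for (const name of adminUserNames) {
    const u = users.find((x) => x.user_name === name);
    if (!u) { findings.push(`${name}: account does not exist`); continue; }
    if (u.active !== 'true') findings.push(`${name}: account is inactive`);
    if (u.locked_out === 'true') findings.push(`${name}: account is locked out`);
    // LDAP-imported users carry an ldap: prefix in sys_user.source; the break-glass
    // account must stay a purely local record that an LDAP mishap cannot lock or overwrite.
    if ((u.source || '').startsWith('ldap:')) findings.push(`${name}: maintained by LDAP`);
    // Duplicate email addresses cause trouble, so the account must not share one.
    if (u.email && emailCount[u.email.toLowerCase()] > 1) {
      findings.push(`${name}: email ${u.email} is shared with another user`);
    }
    const roles = userRoles.filter((r) => r.user === name).map((r) => r.role);
    if (!roles.includes('admin')) findings.push(`${name}: missing admin role`);
    // The password is not used day to day, so flag accounts that have not been tested recently.
    if (!u.last_login_time) findings.push(`${name}: never logged in`);
    else if ((now - new Date(u.last_login_time)) / 86400000 > MAX_UNTESTED_DAYS) {
      findings.push(`${name}: last login over ${MAX_UNTESTED_DAYS} days ago, re-test the password`);
    }
  }
  return findings;
}
// Constructed sample: an LDAP-maintained fulfiller, her break-glass account sharing
// her email and untested for months, and a second admin account lacking the role.
const SAMPLE_USERS = [
  { user_name: 'jane.doe', email: 'jane.doe@example.com', active: 'true', locked_out: 'true',
    source: 'ldap:CN=Jane Doe,OU=Staff,DC=example,DC=com', last_login_time: '2024-03-01T09:00:00Z' },
  { user_name: 'jane.admin', email: 'jane.doe@example.com', active: 'true', locked_out: 'false',
    source: '', last_login_time: '2023-10-01T09:00:00Z' },
  { user_name: 'bob.admin', email: 'bob.admin@example.com', active: 'true', locked_out: 'false',
    source: '', last_login_time: '2024-02-20T09:00:00Z' },
];
const SAMPLE_ROLES = [
  { user: 'jane.doe', role: 'itil' }, { user: 'jane.admin', role: 'admin' }, { user: 'bob.admin', role: 'itil' },
];
function runSampleAudit() {
  return auditBreakGlass(SAMPLE_USERS, SAMPLE_ROLES, ['jane.admin', 'bob.admin'], new Date('2024-03-02T00:00:00Z'));
}
runSampleAudit().forEach((f) => console.log(f));
```

Run it against a Table API export of the two tables on a schedule; an empty result means the break-glass accounts are still in the state the setup steps above call for.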