Digest Token Authentication
Digest Token Authentication uses data , key and mac algorithm to generate digest data.User access instance with the digest data.This digest data is compared against the digest data calculated within instance.If digest data matches then user is authenticated.
How does Digest Token Authentication work?
1.Client launches instance url with Digest token.
**glide_sso_id is required if default or redirect idp is not configured.
2.MultiSSO Digest Token Authentication uses MultiSSO_DigestToken installation exits to parse request parameters,cookies or headers.
3.NOW platform calculates digest value based on the digest token configurations configured within platform.
4.MultiSSO_DigestToken installation exit compares digest data with digest data extracted ( DE_USER )from request parameters.
5.If digest data matches
a)MultiSSO_DigestToken script validates user ( SM_USER ) against user table.
b)if there is a valid user record session is initialized for that user.
c)else, user is redirected to failed sso redirect page.
6)Else, user is redirected to failed sso redirect page.
1)Multi-Provider SSO > Identity Providers > New > What kind of SSO are you trying to create? ( Select Digest )
|DE_USER||Digest token is sent with DE_USER|
|SM_USER||User field for lookup with user table|
|User Field||Name of the field which is queried with user table|
|Secret Passphrase||secret key to encrypt/decrypt digest data ( ex:12345 )|
|Single Sign-On Script||Select MultiSSO_DigestedToken.This script decrypts token token and authenticate user|
|Failed SSO redirect||page user redirected to post login failure|
|External logout redirect||page user redirected to post logout|
2)Multi-Provider SSO > Properties > Enable multiple provider sso
NOW platform uses HmacSHA1 algorithm to generate digest token by default.If HMAC algorithm needs to be changed please use the below steps.
1.Open MultiSSO_DigestedToken Installation Exit
2.Update MAC_ALG var with the MAC algorithm supported by Java.
Java 8 platform supports the below Mac Algorithms.
How to generate digest data with scripting?
Run this script via System Definition > Scripts background to generate Digest data with different MAC algorithms
var secretKey = "12345";
var MAC_ALG_1 = "HmacSHA1";
var MAC_ALG_2 = "HmacSHA224";
var MAC_ALG_3 = "HmacSHA256";
var MAC_ALG_4 = "HmacSHA384";
var MAC_ALG_5 = "HmacSHA512";
var MAC_ALG_6 = "HmacMD5";
//SncAuthentication.encode() function generates digest data.This is compared against DE_USER
gs.print("Digest data generated with HmacSHA1: "+SncAuthentication.encode(data, secretKey, MAC_ALG_1));
gs.print("Digest data generated with HmacSHA224: "+SncAuthentication.encode(data, secretKey, MAC_ALG_2));
gs.print("Digest data generated with HmacSHA256: "+SncAuthentication.encode(data, secretKey, MAC_ALG_3));
gs.print("Digest data generated with HmacSHA384: "+SncAuthentication.encode(data, secretKey, MAC_ALG_4));
gs.print("Digest data generated with HmacSHA512: "+SncAuthentication.encode(data, secretKey, MAC_ALG_5));
gs.print("Digest data generated with HmacMD5: "+SncAuthentication.encode(data, secretKey, MAC_ALG_6));
*** Script: Digest data generated with HmacSHA1: SuaGUdiqQZikiOfxcgQZALaQJpE=
*** Script: Digest data generated with HmacSHA224: HcTdLXVPwfK+3MRsI1m9BN10xYXKGTqzWYmGMg==
*** Script: Digest data generated with HmacSHA256: IMafPR3HHBl+ykp7ACAfQqMffxtCI86Qv1oI8dqQJr0=
*** Script: Digest data generated with HmacSHA384: 3atp1KaQgbr7W+/Wr9Lq7/K+/OTGk1X5YkhF+d+DwiGpI2rSFBP7cC1FN3fDlhLR
*** Script: Digest data generated with HmacSHA512: c22+q9VaE720r4uWo19Ot9VTRQXQc1oXKHi3mnWB6G/A6gjDG55DXw6fg8JizH/Z5reovgW1oat8 eZTcqxyKcg==
*** Script: Digest data generated with HmacMD5: 8ETw8Cm8Az6JOuWzotRYZA==
NOW platform supports deep linking for digest token authentication.Include glide_sso_id,SM_USER and DE_USER in the deep link url for authentication.
Set glide.authenticate.multisso.debug = true to print debugger messages in the System logs.
Service Portal and CMS Redirection
NOW platform does not support digest token authentication for CMS & Service Portal.This is because CMS & Service Portal has login page configured so user will be redirected to the platform configured login page.navpage.do is the only public page platform support digest token for authentication.
Service Portal has $sp set to true and CMS has view_content set to true in the sys_public table.Setting $sp= false and view_content = false allows platform to authenticate user with digest token authentication.This approach does not allow user to access any public pages configured for Service Portan and CMS.
1.Configure first page for CMS & Service Portal.
2.Configure login redirection.
3.Authenticate with instance url
4.NOW platform redirects user to first page ( landing page ) after authentication.
User is redirected to navpage.do after authentication
user is redirected to service portal ( first page / landing page ) after authentication
user is redirected to incident record after authentication.
ess user is redirected to service portal after authentication.
Check docs.servicenow.com for the applicable versions.
1)Check doc site for Integration Setup,Sample Digest Token Implementations and deep linking within instance.
2)Mac Algorithms supported by Java 8 at the time of writing this article.