Description


ServiceNow supports Custom URLs starting from the London release. This article describes the steps required to configure SAML/SSO for an instance configured with a custom URL.

Prerequisite


  • IDP supports configuring more than one assertion consumer service URL.
  • Custom URL is configured within ServiceNow

Procedure


Note: If you are using the "ServiceNow UD" application in OKTA, using the custom URL and the default instance URL at the same time will not be possible. For this case, an alternate solution is provided after step 6 below.

  1. Navigate to Custom URL > Custom URLs and ensure that the status is active for the Domain Name.
    • Note: devauth.snowtestcustomurlone.com is used as an example, not as a real domain name.
  2. Multi-Provider SSO > Identity Providers > New > Create a SAML/IDP configuration for the instance URL. Ensure that ServiceNow Homepage, Entity ID / Issuer and Audience URI are populated with the instance URL.
  3. Generate Metadata - This should have the assertion consumer service URL configured for both the instance and the custom URL. The customer should import this metadata into their IDP to configure the SAML/SSO setup.
    <EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://<instance-name>.service-now.com">
      <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
        <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<instance-name>.service-now.com/navpage.do"/>
        <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
        <AssertionConsumerService isDefault="false" index="1" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://devauth.snowtestcustomurlone.com/navpage.do" />
        <AssertionConsumerService isDefault="false" index="3" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://<instance-name>.service-now.com/consumer.do" />
        <AssertionConsumerService isDefault="false" index="4" Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://devauth.snowtestcustomurlone.com/consumer.do" />
      </SPSSODescriptor>
    </EntityDescriptor>

    Ex: An IDP which has multiple Assertion Consumer URLs configured (Requestable SSO URL).

  4. Test Connection. This will test the SAML connection for the instance URL.
  5. If your test connection is successful, activate the IDP.
  6. Test connection is not supported for the custom URL. After activating the IDP for the instance URL, log out and test SSO for the custom URL.

    Ex: https://devauth.snowtestcustomurlone.com

Note: If you are using the "ServiceNow UD" application in OKTA, using the custom URL & the default instance URL at the same time will not be possible. This is the workaround for this case:

This is a limitation of "ServiceNow UD" application. The options are:

  1. Switch to the new OKTA application which supports multiple Requestable SSO URLs.
  2. This is an option if you can't switch to a new application. The admin for OKTA has to create two ServiceNow applications, one with the default URL and another with the Custom URL. Then create two Identity Provider records on the instance for the respective OKTA apps. The admin has to then configure users for the respective OKTA application.
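
A pre-import check for the metadata generated in step 3, as an added example that is not ServiceNow code: it confirms the Entity ID stays on the instance URL and that every assertion consumer service endpoint is HTTPS, uses the HTTP-POST binding, and sits on either the instance host or the custom host. The function name, the sample document and the "instance-name" host are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
POST = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"

# Constructed sample modelled on step 3; "instance-name" is a placeholder host.
SAMPLE = f"""<EntityDescriptor xmlns="{MD}"
  entityID="https://instance-name.service-now.com">
 <SPSSODescriptor WantAssertionsSigned="true">
  <AssertionConsumerService index="3" Binding="{POST}"
    Location="https://instance-name.service-now.com/consumer.do"/>
  <AssertionConsumerService index="4" Binding="{POST}"
    Location="https://devauth.snowtestcustomurlone.com/consumer.do"/>
 </SPSSODescriptor>
</EntityDescriptor>"""

def check_sp_metadata(xml_text, instance_host, custom_host):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)  # input is metadata you generated yourself
    sp = root.find(f"{{{MD}}}SPSSODescriptor")
    if sp is None:
        return ["no SPSSODescriptor element"]
    findings = []
    # Step 2: Entity ID / Issuer stays on the instance URL, not the custom URL.
    if urlsplit(root.get("entityID", "")).hostname != instance_host:
        findings.append("entityID is not the instance URL")
    if sp.get("WantAssertionsSigned") != "true":
        findings.append("WantAssertionsSigned is not true")
    hosts, indexes = set(), set()
    for acs in sp.findall(f"{{{MD}}}AssertionConsumerService"):
        loc, idx = acs.get("Location", ""), acs.get("index")
        url = urlsplit(loc)
        if url.scheme != "https":
            findings.append(f"ACS URL is not https: {loc}")
        if url.hostname not in (instance_host, custom_host):
            findings.append(f"unexpected ACS host: {loc}")
        if acs.get("Binding") != POST:
            findings.append(f"ACS binding is not HTTP-POST: {loc}")
        if idx in indexes:
            findings.append(f"duplicate ACS index: {idx}")
        indexes.add(idx)
        hosts.add(url.hostname)
    # Step 3: both the instance URL and the custom URL need an ACS endpoint.
    for host in (instance_host, custom_host):
        if host not in hosts:
            findings.append(f"no ACS URL for {host}")
    return findings

if __name__ == "__main__":
    print(check_sp_metadata(SAMPLE, "instance-name.service-now.com",
                            "devauth.snowtestcustomurlone.com"))
```

An empty list means the metadata can be imported into the IDP; any finding names the endpoint that needs correcting first.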

Applicable Versions


London

Additional Information


Generate SP metadata for SAML/SSO custom URL installations

Article Information

Last Updated: 2019-08-02 20:53:04
Published: 2019-03-22