SSO Agent - SAML Configuration - ServiceNow RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Jan 22, 2019

This section contains instructions on how to integrate RSA SecurID Access with ServiceNow using a SAML SSO Agent.

Architecture Diagram

RSA Cloud Authentication Service

Follow the steps in this section to configure RSA Cloud Authentication Service as an SSO Agent SAML IdP to ServiceNow.

Procedure

1. Log on to the RSA Cloud Administration Console, browse to Applications > Application Catalog, search for ServiceNow and click +Add to add the connector.

2. Enter a name for the application in the Name field on the Basic Information page and click the Next Step button.

3. Navigate to the Initiate SAML Workflow section.

a. In the Connection URL field, verify the default setting.

b. Choose IDP-initiated.

Note: The following IDP-initiated configuration works for SP-initiated ServiceNow connections as well.

If you choose SP-initiated, the Connection URL format is https://<your_instance>.service-now.com/login_with_sso.do?glide_sso_id=<sys_id>.

4. Scroll down to SAML Identity Provider (Issuer) section.

a. Take note of the Identity Provider URL.

b. Take note of the Issuer Entity ID.

c. Select Choose File and upload the private key.

d. Select Choose File to import the public signing certificate.

e. Select the checkbox for Include Certificate in Outgoing Assertion.

Note: The certificate pair used for the assertion must have a Common Name specific to your ServiceNow instance.

• Select Generate Certificate Bundle.

• Enter your ServiceNow instance in the Common Name (CN) field and select Generate and Download.

• Unzip the certificateBundle.zip file that was downloaded from RSA SecurID Access.

5. Scroll down to the Service Provider section.

6. In the Assertion Consumer Service (ACS) URL field replace <your_instance> with your account domain.

7. In the Audience (Service Provider Entity ID) field replace <your_instance> with your account domain.

8. Scroll down to the User Identity section and verify the settings are correct for your environment. In this example the username is presented in email format and the user account is validated against the selected User Store.

9. Click Next Step.

10. On the User Access page, select the Allow All Authenticated Users policy from the available options.

11. Click Next Step.

12. On the Portal Display page, select Display in Portal.

13. Click Save and Finish.

14. Click Publish Changes. Your application is now enabled for SSO.


ServiceNow

Follow the steps in this section to configure ServiceNow as an SSO Agent SAML SP to RSA Cloud Authentication Service.

Procedure

1. Log in to the ServiceNow administration console at https://<your_instance>.service-now.com.

Note: If SSO is already enabled, use https://<your_instance>.service-now.com/side_door.do

2. In the filter field next to the star, enter plugins.

3. Verify the Integration - Multiple Provider Single Sign-On Installer plugin is installed and active.

4. Once installed, Multi-Provider SSO appears in the left-hand navigation menu.

5. Navigate to Multi-Provider SSO > Administration > Properties.

6. Check Yes for Enable multiple provider SSO.

7. Enter email in the User identification field.

8. Click Save.

9. Navigate to Multi-Provider SSO > x509 Certificate.

10. Click New.

11. Enter a Name and paste the public certificate generated from the RSA SecurID Access in the PEM field.

12. Click Submit.

13. Navigate to Multi-Provider SSO > Identity Providers and click New > SAML.

14. Enter a name for the Identity Provider.

15. Select the Default checkbox if desired for your configuration.

16. In the *Identity Provider URL and *Identity Provider’s AuthRequest fields, enter either:

IDR format: https://<PORTAL_HOSTNAME>/IdPServlet?idp_id=<STRING>

17. In the *ServiceNow Homepage field, enter the ACS URL: https://<your_instance>.service-now.com/navpage.do

18. In the *Entity ID /Issuer and *Audience URI field, enter https://<your_instance>.service-now.com.

19. In the *NameID Policy field, enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

20. In the Advanced section, enter the following:

a. In the User Field, enter email.

b. In the Single Sign-on Script field, enter MultiSSO_SAML2_Update1.

c. Leave the NameID Attribute field blank.

d. Check the Create AuthnContextClass checkbox.

e. In the Protocol Binding for IDP’s SingleLogoutRequest field, enter urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect.

f. Check the Force AuthNRequest checkbox.

g. In the AuthnContextClassRef Method field, enter urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport.

21. Select the created Identity Provider and scroll down to X.509.

22. Use the Go to pull-down menu to associate the X.509 certificate with the Identity Provider.

23. Click Update.

24. Make sure browser pop-ups are allowed, then click the Test Connection button.

25. Select the check box for Active.

26. Navigate to Multi-Provider SSO > Identity Providers and right-click the Identity Provider name.

27. Select Copy sys_id.

28. Navigate to User Administration > Users.

29. Edit the user’s User ID, Email, First name and Last name.

30. Click Submit.

31. Edit the user and add a role for the user.

32. Select the three-line menu icon and navigate to Configure > Form Layout.

33. Add Source to the Selected column.

34. Click Save.

35. Edit the user and, in the Source field added in step 33, enter sso: followed by the sys_id of the Identity Provider record.

36. Click Update.


Configuration is complete.
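When Test Connection (step 24) fails, the quickest way to find the mismatch is to compare the SAML Response the IdP actually sends (ServiceNow's Multi-Provider SSO logs show it base64-decoded) against the values entered above. The script below is an added example written for this guide, not RSA or ServiceNow code: it parses a SAML 2.0 Response with the Python standard library and reports every deviation from the settings in steps 4b, 4e, 17, 18, 19 and 20g (Issuer Entity ID, embedded signing certificate, ACS URL, Entity ID/Audience, emailAddress NameID, PasswordProtectedTransport). The instance name `example-instance`, the issuer `https://portal.example.com/IdPServlet?idp_id=EXAMPLEID`, the user email and the certificate bytes in the sample are constructed placeholders. Cryptographic signature verification is left to ServiceNow, which checks it against the x509 record from step 11; the script only confirms the certificate is present in the assertion.

```python
"""Check a SAML Response against the ServiceNow settings entered in this guide.

Added example, not RSA or ServiceNow code; standard library only. Instance name,
IdP issuer, user email and certificate bytes are constructed placeholders.
Signature verification is ServiceNow's job; only certificate presence is checked.
"""
import base64
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}
EMAIL_NAMEID = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"            # step 19
PPT_CLASS = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"  # step 20g
# Placeholder Issuer Entity ID in the IDR format shown in step 16 (hostname and id are made up).
SAMPLE_ISSUER = "https://portal.example.com/IdPServlet?idp_id=EXAMPLEID"
SAMPLE_NOW = datetime(2019, 1, 22, 10, 0, 30, tzinfo=timezone.utc)


def expected_settings(instance, idp_issuer):
    """Values the guide derives from the instance name (steps 4b, 17, 18)."""
    base = f"https://{instance}.service-now.com"
    return {"acs_url": f"{base}/navpage.do", "audience": base, "issuer": idp_issuer}


def parse_saml_time(value):
    """Parse an xs:dateTime in UTC ('Z' suffix), with or without fractional seconds."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_saml_response(xml_text, expected, now):
    """Return a list of findings; an empty list means the response matches the guide."""
    findings = []
    root = ET.fromstring(xml_text)
    if root.get("Destination") != expected["acs_url"]:
        findings.append(f"Destination {root.get('Destination')!r} is not the ACS URL {expected['acs_url']!r}")
    assertion = root.find("saml:Assertion", NS)
    if assertion is None:
        return findings + ["no plain Assertion element in the Response"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["issuer"]:
        findings.append(f"Issuer {issuer!r} is not the Issuer Entity ID {expected['issuer']!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_NAMEID:
        findings.append("NameID format is not emailAddress (ServiceNow identifies users by email)")
    elif "@" not in (name_id.text or ""):
        findings.append(f"NameID {name_id.text!r} is not an email address")
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS).strip()
    if audience != expected["audience"]:
        findings.append(f"Audience {audience!r} is not the Entity ID {expected['audience']!r}")
    conditions = assertion.find("saml:Conditions", NS)
    if conditions is not None:
        not_before, not_after = conditions.get("NotBefore"), conditions.get("NotOnOrAfter")
        if not_before and now < parse_saml_time(not_before):
            findings.append("assertion not yet valid (NotBefore in the future; check clock skew)")
        if not_after and now >= parse_saml_time(not_after):
            findings.append("assertion expired (NotOnOrAfter has passed)")
    class_ref = assertion.findtext("saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef",
                                   default="", namespaces=NS).strip()
    if class_ref != PPT_CLASS:
        findings.append(f"AuthnContextClassRef {class_ref!r} is not PasswordProtectedTransport")
    cert_b64 = assertion.findtext("ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate",
                                  default="", namespaces=NS)
    try:  # binascii.Error raised on bad base64 is a ValueError subclass
        cert_der = base64.b64decode("".join(cert_b64.split()), validate=True)
    except ValueError:
        cert_der = b""
    if not cert_der:
        findings.append("no X509Certificate in the assertion (step 4e: Include Certificate in Outgoing Assertion)")
    return findings


def sample_response(instance="example-instance", audience=None, nameid_format=EMAIL_NAMEID):
    """Constructed, stripped-down Response (not captured traffic); SignedInfo/SignatureValue omitted."""
    base = f"https://{instance}.service-now.com"
    cert = base64.b64encode(b"placeholder bytes, not a real DER certificate").decode()
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1"
  Version="2.0" IssueInstant="2019-01-22T10:00:00Z" Destination="{base}/navpage.do">
  <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2019-01-22T10:00:00Z">
    <saml:Issuer>{SAMPLE_ISSUER}</saml:Issuer>
    <ds:Signature xmlns:ds="{NS['ds']}"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>
    <saml:Subject><saml:NameID Format="{nameid_format}">jdoe@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2019-01-22T09:55:00Z" NotOnOrAfter="2019-01-22T10:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{audience or base}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2019-01-22T10:00:00Z"><saml:AuthnContext>
      <saml:AuthnContextClassRef>{PPT_CLASS}</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    expected = expected_settings("example-instance", SAMPLE_ISSUER)
    print(check_saml_response(sample_response(), expected, SAMPLE_NOW) or "matches the guide")
```

To use it on a real instance, replace `sample_response()` with the decoded Response text from the ServiceNow SSO log and pass your own instance name and the Issuer Entity ID noted in step 4b to `expected_settings`. The NotBefore/NotOnOrAfter check is worth keeping even when everything else matches: a Test Connection failure on an otherwise correct configuration is frequently clock skew between the IdP and ServiceNow.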
