Relying Party Configuration - ServiceNow ServiceNow RSA Ready SecurID Access Implementation Guide

Document created by RSA Information Design and Development on Jan 22, 2019
Version 1Show Document
  • View in full screen mode

This section contains instructions on how to integrate RSA SecurID Access with ServiceNow using Relying Party. Relying party uses SAML 2.0 to integrate RSA SecurID Access as a SAML Identity Provider (IdP) to ServiceNow SAML Service Provider (SP).

Architecture Diagram

RSA Cloud Authentication Service

Follow the steps in this section to configure RSA Cloud Authentication Service as a Relying Party SAML IdP to ServiceNow .

Procedure

1. Logon to the RSA Cloud Administrative Console.

2. Browse to Authentication Clients > Relying Parties.

3. Click Add a Relying Party.

4. From the Relying Party Catalog select the +Add button for Service Provider SAML.

5. Enter a name for the Service Provider in the Name field on the Basic Information page.

6. Click the Next Step button.

7. On the Authentication page, select RSA SecurID Access manages all authentication.

8. From the Primary Authentication Method pulldown, select your desired login method either Password or SecurID.

9. From the Access Policy pulldown select a policy that was previously configured.

10. Select Next Step.

11. Select Enter Manually.

12. Enter the ACS URL and Entity ID for your instance.

13. Click Download Certificate.

14. Click Show Advanced Configuration.

15. In the NameID field use the Identifier Type pulldown to select Email Address and the Property pulldown to select mail.

16. Select Save and Finish.

17. On the My Relying Parties page, select the Edit pulldown and select View or Download IdP Metadata.

18. View the metadata file to find the Cloud IDP URL. Location=https://<company_id>.auth.securid.com/saml-fe/sso. This is the Cloud IDP URL.

19. Navigate to Users > Identity Sources.

Note: Perform the following steps to all Identity Sources used in the policy.

20. Select Edit for the Identity Source used in the Policy.

21. On the User Attributes page, verify that the Synchronize the selected policy attributes with the Cloud Authentication Service is checked.

22. In the Policies column verify that attribute mail is checked.

23. Click Next Step.

24. Click Save and Finish.

25. On the top menu click Publish Changes.

26. From the Users > Identity Sources page, select the Edit pulldown for each Identity Source used in the policy and select Synchronization.

27. Click Synchronize Now.

 

ServiceNow

Follow the steps in this section to configure ServiceNow as a Relying Party SAML SP to RSA Cloud Authentication Service.

Procedure

1. Login into the ServiceNow administration console. https://<your_instance>.service-now.com

Note: If SSO is enable use https://<your_instance>.service-now.com/side_door.do

2. In the filter field next to the star, enter plugins.

3. Verify the Integration – Multiple Provider Single Sign–On Installer plugin is installed and active.

4. Once installed Multi-Provider SSO will appear on the left side navigation menu.

5. Navigate to Multi-Provider SSO > Administration > Properties.

6. Check Yes for Enable multiple provider SSO.

7. Enter email in the User identification field.

8. Click Save.

9. Navigate to Multi-Provider SSO > x509 Certificate.

10. Click New.

11. Enter a Name and paste the cloud certificate generated in the PEM field.

12. Click Submit.

13. Navigate to Multi-Provider SSO > Identity Providers and click New > SAML.

14. Enter a name for the Identity Provider.

15. Select the Default checkbox if desired for your configuration.

16. In the *Identity Provider URL and *Identity Provider’s AuthRequest fields, enter either:

Cloud IdP format: https://<COMPANY_ID>.auth.securid.com/saml-fe/sso

17. In the *ServiceNow Homepage field, enter the ACS url.

https://<your_instance>.service-now.com/navpage.do

18. In the *Entity ID /Issuer and *Audience URI field, enter https://<your_instance>.service-now.com.

19. In the *NameID Policy field, enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.

20. In the Advanced section, enter the following:

a. email, in the User Field.

b. MultiSSO_SAML2_Update1, as the Single Sign-on Script.

c. leave the NameID Attribute field blank.

d. check the Create AuthnContextClass checkbox.

e. urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect in the Protocol Binding for IDP’s SingleLogoutRequest field.

f. check the Force AuthNRequest checkbox.

g. urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport in the AuthnContextClassRef Method field.

21. Select the created Identity Provider and scroll down to X.509.

22. Use the Go to pull down to associate the X509 certificate with the Identity Provider.

23. Click Update.

24. Make sure browser pop up is allowed and click the Test Connection button.

25. Select the check box for Active.

26. Navigate to Multi-Provider SSO > Identity Providers and right click on the Identity Provider name.

27. Select Copy sys_id.

28. Navigate to User Administration > Users.

29. Edit the user’s User ID, Email, First name and Last name.

30. Click Submit.

31. Edit the user and add a role for the user.

32. Select the 3 row menu icon and navigate to Configure > Form Layout.

33. Add Source to the Selected column

34. Click Save.

35. Edit the user and add sso: followed by sys_id of the identity provider’s record.

36. Click Update.

 

Configuration is complete.

Return to the main page for more certification related information.

 

 

Attachments

    Outcomes