This section describes how to integrate ServiceNow with RSA Cloud Authentication Service using IDR SSO.

Configure RSA Cloud Authentication Service

Perform these steps to configure RSA Cloud Authentication Service using IDR SSO.

Procedure

1. Sign in to RSA Cloud Administration Console and browse to Applications > Application Catalog.
2. Search for ServiceNow and click Add.
   
3. Enter a name for the application in the Name field on the Basic Information page.
4. Choose Identity Router in the Basic Information section and click Next Step.
   
5. Navigate to the Initiate SAML Workflow section.
   

   In the Connection URL field, verify the default setting.

6. Choose IDP-initiated or SP-Initiated as applicable.
   

   
7. Scroll down to the Identity Provider section.
8. Under the Identity Provider Entity ID section, click the Override option and paste the connection URL from RSA.
   
   
   1. Identity Provider URL is automatically generated.
   2. Identity Provider Entity ID is automatically generated.
   3. Click Generate Cert Bundle.
   4. Provide a common name for your company certificate and click Generate and Download.
   5. Click Choose File and upload the private key from the generated certificate bundle.
   6. Click Choose File and upload the certificate from the generated certificate bundle.
      The public certificate in the bundle is used for the ServiceNow configuration.
9. Scroll down to the Service Provider section and enter the following details:
   1. Assertion Consumer Service (ACS) – https://<Service provider domain>.service-now.com/navpage.do.
   2. Audience (Service Provider Issuer ID) – https://< Service provider domain >.service-now.com.
      
10. Scroll down to the User Identity section.
11. Verify that the settings are correct for your environment.
    For example, the username is presented in email format and the user account will be validated against the User Store selected.
    
12. Click Next Step.
13. On the User Access page, select the access policy that the identity router will use to determine which users can access the application.
    
14. Click Next Step.
15. On the Portal Display page, configure the portal display and other settings.
16. Click Save and Finish.
17. Click Publish Changes.
    
18. Perform the following steps if export metadata is required:
    1. Navigate to Applications > My Applications. 
    2. Locate your ServiceNow application instance in the list.
    3. In the Edit option, select Export Metadata.

Configure ServiceNow

Perform these steps to configure ServiceNow.

Procedure

1. Log on to ServiceNow admin console https://developer.servicenow.com
2. Click Start Building if you are using ServiceNow classic.
   
   The ServiceNow Home page appears.
3. Verify if the Multiple Provider single sign-on Installer plugin is installed and activated by performing the following step:
   1. Under All, search for Multi-Provider SSO in the search bar.
      If the plugin is properly installed and activated, it appears in the list.
      
4. If the plugin is unavailable in the list, install and activate it by performing the following steps:
   1. In the left pane, search for the System Definition in the search box, and then click Plugins.
      
   2. Search for Integration - Multiple Provider single sign-on Installer.
      
   3. Install and activate the plugin.
5. Navigate to Multi-Provider SSO > Federations > Administration > Properties.
   1. Select Enable multiple provider SSO.
   2. Type the text 'email' in the User identification field.
      
6. Navigate to Multi-Provider SSO > x509 Certificate.
   1. Click New.
   2. Enter a Name.
   3. Copy the public certificate generated from the RSA to the PEM Certificate field.
   4. Click Submit.
      
7. Navigate to Multi-Provider SSO > Identity Providers and click New > SAML.
8. In the Import Identity Provider dialog box, click XML.
9. In the Enter the XML text box, paste the metadata copied from RSA and click Import.
   
   
10. Enter a name for the Identity Provider.
11. Select the Default check box if required for your configuration.
12. In the Identity Provider URL and Identity Provider’s AuthRequest fields, enter the portal URL from RSA.
13. In the ServiceNow Homepage field, enter the ACS URL.
    

    https://<your_instance>.service-now.com/navpage.do

14. In the Entity ID/Issuer and Audience URI field, enter https://<your_instance>.service-now.com.
15. In the NameID Policy field, enter urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
16. In the Advanced tab, enter the following if not auto-populated:
    1. User Field - email
    2. NameID Attribute - blank
    3. Protocol Binding for the IDP's AuthnRequest - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect 
    4. Protocol Binding for the IDP's SingleLogoutRequest - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect 
    5. Protocol Binding for the IDP's SingleLogoutResponse - urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect 
    6. AuthnContextClassRef Method - urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport 
       
17. In the User Provisioning tab, click Update User Record Upon Each Login.
18. Scroll down to the X.509 Certificates section.
19. Click Edit and select the certificate added in Step 6 from the collection.
20. Save the selection.
21. Click Update.
    
22. Navigate to Multi-Provider SSO > Identity Providers and right-click the Identity Provider name.
23. Select Copy sys_id.
    
24. Go to All > User Administration >Users.
25. Search for your user and select the user.
26. If a column named SSO Source is unavailable, add it by performing the following steps:
    1.  Right-click the hamburger icon on the top-left corner of the page and go to Configure > Form Layout.
       
    2. Add SSO Source to the Selected list.
       
    3. Click Save.
27. Edit the user and add sso: followed by sys_id of the identity provider’s record.
    
28. Click Update to complete the changes made to the user.
29. Navigate to All > Identity Providers and select your identity Provider record.
30. Make sure that the browser pop-up is allowed and click Test Connection.
31. On successful connection, select Activate to activate the configuration and click Set Auto Redirect IdP.

 Configuration is complete.

Return to main page.