Configuring Single Sign-on from the VMware Identity Manager Service to ServiceNow

VMware Identity Manager
AUGUST 2015 V1
Table of Contents

Overview
Adding ServiceNow to the VMware Identity Manager Catalog
Add ServiceNow to the Catalog
Locate Identity Provider SAML Metadata
Download the Identity Provider Signing Certificate
Setting up ServiceNow
Configure ServiceNow
Complete the Setup in the Service
Testing Single Sign-on Configuration
Set up User in VMware Identity Manager for Testing
Set up ServiceNow for Testing
Verify Test-User can Sign in to My Apps Portal
Entitle Users to ServiceNow
Overview

This document provides information about configuring SAML-based single sign-on from the VMware Identity Manager service to ServiceNow. ServiceNow automates and manages global enterprise service relationships. As the enterprise cloud company, ServiceNow provides a service model that defines, structures, and automates the flow of work, removing email and spreadsheets from the process to streamline the delivery of services.

Before you grant ServiceNow entitlements to your organization's users and groups, work with your ServiceNow account administrator to configure your account to use SAML-based federated authentication with the VMware Identity Manager service.

Adding ServiceNow to the VMware Identity Manager Catalog

To enable single sign-on to ServiceNow on the service, you must configure the app in the catalog and copy the SAML signing certificate of the service to the ServiceNow application.

Add ServiceNow to the Catalog

1. Log in to the VMware Identity Manager administration console.
2. In the Catalog page, click Add Application > ...from the cloud application catalog.
3. Click the ServiceNow icon. The Modify application page appears.
4. Continue to the next section.

The ServiceNow application is added to the catalog but is not configured. You complete the application setup in the catalog after you configure ServiceNow.

Locate Identity Provider SAML Metadata

You must have the VMware Identity Provider identity provider metadata XML URL to configure Salesforce.

1. In the service's administration console Catalog tab, click Setup > SAML Metadata.
2. In the SAML Metadata section, click Identity Provider (IdP) metadata to display the metadata content. Save the URL. The URL is similar to this example: https://myco.vmwareidentity.com/saas/api/1.0/get/metadata/idp.xml
Download the Identity Provider Signing Certificate

You must have the signing certificate from the VMware Identity Manager service for the ServiceNow setup.

1. In the service's administration console Catalog tab, click Setup > SAML Metadata.
2. Copy and save the Signing Certificate text to a .cert or .txt file on your computer. Make sure that you include text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.
3. In the SAML Metadata section, click Identity Provider (IdP) metadata to display the metadata content. Save the file as a .cer or .txt file to your computer and note the URL.

Setting up ServiceNow

To set up ServiceNow for single sign-on from the service, you add the VMware Identity Manager certificate to the ServiceNow certificate page and configure ServiceNow.

Configure ServiceNow

1. Log in to ServiceNow as the administrator.
2. Navigate to SAML2 Single Sign-on > Certificate.
3. Click New.
4. In the Name field, enter SAML 2.0.
   Note: If the name is not SAML 2.0, the certificate is not recognized by ServiceNow.
5. In the Format field, enter PEM.
6. In the PEM Certificate field, paste the text from the VMware Identity Manager certificate.txt file that you saved previously. Make sure that you include text from -----BEGIN CERTIFICATE----- through -----END CERTIFICATE-----.
7. Click Submit.
8. Navigate to SAML2 Single Sign-on > Properties.
9. In the SAML 2.0 Single Sign-on page, modify the following fields.

   Note: In the directions that follow, replace myco with your company's VMware Identity Manager service domain name. Replace company with your company's Service-Now domain name.

   | FIELD | DESCRIPTION |
   | --- | --- |
   | Enable External Authentication | Select Yes. |
   | The Identity Provider URL which will issue the SAML2 security token with user info | This is the metadata.xml URL. Enter your VMware Identity Manager identity provider (IdP) metadata URL that you saved previously. Enter as https://myco.vmwareidentity.com/saas/api/1.0/get/metadata/idp.xml |
   | The base URL to the Identity Provider's AuthnRequest service | Enter your VMware Identity Manager login URL in the format: https://myco.vmwareidentity.com/saas/api/1.0/post/sso |
   | The base URL to the Identity Provider's SingleLogoutRequest service | Enter your VMware Identity Manager logout URL in the format: https://myco.vmwareidentity.com/saas/api/1.0/get/logout |
   | When SAML 2.0 single sign-on fails because the session is not authenticated, or if this is the first login, redirect to this URL | Enter your VMware Identity Manager login URL in the format: https://myco.vmwareidentity.com/saas/api/1.0/post/sso |
   | URL to redirect users after logout, typically back to the portal that enabled the SSO | Enter your VMware Identity Manager logout URL in the format: https://myco.vmwareidentity.com/logout |
   | The URL to the Service-now instance homepage | Enter your ServiceNow instance URL in the format: https://company.service-now.com/navpage.do |
   | The entity identification, or the issuer | Enter your ServiceNow entity identification URL in the format: https://company.service-now.com |
   | The audience uri that accepts SAML2 token | Enter the same URL as the line above: https://company.service-now.com |

10. Click Save.

Complete the Setup in the Service

1. Log in to the VMware Identity Manager administration console.
2. In the Catalog page, select the ServiceNow icon.
3. In the Modify application page, click Configuration.
4. In the Assertion Consumer Services text box, enter the URL as https://company.servicenow.com/navpage.do. Replace company with your company's VMware Identity Manager domain name.
5. In the Recipient Name field, enter the same URL.
6. In the Audience field, enter the service provider unique identifier as https://company.servicenow.com. Replace company with your company's Service-Now domain name.
7. Click Save.

Testing Single Sign-on Configuration

Test your single sign-on configuration with a small number of users before deploying the application across your organization.

Set up User in VMware Identity Manager for Testing

1. Log in to the VMware Identity Manager administration console.
2. In the Users & Groups page, click Users and ensure that the user you are testing is in the list of users.
3. In the Catalog page, click on the ServiceNow application.
4. Click Entitlements.
5. Click +Add user entitlement.
6. Select the test user and change the DEPLOYMENT field value for the user to Automatic.
7. Click Save, then click Done.
8. In the top-right corner of the page, click your user name and select Logout.

Set up ServiceNow for Testing

1. Log in as administrator to ServiceNow.
2. Navigate to the User Administration > Users page.
3. Click New.
4. Complete the following required fields. Ensure that the information matches the test user information in the VMware Identity Manager service.

   | Field | Description |
   | --- | --- |
   | UserID | User ID address from the test user. |
   | First name | First name of the test user. |
   | Last name | Last name of the test user. |
   | Email | Email address of the test user. |

5. Click Submit.

Continue with Complete Testing in the VMware Identity Manager.

Verify Test-User can Sign in to My Apps Portal

1. Log in to the user portal as the test user.
2. Click the ServiceNow icon on the My Apps page.

You should now have single sign-on access to ServiceNow.

Entitle Users to ServiceNow

You can activate single sign-on for all users. Before you do so, ensure that all the users are added to ServiceNow.

1. Log in to the VMware Identity Manager administration console.
2. In the Catalog page, click ServiceNow.
3. In the Modify application page, click Entitlements.
4. Click +Add group entitlement.
5. Select ALL USERS and change the DEPLOYMENT TYPE field value to Automatic.
6. Click Save then click Done.
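
The values entered in the ServiceNow properties page and in the VMware Identity Manager Configuration page have to agree with each other, so the following added example (not part of VMware's or ServiceNow's tooling) cross-checks them before testing. The dictionary key names are hypothetical labels for the guide's fields, the exact-string comparison of Audience values is an assumption, and the URLs use the guide's placeholder hosts.

```python
from urllib.parse import urlsplit

# Key names are hypothetical labels for the fields this guide fills in; they are
# not ServiceNow or VMware Identity Manager property names.
IDP_KEYS = ("idp_metadata_url", "authn_request_url", "single_logout_url",
            "failed_login_redirect", "logout_redirect")

def check_sso_config(sn, vidm):
    """Return a list of inconsistencies between the two sides' SAML settings."""
    findings = []
    for side, cfg in (("ServiceNow", sn), ("VMware", vidm)):
        for key, url in cfg.items():
            parts = urlsplit(url)
            if parts.scheme != "https" or not parts.hostname:
                findings.append(f"{side} {key}: not an https URL: {url!r}")
    idp_hosts = {str(urlsplit(sn[k]).hostname) for k in IDP_KEYS}
    if len(idp_hosts) != 1:
        findings.append(f"IdP URLs span several hosts: {sorted(idp_hosts)}")
    if sn["issuer"] != sn["audience"]:
        findings.append("ServiceNow issuer and audience differ")
    if vidm["acs_url"] != vidm["recipient"]:
        findings.append("VMware ACS URL and Recipient Name differ")
    # Audience values are compared as exact strings here (assumption), so a
    # one-character difference between the two consoles counts as a mismatch.
    if vidm["audience"] != sn["audience"]:
        findings.append(f"Audience mismatch: {vidm['audience']!r} vs {sn['audience']!r}")
    if urlsplit(vidm["acs_url"]).hostname != urlsplit(sn["homepage_url"]).hostname:
        findings.append("ACS host differs from the ServiceNow instance host")
    return findings

# Constructed sample values, using the guide's placeholder hosts.
IDP = "https://myco.vmwareidentity.com"
SN = "https://company.service-now.com"
SERVICENOW = {
    "idp_metadata_url": IDP + "/saas/api/1.0/get/metadata/idp.xml",
    "authn_request_url": IDP + "/saas/api/1.0/post/sso",
    "single_logout_url": IDP + "/saas/api/1.0/get/logout",
    "failed_login_redirect": IDP + "/saas/api/1.0/post/sso",
    "logout_redirect": IDP + "/logout",
    "homepage_url": SN + "/navpage.do",
    "issuer": SN, "audience": SN,
}
VMWARE = {"acs_url": SN + "/navpage.do", "recipient": SN + "/navpage.do", "audience": SN}

if __name__ == "__main__":
    typo = dict(VMWARE, audience="https://company.servicenow.com")  # constructed typo
    for finding in check_sso_config(SERVICENOW, typo) or ["consistent"]:
        print(finding)
```

An empty result means the two sides agree on issuer, audience, recipient and host; any finding names the field to re-enter before entitling users.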
VMware, Inc. 3401 Hillview Avenue Palo Alto CA 94304 USA Tel 877-486-9273 Fax 650-427-5001 www.vmware.com Copyright 2015 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at http://www.vmware.com/go/patents. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.