ServiceNow Deployment Guide - Okta

Okta Inc. 301 Brannan Street, 3rd Floor, San Francisco, CA, 94107 [email protected] 1-888-722-7871

ServiceNow Deployment Guide (For Eureka release and forward)

Aug, 2014

ServiceNow Eureka Deployment Guide

Contents

Overview (p. 3)
Active Directory Integration (p. 3)
Enabling Okta Plugin in ServiceNow (p. 3)
Configure integration between Okta & ServiceNow (p. 5)
Creating a new Okta instance for AD integration (p. 6)
    Configuration parameters (p. 6)
Integrating with an existing Okta instance for AD integration (p. 8)
    Configuration parameters (p. 9)
Verify Configuration (p. 9)
Remove “ServiceNow” app from “Everyone” group (p. 12)
Automated Provisioning using Active Directory (p. 12)
Active Directory Configuration (p. 12)
ServiceNow User Naming rule (p. 13)
Configuring User Provisioning for ServiceNow (p. 13)
Enable Provisioning in ServiceNow app (p. 13)
Set up Group-based provisioning policy in Okta for ServiceNow (p. 15)
Testing SAML (p. 16)
Testing Delegated Authentication from ServiceNow login page (p. 16)

Overview

For ServiceNow pre-Eureka releases, refer to the instructions in <link to old deployment guide – TBD as we’re going to move this one around a bit>. Starting with the ServiceNow Eureka release (June 2014), a new Okta plugin has been introduced to make integration simpler by automating some of the steps. This deployment guide applies to both ServiceNow IT Service Automation and ServiceNow Express.

Active Directory Integration

The key benefit of integrating Okta with your ServiceNow instance is that authentication and provisioning can be driven by your existing Active Directory infrastructure. Specifically, the Okta-ServiceNow integration allows the following:

- End users to log into ServiceNow using their Active Directory credentials
- New account provisioning based on Active Directory users and groups
- Single Sign-On support

Okta also supports other non-AD LDAP products including Oracle, Sun, eDirectory, OpenLDAP, OpenDJ/DS and others. The Active Directory integration involves the following core steps:

1) Enable the Okta plugin in ServiceNow – This exposes the “Okta Configuration” page for integration with Okta.

2) Configure the integration between Okta & ServiceNow – This allows Okta to handle authentication for your ServiceNow instance and to provide automated provisioning based on the Active Directory that is integrated via Okta.

3) Set up Active Directory integration with Okta – Configure the Okta Active Directory Agent with your Active Directory instance and set up provisioning rules to enable automated provisioning of your AD users into ServiceNow.

Enabling Okta Plugin in ServiceNow

Navigate to your ServiceNow instance and log in as an Administrator. If you are not on the main System Administration page, click on the “ServiceNow” icon in the upper left corner of the page, which will take you to the System Administration page. The page for Express Edition and Enterprise Edition differ slightly.

If you are in ServiceNow Express, navigate to the “User Administration” icon as shown below.

1) If you see neither “Okta Plugin” nor “Okta Configuration”, you should submit a HI request to ServiceNow to enable the “Okta Plugin” for you.

2) If you don’t see “Okta Configuration”, but you see “Okta Plugin”, click on “Okta Plugin” to enable the plugin. After this, you should see “Okta Configuration” as an added option.

If you are in ServiceNow IT Service Automation:

1) Search for “plugin” in the left pane and click on “Plugins”.

2) In the main pane, search for “*okta” and you should see “SSO provided by Okta, Inc.”

3) Click on “SSO provided by Okta, Inc.” and then click on “Activate” to activate the plugin.

4) Now return to the admin home page and navigate back to the “User Administration” icon. Now that the plugin has been enabled, you should see “Okta Configuration” available under “User Administration”, as shown below.

Now that the Okta Plugin is enabled, you can complete the integration steps.

Configure integration between Okta & ServiceNow

With the Okta Plugin enabled, you now have two different ways to set up integration with Okta.

1. If you are new to Okta and have yet to create or obtain an Okta instance, you can directly create a new Okta instance through the Okta Plugin and have SAML configured all at the same time.

2. If you already have an Okta instance, you can have SAML configured automatically by providing your Okta API token obtained as an Okta administrator.

To begin configuration, select “Okta Configuration”. The “Okta Configuration” option shows up after activation of the Okta Plugin. You can also type “okta” in the search bar on the left pane and select “SSO provided by Okta, Inc.”

Creating a new Okta instance for AD integration

On the “Single Sign-on Configuration provided by Okta Inc.” page, select “Yes” to “Enable Okta external authentication”. Provide information for the following fields:

Configuration parameters

Company URL
    The subdomain of the Okta instance that you would like to create. For example, if you want your Okta instance to be https://mycompany.okta.com, then enter “mycompany”.

Company name
    This is the actual company name of your company in a descriptive form. For example, “My Company”. This value must be unique. If you have a sandbox or another Okta environment, make sure you use a different name.

Okta Admin First Name
    An admin will be created as part of the instance creation. Specify the first name of the administrator.

Okta Admin Last Name
    Specify the last name of the administrator.

Okta Admin User Name
    Specify the username of the administrator. This should be the email of the administrator. Email notifications will be sent to the administrator to complete registration in order to access the newly created Okta instance.

Okta Admin Password
    Password of the administrator.

Okta Admin Password recovery question/answer
    This is used as an additional factor during password reset. Select a question and provide an answer. You will be prompted for this if you ever need to reset your Okta admin password.

When you have provided all the input, click “Save” at the bottom to begin auto configuration.

If configured successfully, you should see the “Okta Authentication configured successfully” message at the top of the configuration page. You may skip the next section if you are not an existing Okta customer and go directly to “Verify Configuration”.

Integrating with an existing Okta instance for AD integration

If you have an existing Okta instance, you will need to obtain an API key for your Okta instance as an Okta administrator. Log into Okta as an administrator. Under “Security” -> “API”, create a new API key. Remember, you will only have one chance to see the key; make sure you copy it to a safe and secure location. Make sure the user obtaining the key is a “Super Admin”, since this process creates a new application instance and configures SAML. The key acts with the privileges of the administrator who created it, which is why it must be protected.

Note: You DO NOT need to instantiate a ServiceNow instance from the Okta Application Network. This process will auto-create and configure a new ServiceNow application instance in Okta. To begin configuration, go to your ServiceNow “Okta Configuration” page. On the “Single Sign-on Configuration provided by Okta Inc.” page, select “Yes” to “Enable Okta external authentication”.

Provide information for the following fields:

Configuration parameters

Company URL
    Provide the subdomain of your existing Okta instance. For example, if your Okta instance URL is https://mycompany.okta.com, then enter “mycompany”.

Okta API token
    This is the API token that you have just obtained from your Okta instance as a super administrator.

When you have provided all the input, click “Save” at the bottom to begin the auto configuration. If configured successfully, you should see the “Okta Authentication configured successfully” message at the top of the configuration page.

Verify Configuration

To verify and test the configuration, log into Okta as an administrator. If you created a new Okta instance as part of this process, complete the activation sent to your email and you will be logged into Okta directly. For more information on the Okta Administration Console, see “Getting Started with Okta”. Under “Applications”, you should see your ServiceNow application. If this is a brand new Okta instance, ServiceNow should be the only application on the list. Click it to view the ServiceNow app instance configuration. Under the “General” tab, verify that the “Login URL” corresponds to your ServiceNow org URL.

Under “Sign On”, verify that “SAML” is enabled. All the SAML metadata has been exchanged as part of the process. No additional changes should be required.
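The two checks above (Login URL matches the ServiceNow org, SAML metadata exchanged) can also be made offline against the exported metadata. The following is an added example, not code from Okta's guide or plugin; it assumes standard SAML 2.0 metadata documents, and the org name, instance name, app id, ACS path and certificate body in the samples are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}

# Constructed samples: org name, instance name, app id and certificate body are placeholders.
IDP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://www.okta.com/exkPLACEHOLDER">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>MIIC...PLACEHOLDER...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://mycompany.okta.com/app/servicenow/exkPLACEHOLDER/sso/saml"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
  entityID="https://mycompany.service-now.com">
 <md:SPSSODescriptor WantAssertionsSigned="true"
  protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
   Location="https://mycompany.service-now.com/navpage.do" index="0"/>
 </md:SPSSODescriptor>
</md:EntityDescriptor>"""

def check_saml_config(idp_xml, sp_xml, company_url, login_url):
    """Return a list of findings; empty means the exchange is consistent. company_url is the
    Okta subdomain typed into the plugin, login_url the value on the app's General tab."""
    idp, sp = ET.fromstring(idp_xml), ET.fromstring(sp_xml)
    instance_host = urlparse(login_url).hostname
    findings = []
    # The IdP SSO endpoint must belong to the org named by "Company URL".
    sso = idp.find(".//md:SingleSignOnService", NS)
    sso_host = urlparse(sso.get("Location", "")).hostname if sso is not None else None
    if sso_host != f"{company_url}.okta.com":
        findings.append(f"IdP SSO host {sso_host!r} is not {company_url}.okta.com")
    # ServiceNow can only verify assertions if the IdP published a signing certificate.
    cert = idp.find(".//md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
    if cert is None or not (cert.text or "").strip():
        findings.append("IdP metadata carries no signing certificate")
    # Every assertion consumer endpoint must be HTTPS on the instance named by the Login URL.
    for acs in sp.findall(".//md:AssertionConsumerService", NS):
        loc = urlparse(acs.get("Location", ""))
        if loc.scheme != "https" or loc.hostname != instance_host:
            findings.append(f"ACS {acs.get('Location')} is not https on {instance_host}")
    # Unsigned assertions could not be trusted, so the SP must require signing.
    spsso = sp.find("md:SPSSODescriptor", NS)
    if spsso is None or spsso.get("WantAssertionsSigned", "false").lower() != "true":
        findings.append("SP does not require signed assertions")
    return findings
```

Run it with the metadata exported from both sides and the Login URL copied from the Okta app's General tab; any non-empty result is worth resolving before assigning the app to real users.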

Remove “ServiceNow” app from “Everyone” group

Before proceeding any further, please make sure you check the following: depending on the version of ServiceNow, the Okta plugin may have added the ServiceNow app to the “Everyone” group. If this is the case, you must remove the app from the Everyone group before any further configuration; otherwise the app is assigned to every user in Okta rather than only to the groups you choose below. Under your ServiceNow app instance configuration, go to the “Groups” tab. If you see the “Everyone” group listed, hit the X button to remove it. Otherwise, if the list is empty, simply proceed to the next section.

Automated Provisioning using Active Directory

At this point, since provisioning has not yet been turned on, Okta will not create any new accounts in ServiceNow. In order to support automated assignment and automated provisioning via AD, you now need to:

1) Set up Active Directory integration with Okta.

2) Using Active Directory groups imported into Okta, set up the appropriate provisioning rule and naming rule to properly provision users as they appear in AD.

Active Directory Configuration

You can skip this section if you have already set up your Active Directory.

To set up Active Directory, please follow the instructions in “Installing and Configuring the Active Directory Agent”, followed by “Configuring Your Active Directory Settings”. Once this is completed, periodic synchronization with AD will happen, and you should see AD users populating the Okta directory. To understand how Okta handles AD security groups imported from AD, go to “Importing and Using Groups in Okta”. At a high level, once groups are imported you will associate the ServiceNow app with the appropriate group to trigger auto-provisioning. Before we do that, we need to configure a few more things.

ServiceNow User Naming rule

The ServiceNow username that Okta uses for SAML (and for user provisioning when enabled) is determined under the “Single Sign-on” tab. If the default value is not correct, you can select a different naming rule. When Active Directory is enabled, our recommendation is typically email or sAMAccountName for most ServiceNow customers.

Configuring User Provisioning for ServiceNow

Enabling user provisioning allows users to be created automatically by Okta. In particular, if Okta is integrated with your Active Directory or LDAP, you can auto-provision users based on new users showing up in your directory and control provisioning through security groups. The following steps will be needed:

1) Enable Provisioning in ServiceNow app. This connects Okta to ServiceNow, allowing Okta to use ServiceNow APIs to manage user creation, updates and deprovisioning.

2) Tie ServiceNow app to appropriate group(s) in Okta to trigger automated provisioning. Typically, you would do this with the imported Active Directory groups – effectively using AD group membership to drive ServiceNow provisioning.

For more information on directory integration and group-based provisioning, please go to “Importing and Using Groups in Okta”.

Enable Provisioning in ServiceNow app

To enable provisioning, go to your ServiceNow app and click on the “Provisioning” tab.

Check the “Enable provisioning features” box to turn on provisioning. You will need to provide the ServiceNow admin username and password in order for Okta to access the ServiceNow API for provisioning. In addition, a list of user attributes is available. If you are unsure about the values, accept the defaults. Click “Save” when completed.

Set up Group-based provisioning policy in Okta for ServiceNow

The next step is to associate the ServiceNow app with one or more Active Directory groups that have been imported into Okta. This will trigger auto-provisioning into ServiceNow based on AD group membership.

1) Go to the Okta Dashboard and navigate to People -> Groups.

2) Select the group that you want to use to drive ServiceNow provisioning. Depending on your AD setup, Okta will only care about the users that have been imported from AD (e.g. if a user is not in an OU that Okta is importing from, his/her group membership will not trigger any activity in Okta).

3) Select the “Manage Apps” option and add the ServiceNow app as a member. Hit Next.

4) Confirm Changes on the next screen. At this point, provisioning will be triggered.

Testing SAML

As the Okta administrator, check that ServiceNow has been assigned to yourself with the right username. You can manually modify the username to bypass the naming rule for testing purposes, but we strongly recommend that the correct naming rule be in place for better app assignment during onboarding. Once the right username is assigned to the administrator, go to the end user home page and click on the ServiceNow chiclet; you should be able to SSO into ServiceNow.

Testing Delegated Authentication from ServiceNow login page

As part of the auto-configuration, the ServiceNow instance is able to validate usernames and passwords for users that exist in Okta. This means that users can now also log into ServiceNow from the ServiceNow login page using their Okta credentials. If the user belongs to Active Directory or LDAP and Okta is integrated with the directory, then the user will be using their AD/LDAP credentials directly. Depending on your IT convention, you may instruct users to use either SAML or the ServiceNow login page to access ServiceNow. As a best practice, we recommend that you offer only one or the other option to your end users to avoid confusion.