Configuration Guides

Configuring SAML SSO with ServiceNow and PingOne for Enterprise

Learn how to configure SAML SSO with ServiceNow and PingOne for Enterprise

About this task

The following table details the required and optional attributes to be configured in the assertion attribute contract.

Attribute Name Description Required / Optional

NameID

NameID and format is configurable in ServiceNow. This guide uses email.

Required

The following table details the references that are used within this guide that are environment specific. Replace these with the suitable value for your environment.

Reference Description

tenant

The instance name for your ServiceNow tenant you want to integrate with PingOne for Enterprise.

Create a PingOne for Enterprise application for ServiceNow

  1. Sign on to PingOne for Enterprise and go to Applications → Application Catalog.

  2. Search for ServiceNow and then click the ServiceNow row.

    A screen capture of the PingOne Application Catalog tab. There is a search bar and button to browse applications that you want to add. The search entry contains servicenow. There is a list of the matching search results for ServiceNow, listed by an image of the application icon, Application Name, Type, and setup button, which looks like a black triangle pointing to the right, displayed in rows.

  3. Click Setup.

  4. Review the steps and make a note of the PingOne SaaS ID, IdP ID, Single Sign-on URL, and Issuer values.

    A screen capture of the 1. SSO Instructions section. There are fields for Signing Certificate and the Download option, Saas ID, IdP ID, Initiate Single Sign-On (SSO) URL, and Issuer.

  5. Click Continue to Next Step.

  6. Verify the following:

    • ACS URL is set to https://tenant.service-now.com/navpage.do.

    • Entity ID is set to https://tenant.service-now.com.

    A screen capture of the 2. Connection Configuration section. The sentence introduction is Assign the attribute values for single sign-on (SSO) to the application. There are fields for Upload Metadata, ACS URL, Entity ID, Target Resource, Single Logout Endpoint, Single Logout Response Endpoint, Primary Verification Certificate with the Choose File button, Secondary Verification Certificate with the Choose File button, and a Force Re-authentication check box, which is cleared.

  7. Click Continue to Next Step.

  8. In the Attribute Mapping section, in the Identity Bridge Attribute or Literal Value column of the SAML_Subject row, select a suitable attribute, such as SAML_SUBJECT.

    A screen capture of the 3. Attribute Mapping section. The sentence introduction is Map your identity bridge to the attributes required by the application. The mapping attribute fields are Application Attribute, Description, and Identity Bridge Attribute or Literal Value. The fields have default entries for Application Attribute and Description. The Identity Bridge Attribute or Literal Value field requires an entry from the user and has a As Literal check box, which is cleared. There are Add new attribute, Cancel, Back, and Continue to Next Step buttons.

    NameID is configurable in ServiceNow.

    This guide assumes email is used and that SAML_SUBJECT contains the email address for the user in PingOne for Enterprise.

  9. Click Continue to Next Step.

  10. Update the Name, Description, and Category fields as required.

    A screen capture of the 4. PingOne App Customization – ServiceNow section. There are fields for Icon with a Select Image button, Name, Description, and Category. At the bottom of the section, on the left side is the text, NEXT: Group Access and on the right side is the Cancel, Back and Continue to Next Step buttons.

  11. Click Continue to Next Step.

  12. Add suitable user groups for the application.

    A screen capture of the 5. Group Access section. The sentence introduction is Select all user groups that should have access to this application. Users that are members of the added groups will be able to SSO to this application and will see this application on their personal dock. There is a search bar and a Search button. There is a list showing results for Groups listed by Group Name. Each entry has the Group Name and a Remove button. At the bottom of the section, on the left is NEXT: Review Setup, and on the right is the Continue to Next Step button.

  13. Click Continue to Next Step.

  14. Review the settings.

    A screen capture of the 6. Review Setup section. The section introduction is Test your connection to the application. There are fields for Icon, Name, Description, Category, Connection ID, saasid, idpid, Issuer, Signing, Signing Algorithm, and Encrypt Assertion.
    A screen capture of the 6. Review Setup section. There are fields to review for Single Sign-On (SSO) Relay State, Single Logout Endpoint, Single Logout Response Endpoint, Force Re-authentication, Signing Certificate, SAML Metadata, SAML Metadata URL, and a list of the existing Mapped Application Attributes. There are Back and Finish buttons.

  15. Copy the Single Sign-On (SSO) URL value to a temporary location.

    This is the IdP-initiated SSO URL that you can use for testing.

    Make a note of the following values. You’ll use them later in the ServiceNow configuration:

    • PingOne for Enterprise Issuer

    • PingOne for Enterprise idpid

  16. On the SAML Metadata line, click Download.

    You will use this later for the ServiceNow configuration.

  17. On the Signing Certificate line, click Download.

    You will use this later for the ServiceNow configuration.

  18. Click Finish.

    A screen capture of the My Applications section. The section introduction is Applications you’ve added to your account are listed here. You can search by application name, description or entity ID. A bulleted list of 2 sentences follow: Active applications are enabled for single sign-on (SSO) and Details displays the application details. Below this is a list of all the added applications, listed by application icon, Application Name, Type, Status, Enabled, which is a toggle switch, and the Remove button with a setup icon, which is a black triangle turned to the right. At the bottom of the section, on the left side is the Add Application button, and on the right side is the Pause All SSO button.

Configure the PingOne for Enterprise IdP connection for ServiceNow

  1. Sign on to ServiceNow as an administrator.

  2. Activate SAML 2.0:

    1. Go to System Applications.

    2. Click All Available Applications.

    3. Click All.

    4. Locate the Integration - Multiple Provider Single Sign-On Installer plugin.

      If you can’t find the plugin, you can request it from ServiceNow customer support.
      A screen capture of the Service Now admin console in the System Application section. In the navigation bar, System Applications, All Available Applications with the All option are highlighted. The All Applications search results are showing results for sign-on. The Integration – Multiple Provider Sign-on Installer section is highlighted. The section has an installed button, which indicates the plugin is installed.

    5. Check if the plugin is installed. If the plugin is not installed, click Install.

      A screen capture of the System Plugin section. There are fields for ID, Name, Version, Provider, Status, which is highlighted, Has demo data with a selected checkbox, Help, Requires, and Description.

  3. Configure a new identity provider:

    1. In the left navigation pane, select Multi-Provider SSO.

      A screen capture of the Identity Providers section, In the left navigation pane, Multi-Provider SSO and Identity Providers are highlighted and selected. In the Identity Providers page, The New button, which is green, is selected and highlighted.

    2. Click Identity Providers.

    3. Click New.

    4. Click SAML.

      A screen capture of the Identity Providers section, where you add a new SSO Identity Provider. The section introduction is What kind of SSO are you trying to create? There are 3 options to choose from: Digest, SAML, and OpenID Connect. The SAML option is highlighted.

    5. Click XML.

    6. Paste the contents of the PingOne for Enterprise metadata file that you previously downloaded into the Enter the XML field.

      A screen capture of the Import Identity Provider Metadata dialog in the 3. Entering metadata manually by closing this popup section. There are two radio buttons, URL and XML. The XML radio button is clicked. The Enter the XML field contains pasted XML metadata. There are two buttons, Cancel and Import, which is green.

    7. Update the NameID Policy to urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified.

    8. Click Update.

    9. Click Test.

      A browser window opens to validate the configuration. It prompts you to authenticate at the IdP and then sign out of the session. If successful, you can then activate the connection.

    10. Click Activate.

    If you receive an error stating that you must test the connection, something failed in the test. Validate the settings, and use the Script Debugger → Debug log to re-run the test to determine the cause of the failure.

    A screen capture of the Identity Provider create new section. There are fields for Name, Default, Active, and Auto Redirect IdP, which are all check boxes, Identity Provider URL, Identity Provider’s AuthnRequest, Identity Provider’s SingleLogoutRequest, ServiceNow Homepage, EntityID / Issuer, Audience URI, NameID Policy, and External logout redirect.

Test the PingOne for Enterprise IdP-initiated SSO integration

  1. Go to the Single Sign-On (SSO) URL from the PingOne for Enterprise application configuration to perform IdP-initiated SSO.

    For example, https://sso.connect.pingidentity.com/sso/sp/initsso?saasid=saasid&idpid=idpid

    A screen capture of the Ping Identity Sign On page. The page has the Username and Password fields, which are blank. Below these fields is the Remember Me check box, which is cleared, the Sign On button, and the Forgot Password link.
    A screen capture System Administration dashboard. The dashboard has settings by icons for Guided Setup, System Security, Business Logic, Create and Deploy, Data Management, Diagnostics, Email, Homepages, and Integration.

Test the PingOne for Enterprise SP-initiated SSO integration

  1. Go to your ServiceNow URL.

    For example, https://your-environment.service-now.com

    A screen capture of the PingOne Sign On page. The page has the Username and Password fields, which are blank. Below these fields is the Remember Me check box, which is cleared, the Sign On button, and the Forgot Password link.
    A screen capture of the ServiceNow sign on page. There are the Username and Password fields, a Login button, and a Use external login link, which is highlighted.

  2. Click Use external login.

    A screen capture of the ServiceNow External login page. There is a User ID field, a Use local Login link, and a Submit button, which is highlighted.

  3. Click Submit.

  4. Click Continue.

    You’re redirected to PingOne for Enterprise for authentication.

  5. After you’re redirected to PingOne for Enterprise, enter your PingOne username and password.

    A screen capture of the PingOne Sign On page. The page has the Username and Password fields, which are blank. Below these fields is the Remember Me check box, which is cleared, the Sign On button, and the Forgot Password link.
    A screen capture System Administration dashboard. The dashboard has settings by icons for Guided Setup, System Security, Business Logic, Create and Deploy, Data Management, Diagnostics, Email, Homepages, and Integration.