Symantec SiteMinder: Federating ServiceNow

This guide is designed to explain how to establish a federation partnership with ServiceNow in Symantec SiteMinder. 

Prerequisites

  • Federation capabilities are deployed in the SiteMinder Environment
  • Protection policies for federation authentication URLs are in place.
  • You have access to manage ServiceNow
  • Identity Provider Signing Certs are already in place on the Policy Server
  • The Multi-Provider SSO plugin is installed in ServiceNow.

Tasks

  1. Set up and exchange metadata
  2. Complete the Partnership
  3. Test and Activate

Task 1 – Setting up the SiteMinder Entities

  1. Log in to your SiteMinder Admin UI and Navigate to the Federation Entities section.

  2. If you do not currently have an IDP Entity created, we need to create one. Create a local IDP Entity and fill out your base URL and Name ID Format information. The base URL is whatever URL your federation agent is listening on and if you are unsure what Name ID format to use, just accept the default unspecified.
  3. Now that we have an IDP Entity, click on the entity and export the metadata.
  4. Name the partnership and complete the export.
  5. Open the XML file and copy the contents. We will paste the XML into ServiceNow in the next few steps.
  6. In ServiceNow, navigate to the Multi-Provider SSO -> Identity Providers section.
  7. Click New to add a new identity provider and click SAML.
  8. Select the XML Import option and paste the IDP Metadata that you copied into that field and submit it.
  9. This will automatically generate the Identity Provider configurations and import the certificates.
  10. Now that we have the IDP in both locations, we can export the metadata from ServiceNow. In the IDP we imported, click on the Generate Metadata button. Copy it into a file and save it as an XML.
  11. In the Entity section of the SiteMinder Admin UI, import metadata, and choose the file we made from the ServiceNow metadata.

Task 2 – Setting up the Partnership

Now that the entities have been created, we need to complete the incomplete partnership that was generated when we generated our IDP metadata.

  1. Modify the ServiceNow partnership to add the SP entity for ServiceNow.
  2. Complete the partnership using the default settings from the entities, then activate the partnership.
  3. In the ServiceNow portal, open the Identity Providers page again and right click on our IDP. Copy the sys_id.
  4. Now find the user management screen, create a user that you want to federate with, and modify the form layout to add a field for the value “SSO Source.”
  5. Now that we have the SSO Source field available, we need to add the string sso: followed by the IDP ID that we copied.
  6. Finally, go to the Multi-Provider SSO -> Administration -> Properties tab and check the enable SSO box. You may need to change the identifying field on this screen from “user_name” to the field that you’re using to associate users between partners. I used email.

Task 3 – Testing and Activating the Partnership.

ServiceNow will not allow you to activate any of the Identity Providers until that Identity Provider has passed the connection test successfully.

  1. Open up the page in ServiceNow for your IDP and click the Test Connection button.
  2. The test will open a small browser window and try to establish connection via the partnership.
  3. After you provide your credentials, you may need to perform the test a second time. It has never functioned properly for me on the first attempt, so don’t panic. You should see a results page that looks like this on a success.
  4. Now that the test was successful, we can toggle the Identity Provider into the activated state.

Wrapping Up

That completes the setup for the partnership between SiteMinder and ServiceNow. There are a few things to note though. The example/method that I used in this guide worked under the assumption that we were allowing federation on an individual user basis. You can establish groups or organizations as valid federation users by using the same method that we did for the user by adding the SSO Source field to the screen and using sso:IDPsys_id. 

If you run into issues when testing the connection with the user from the assertion not being found in ServiceNow, I recommend taking a look at the User Field area under the advanced settings for the Identity Provider. Additionally, other issues have been catalogued and documented here.

Looking for additional help with federating ServiceNow? ISX is an elite IAM security firm that offers boundless expertise in a range of cybersecurity and business process services, including Symantec SiteMinder. Take your interoperability to the next level, and contact an ISX consultant today.

ISXSymantec SiteMinder: Federating ServiceNow

Leave a Reply

Your email address will not be published. Required fields are marked *