
Skyhigh Security

Integrate ServiceNow SSO with Okta using SAML

This topic describes how to configure single sign-on to ServiceNow with Okta as the SAML 2.0 identity provider (IdP), with the ServiceNow instance fronted by Skyhigh CASB.

NOTE: Before you can use an IdP such as ADFS or Okta, the IdP must be configured in ServiceNow. For details, see Configure IdP in ServiceNow.

Prerequisites

Before you begin, make sure you have met the following prerequisites:

  • Access to a Skyhigh CASB tenant with a ServiceNow instance configured.
  • For IdP integration with Okta, you'll require:

Step 1: Create a New SAML Integration Application

To create a new SAML Integration Application:

  1. Log in to Okta as Admin.
  2. Go to Applications and click Add Application.
  3. Click Create New App.
  4. In the Create a New Application Integration page, configure the following:
    • Select Platform as Web from the menu.
    • For Sign on method, click SAML 2.0.
    • Click Create.
  5. You are redirected to the Create SAML Integration wizard. Under General Settings, configure these fields:
    • Enter App name as ServiceNow.
    • For App logo, browse to the ServiceNow logo image (snow.png), select it, and click Upload Logo.
    • Click Next.
  6. Under Configure SAML, configure the following SAML Settings:

NOTE: The Single sign on URL is the ServiceNow endpoint that Okta posts the SAML response to. If you are performing Managed Device Check, add ?shnsaml at the end of that URL. For example, https://wwwservicenow.default.rkscorp.shnpoc.net/navpage.do?shnsaml.

  • Activate the checkbox Use this for Recipient URL and Destination URL.
  • For Audience URI (SP Entity ID), enter the URL of the ServiceNow instance. For example, https://dev50825.service-now.com. This value must match the entity ID that ServiceNow uses for itself (by default the instance URL, as shown in the SP metadata you generate in Step 2); if the two differ, ServiceNow rejects every assertion on its audience check.
  • Select Name ID format as EmailAddress from the menu.
  • Select the Application username as Okta username from the menu. This is the value Okta sends as the NameID, so each ServiceNow user's email address must equal that user's Okta username.
  • Click Next.
  7. Under Feedback, configure the following:
    • Click I'm an Okta customer adding an internal app.
    • Activate This is an internal app that we have created.
    • Click Finish.
  8. Okta creates the application and opens it. Go to the Sign On tab.
  9. Click the Identity Provider metadata link. The Okta metadata URL looks similar to https://dev-192514.oktapreview.com/a.../saml/metadata. Save this URL; you use it in Step 2.

Step 2: Configure Okta as Identity Provider in ServiceNow

To configure Okta as the identity provider, import the Okta metadata directly into ServiceNow. The metadata supplies the IdP entity ID, the single sign-on URL and the certificate ServiceNow will use to verify Okta's signatures, so confirm the URL belongs to your own Okta org before importing it.

  1. Log in to ServiceNow as Admin.
  2. Go to Multi-Provider SSO > Identity Providers.
  3. Click New and select SAML.
  4. In the Import Identity Provider Metadata dialog, select the URL option and enter the Okta metadata URL you saved in Step 1. For example, https://dev-192514.oktapreview.com/a.../saml/metadata.
  5. Click Import.
  6. Once the import completes, the Identity Provider form opens pre-filled from the Okta metadata. Configure the following fields and click Update:
  • Name. Enter a name for the identity provider. For example, Skyhigh CASB Okta.
  • Default. Optional. Activate this checkbox if this is the only identity provider, so that users with no IdP of their own are sent to it; otherwise leave it blank.
  • ServiceNow Homepage. Enter the URL users land on after login. For a direct instance this is the instance URL, for example https://dev50825.service-now.com; when ServiceNow is reached through the Skyhigh proxy, use <ServiceNow Proxy URL>/navpage.do.

NOTE: If you are performing Managed Device Check, append the parameter ?shnsaml to that URL, in the format <ServiceNow Proxy URL>/navpage.do?shnsaml. For example, https://wwwservicenow.default.rkscor...net/navpage.do?shnsaml.

  • Under Encryption and Signing, configure these fields:
    • Sign LogoutRequest. Activate this checkbox.
    • Signing/Encryption Key Alias. Enter saml2sp.
    • Signing/Encryption Key Password. Enter saml2sp.
    saml2sp is the alias and password of the SP keystore that ships with ServiceNow. Because those defaults are publicly documented, use your own certificate in production (see the note below).

NOTE: If you prefer to create and upload your own signing certificate instead of the built-in SP certificate, see Generate a Server Certificate.

  7. Click Generate Metadata. In the generated SP metadata, copy the base64 text between <ds:X509Certificate> and </ds:X509Certificate>. The tags themselves and the enclosing <ds:X509Data> element are not part of the certificate.
  8. Open a new text file, paste the copied text, add the PEM header and footer lines exactly as shown (five dashes on each side; PEM parsers require the exact markers), and save the file with a .pem extension:
    -----BEGIN CERTIFICATE-----
    Insert copied text
    -----END CERTIFICATE-----

For example (certificate body elided):

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

The ServiceNow SP certificate is now in PEM form. Keep the file for Step 3.
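Two steps in this procedure depend on reading SAML metadata correctly: checking what the Okta metadata URL from Step 1 actually delivers before ServiceNow imports it, and turning the <ds:X509Certificate> body from the ServiceNow SP metadata into a PEM file. The script below is an added example, not Skyhigh, Okta or ServiceNow code, and uses only the Python standard library. It parses either kind of metadata, reports the entityID, endpoints and a SHA-256 fingerprint per certificate (so the same value can be compared on both sides), and writes each certificate as PEM with the correct five-dash markers and 64-column lines. The embedded sample metadata, its entityID and the DER blob standing in for a certificate are constructed; the Okta host name is the one from this page.

```python
"""Inspect SAML metadata and convert its embedded certificates to PEM.

Added example (not Skyhigh, Okta or ServiceNow code). Works on the IdP
metadata Okta serves at .../saml/metadata (Step 1) and on the SP metadata
ServiceNow shows after Generate Metadata (Step 2).
Usage: python saml_metadata.py [metadata.xml]; with no argument it parses
the constructed sample below.
"""
import base64
import hashlib
import re
import sys
import xml.etree.ElementTree as ET  # prefer defusedxml for metadata from untrusted sources

MD = "urn:oasis:names:tc:SAML:2.0:metadata"
DS = "http://www.w3.org/2000/09/xmldsig#"


def clean_b64(text):
    """Strip whitespace from an X509Certificate body and return the DER bytes."""
    der = base64.b64decode(re.sub(r"\s+", "", text), validate=True)
    if not der or der[0] != 0x30:  # a DER certificate is an ASN.1 SEQUENCE (tag 0x30)
        raise ValueError("X509Certificate content is not a DER certificate")
    return der


def to_pem(text):
    """PEM-armour a base64 certificate body: 64-char lines, five dashes each side."""
    body = base64.b64encode(clean_b64(text)).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(text):
    """SHA-256 over the DER bytes, for comparing the certificate on both sides."""
    return hashlib.sha256(clean_b64(text)).hexdigest()


def parse_metadata(xml_text):
    """Return entityID, SSO/ACS/SLO endpoints and certificates from SAML metadata."""
    root = ET.fromstring(xml_text)
    info = {"entity_id": root.get("entityID"), "endpoints": [], "certs": []}
    for tag in ("SingleSignOnService", "AssertionConsumerService", "SingleLogoutService"):
        for el in root.iter(f"{{{MD}}}{tag}"):
            info["endpoints"].append((tag, el.get("Binding"), el.get("Location")))
    for kd in root.iter(f"{{{MD}}}KeyDescriptor"):
        use = kd.get("use", "signing+encryption")  # in SAML, no 'use' means both
        for cert in kd.iter(f"{{{DS}}}X509Certificate"):
            info["certs"].append({"use": use, "pem": to_pem(cert.text),
                                  "sha256": fingerprint(cert.text)})
    return info


# Constructed sample: a bare DER SEQUENCE stands in for a real certificate so the
# script runs offline; real Okta metadata carries the IdP signing certificate.
SAMPLE_DER = bytes([0x30, 0x44, 0x04, 0x42]) + b"A" * 66
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_IDP_METADATA = f"""<md:EntityDescriptor xmlns:md="{MD}" xmlns:ds="{DS}"
    entityID="http://www.okta.com/exk_example">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {SAMPLE_B64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</md:NameIDFormat>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://dev-192514.oktapreview.com/app/example/sso/saml"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


def main(argv):
    xml_text = open(argv[1], encoding="utf-8").read() if len(argv) > 1 else SAMPLE_IDP_METADATA
    info = parse_metadata(xml_text)
    print("entityID:", info["entity_id"])
    for tag, binding, location in info["endpoints"]:
        print(f"{tag}: {location} ({binding})")
    for n, cert in enumerate(info["certs"], 1):
        path = f"cert{n}.pem"
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(cert["pem"])
        print(f"{cert['use']} certificate -> {path}  sha256={cert['sha256']}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the file the Okta metadata URL returns and confirm the entityID and SingleSignOnService location are your org's before importing in ServiceNow; run it against the saved ServiceNow SP metadata to produce the .pem for Step 3 without hand-editing the markers.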

Step 3: Import the ServiceNow Certificate to Okta

To import the ServiceNow Certificate to Okta:

  1. Log in to Okta as Admin.
  2. Go to Applications and click the ServiceNow application.
  3. On the General tab, under SAML Settings, click Edit.
  4. Under General Settings, click Next. You are redirected to the Configure SAML page.
  5. Click Show Advanced Settings.
  6. Under Signature Certificate, browse to the ServiceNow certificate (.pem) created in Step 2, upload it, and click Next. Okta uses this certificate to verify the signature on the LogoutRequest messages (and on AuthnRequests, if you also enable Sign AuthnRequest in ServiceNow) that ServiceNow signs with the saml2sp key.
  7. Click Finish.

You have successfully configured Okta as Identity Provider in ServiceNow.

Optional: Configure SP Initiated SSO for Individual User

Use this configuration when individual users must authenticate through a secondary IdP, or to run a controlled test of the new IdP with a single user before making it the default.

  1. Go to Multi-Provider SSO > Identity Providers.
  2. Right-click the configured Identity Provider and click Copy sys_id. Save the sys_id value for later.
  3. Go to User Administration > Users.
  4. To test the ADFS or Okta integration, create a ServiceNow user that matches your directory account.

NOTE:

  • For ADFS, the ServiceNow user's email address must match the AD user's email address or UPN.
  • For Okta, the ServiceNow user's email address must match the Okta username (the value Okta sends as the NameID, see Step 1).
  5. Open the test user, open the form context menu, select Configure, and click Form Design. You are redirected to the Form Design page.
  6. Under Fields, search for SSO Source in the left pane.
  7. Drag and drop SSO Source onto the User [sys_user] form; its position in the form does not matter.
  8. Click Save.
  9. Refresh the User form of the test user, or go to User Administration > Users and open the test user.
  10. In the SSO Source field, enter sso: immediately followed by the sys_id of the Identity Provider copied earlier (no space after the colon), in the form sso:<sys_id>. For example, sso:7b8b1e944f131300d69400fe9310c. A real sys_id is a 32-character hexadecimal string; the example is shortened.
  11. Click Update.
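Before running the controlled test, it is worth confirming offline that the NameID Okta will send resolves to exactly one ServiceNow user and that the user's SSO Source value routes to the intended Identity Provider; a NameID that matches zero or several users, or an SSO Source with a stray space or truncated sys_id, fails the login in ways that are tedious to debug from the ServiceNow side. The script below is an added example, not Skyhigh, Okta or ServiceNow code. The SAML Response, the sys_user rows and the IdP sys_id are constructed, the response is unsigned (ServiceNow verifies the real signature with the Okta certificate imported in Step 2; this check is only about user matching), and the case-insensitive email comparison is an assumption about how your instance matches the user field.

```python
"""Pre-flight check for the SP-initiated SSO test: does the NameID resolve to
exactly one sys_user, and does that user's SSO Source route to the intended IdP?

Added example, not Skyhigh, Okta or ServiceNow code. All data below is constructed.
"""
import re
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
SYS_ID_RE = re.compile(r"^[0-9a-f]{32}$")  # ServiceNow sys_ids are 32 hex characters

# Constructed sys_id of the Identity Provider record (Multi-Provider SSO > Identity Providers).
IDP_SYS_ID = "0123456789abcdef0123456789abcdef"

# Constructed sys_user rows; email is the field ServiceNow matches the NameID against.
USERS = [
    {"user_name": "jane.doe", "email": "jane.doe@example.com", "sso_source": "sso:" + IDP_SYS_ID},
    {"user_name": "john.roe", "email": "john.roe@example.com", "sso_source": ""},
    {"user_name": "old.idp", "email": "old.idp@example.com",
     "sso_source": "sso:ffffffffffffffffffffffffffffffff"},
]

# Constructed, unsigned SAML Response as Okta would post it for jane.doe
# (Name ID format EmailAddress, Application username = Okta username, see Step 1).
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>http://www.okta.com/exk_example</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">Jane.Doe@example.com</saml:NameID>
    </saml:Subject>
  </saml:Assertion>
</samlp:Response>"""


def sso_source_value(idp_sys_id):
    """Build the SSO Source value: the literal prefix 'sso:' directly followed by the sys_id."""
    if not SYS_ID_RE.match(idp_sys_id):
        raise ValueError(f"not a sys_id (expected 32 hex chars): {idp_sys_id!r}")
    return "sso:" + idp_sys_id


def name_id_from_response(xml_text):
    """Return (NameID value, NameID format) from a SAML Response."""
    root = ET.fromstring(xml_text)
    el = root.find(f".//{{{SAML_NS}}}NameID")
    if el is None or not (el.text or "").strip():
        raise ValueError("assertion carries no NameID")
    return el.text.strip(), el.get("Format", "")


def resolve_user(name_id, users):
    """Find the single sys_user whose email equals the NameID (case-insensitive: an assumption)."""
    matches = [u for u in users if u["email"].lower() == name_id.lower()]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} users match NameID {name_id!r}; the login would fail")
    return matches[0]


def routing_for(user, idp_sys_id):
    """Classify where a user's SSO Source sends them: this IdP, another IdP, the default, or malformed."""
    src = user.get("sso_source") or ""
    if not src:
        return "default"  # no per-user IdP: the Default IdP (if one is set) applies
    if src == sso_source_value(idp_sys_id):
        return "this-idp"
    if not (src.startswith("sso:") and SYS_ID_RE.match(src[4:])):
        return "malformed"  # e.g. a space after 'sso:' or a truncated sys_id
    return "other-idp"


if __name__ == "__main__":
    name_id, fmt = name_id_from_response(SAMPLE_RESPONSE)
    print(f"NameID {name_id} ({fmt.rsplit(':', 1)[-1]})")
    user = resolve_user(name_id, USERS)
    print(f"matches sys_user {user['user_name']}; SSO Source routes to: {routing_for(user, IDP_SYS_ID)}")
    for u in USERS:
        print(f"  {u['user_name']:10s} -> {routing_for(u, IDP_SYS_ID)}")
```

To use it against a real instance, export the sys_user rows of the test users (user_name, email, sso_source) and capture one SAML Response from the browser's developer tools or a SAML tracer extension; the routing result for the test user should be this-idp, and every other user should be default or other-idp, never malformed.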