
Upload: vuongnhan

Post on 31-Mar-2018


ServiceNow - Centrify

Note If you’re trying to configure the current version of ServiceNow (Jakarta), you’re in the right place. If you’re trying to configure one of the previous versions of ServiceNow (Fuji, Geneva, Helsinki, or Istanbul), see the Centrify configuration guide for ServiceNow (previous versions). If you don’t know what version you have, you can find it on the Stats > Stats page in your ServiceNow instance.

With Centrify as your identity service, you can give users single sign-on (SSO) access to the ServiceNow web application with IdP-initiated SAML SSO (SSO access through the Centrify user portal), SP-initiated SAML SSO (SSO access directly through the ServiceNow web application), or both. Providing both methods gives you and your users maximum flexibility.

ServiceNow integrations include single sign-on (SSO) with built-in multi-factor authentication (MFA), and automated provisioning and de-provisioning of users based upon role membership within the source directory.

ServiceNow integrations are included with your Centrify Identity Services license.

If ServiceNow is the first application you are configuring for SSO through Centrify Identity Services, read these topics before you get started:

• Introduction to application management

• Configuring Single Sign-On (SSO)

Continue with ServiceNow SSO Requirements.

ServiceNow SSO Requirements

• Your own domain registered and verified with ServiceNow. For example, you have a login URL such as https://acme.service-now.com.

• An active ServiceNow account with administrator privileges.

• A test user created in the Centrify Identity Services Admin Portal. For more information about creating users and roles, see Centrify Admin Portal online help.

• A signed certificate in PEM format. You can either download the standard certificate from Admin Portal or use your organization’s trusted certificate.

This process enables the Multiple Provider SSO plugin in ServiceNow. For details, see Configuring ServiceNow for SSO. If you already have the plug-in enabled, you can skip that step.


Continue with Adding and Configuring ServiceNow in Admin Portal.

Adding and Configuring ServiceNow in Admin Portal

To add and configure the ServiceNow SAML + provisioning app in Admin Portal:

1 In Admin Portal, click Apps, then click Add Web Apps.

The Add Web Apps screen appears.

2 On the Search tab, enter the partial or full application name in the Search field and click the search icon.

3 Next to the application, click Add.

4 In the Add Web App screen, click Yes to confirm.

Admin Portal adds the application.

5 Click Close to exit the Application Catalog.

The application that you just added opens to the Settings page.

6 Click the Trust page to begin configuring the application.


The UI is evolving in order to simplify application configuration. For example, many of the settings previously found on the Application Settings page are now on the Trust page. You might have to select Manual Configuration to expose those settings.

Any previously configured applications retain their configuration and do not require reconfiguration. If you are configuring an application for the first time, refer to the Trust page for any settings previously found on the Application Settings page.

In addition, the description of how to choose and download a signing certificate in this document might differ slightly from your experience. See Choose a certificate file for the latest information.

Admin Portal user’s guide 15


7 Specify the following parameters:

• Your ServiceNow Instance Name (required): Enter your ServiceNow instance name. For example, if you log in to ServiceNow using https://acme.service-now.com, enter acme.

• Encrypt Assertion (optional): Checked or unchecked. To use an encryption certificate, check this box, then choose a certificate file to use.

8 Create and enable a test user, then assign a role to them and select that role on the User Access page for your ServiceNow app.

Note See the Centrify Admin Portal online help for more information about creating users and creating roles.

9 Keep this browser window open for use later in the configuration process.

10 See Configuring ServiceNow for SSO to continue.

Configuring ServiceNow for SSO

The following steps are specific to the ServiceNow application and are required in order to enable SSO for ServiceNow. For information on optional Centrify Admin Portal configuration settings that you may wish to customize for your app, see Optional configuration settings.

To configure ServiceNow for SSO:

1 Open a new tab in your web browser.

Note It is helpful to open the ServiceNow web application and the Centrify Admin Portal Application Settings window simultaneously to copy and paste settings between the two browser windows.

2 Go to your ServiceNow login URL. For example, you have a login URL such as https://acme.service-now.com where acme is your company instance name.

Note Steps 3 through 10 enable the Multiple Provider SSO plugin in ServiceNow. If you already have the plug-in enabled, you can skip to Step 11.

3 In the left pane, search for plugins.

4 Click Plugins in the search results.

5 In the System Plugins window, search for integration.

6 Click on Integration - Multiple Provider Single Sign-On Installer in the list of search results.


7 Click the Activate/Upgrade link.

8 Click the Activate button to confirm, and wait for the Plugin Activation progress bar to finish.

9 Click the Close & Reload Form button.

10 Click the X to clear the Filter Navigator.

11 Search for x509 in the Filter Navigator, and click x509 Certificate under Multi-Provider SSO.

12 Click the New button.

13 Configure the following. Any fields not listed in this table require no action by you.

In this table and the ones that follow, where a row names an Admin Portal > Application Settings field, copy the value from that field in the Centrify Identity Services Admin Portal and paste it into the corresponding field on the ServiceNow Company Dashboard; otherwise, enter the value directly in ServiceNow.

• Name: Enter SAML 2.0 as the name.

• Format: Make sure that the PEM format is selected.

• Active: Make sure the Active check box is selected.

• PEM Certificate: Copy from Admin Portal > Application Settings > Download PEM Certificate. For ServiceNow, your certificate needs to be in PEM format (Base64 text between BEGIN CERTIFICATE and END CERTIFICATE lines). If the file you download from the Admin Portal is not already in that form, convert it to PEM before you use it in the ServiceNow application web site. To download the certificate and paste it in:
  1. Click the Download button on the Application Settings page in Admin Portal.
  2. Open the certificate file in a text editor.
  3. Copy the contents of the file and paste it into PEM Certificate.

14 Click Submit.

15 Use the Filter Navigator to search for SSO, and click Identity Providers under Multi-Provider SSO.

16 Click New to create a new Identity Provider.

17 Click SAML to select the type of Identity Provider to create.

18 Click Cancel when prompted to import metadata.

19 Configure the following. Any fields not listed in this table require no action by you.

• Name: Enter the name you want to use for the IdP (for example, Centrify-AABX567).

• Default: (Optional) Select this check box if you want to enable SP-initiated SSO.

• Identity Provider URL: Copy from Admin Portal > Application Settings > Identity Provider URL which will issue the SAML2 security token. Choose one of the following:
  • To enable SP-initiated SSO, copy the contents of the Identity Provider URL which will issue the SAML2 security token from the Application Settings page in the Admin Portal and paste it here.
  • For IdP-initiated only, enter another URL.
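The following is an added example, not Centrify’s or ServiceNow’s code, for the PEM Certificate step above. It takes whatever the Download button produced, binary DER or PEM text (with a UTF-8 BOM or Windows CRLF line endings, both common after a trip through a text editor), returns canonical PEM ready to paste into the x509 Certificate record, and computes a SHA-256 fingerprint you can compare with the output of openssl x509 -in cert.pem -noout -fingerprint -sha256 to confirm you pasted the right certificate. The 12-byte DER sample is a constructed ASN.1 stub standing in for a real certificate.

```python
# Added example (not Centrify's or ServiceNow's code): normalises a downloaded
# signing certificate into the PEM text the ServiceNow x509 Certificate record
# expects. SAMPLE_DER is a constructed ASN.1 stub, not a real certificate.
import base64
import hashlib
import re
import textwrap

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def certificate_der(data: bytes) -> bytes:
    """Return the raw DER encoding from either DER or PEM input (first PEM block only)."""
    if data.startswith(b"\xef\xbb\xbf"):          # UTF-8 BOM left behind by some editors
        data = data[3:]
    if PEM_BEGIN.encode() in data:
        match = _PEM_BLOCK.search(data.decode("ascii"))
        if match is None:
            raise ValueError("BEGIN CERTIFICATE without a matching END CERTIFICATE")
        # Drop CR/LF/whitespace between the markers, then decode strictly.
        der = base64.b64decode(re.sub(r"\s+", "", match.group(1)), validate=True)
    else:
        der = data
    if not der or der[0] != 0x30:                 # every X.509 certificate is an ASN.1 SEQUENCE
        raise ValueError("input is neither PEM nor DER (no leading SEQUENCE tag)")
    return der


def to_pem(data: bytes) -> str:
    """Canonical PEM: 64-column Base64 body, LF line endings, one trailing newline."""
    body = base64.b64encode(certificate_der(data)).decode("ascii")
    return "\n".join([PEM_BEGIN, *textwrap.wrap(body, 64), PEM_END]) + "\n"


def sha256_fingerprint(data: bytes) -> str:
    """Colon-separated SHA-256 of the DER, matching openssl's -fingerprint -sha256 layout."""
    digest = hashlib.sha256(certificate_der(data)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


# Constructed stand-in for a binary download: SEQUENCE { INTEGER 1, UTF8String "hello" }.
SAMPLE_DER = b"\x30\x0a\x02\x01\x01\x0c\x05hello"

if __name__ == "__main__":
    print(to_pem(SAMPLE_DER), end="")
    print("SHA256 Fingerprint=" + sha256_fingerprint(SAMPLE_DER))
```

Paste the output of to_pem into the PEM Certificate field as-is; the function is idempotent, so running it over a file that is already PEM simply cleans up line endings.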


20 On the same Identity Providers page, scroll down, click the Advanced tab, and configure the following. Any fields not listed here require no action by you.

• Identity Provider's AuthnRequest: Copy from Admin Portal > Identity Provider's AuthnRequest service. To enable SP-initiated or IdP-initiated SSO, copy the Identity Provider’s AuthnRequest service in Admin Portal and paste it here.

• Identity Provider's SingleLogoutRequest: Copy from Admin Portal > Identity Provider's SingleLogoutRequest service. Choose one of the following:
  • If you want users to log out of the user portal when they log out of ServiceNow, copy the URL from the Identity Provider’s SingleLogoutRequest service in the Admin Portal and paste it here.
  • If you want to keep users logged into the user portal after they log out of ServiceNow, enter a different URL or leave this field blank.

• ServiceNow Homepage: Replace <yourinstance> in the URL in this field with your company instance name.

• Entity ID / Issuer: Replace <yourinstance> in the URL in this field with your company instance name.

• Audience URI: Replace <yourinstance> in the URL in this field with your company instance name.

• NameID Policy: Replace the default value of the NameID Policy field with: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified

• External logout redirect: Use the default value.

• Failed Requirement Redirect: Copy from Admin Portal > Identity Provider’s AuthnRequest service and paste here.

• User Field: Set to how your assertion is constructed, for example email or user_name.
  Note: If you change this setting, make sure that it matches the attribute used for user account mapping in the ServiceNow application settings.
  Note: If you change this setting, you have to also change the last part of the NameID policy to match the attribute.

• Single Sign-On Script: Click the magnifying glass and select the MultiSSO_SAML2_Update1 script.

• NameID Attribute: Leave empty.

• Clock Skew: Provides a buffer on the valid period of the SAML token. Recommended value: 60. When set to 60, ServiceNow accepts the token up to 60 seconds before its NotBefore constraint and up to 60 seconds after its NotOnOrAfter constraint. Keep the value small: a larger skew only widens the window in which an assertion is accepted.

• Create AuthnContextClass: (Optional) If selected, ServiceNow requires that you present a specific login mechanism such as a form, Kerberos, etc., to create an AuthnContextClass request in the AuthnRequest statement.

• Protocol Binding for the IDP's SingleLogoutRequest: Use the default value.

• AuthnContextClassRef Method: (Optional) Use the default value.

• Force AuthnRequest: Leave unselected.

• Is Passive AuthnRequest?: Leave unselected.

21 Click Submit.

22 Click on the identity provider that you just created.

23 Click Test Connection and sign in with the test user account you created in the Centrify Admin Portal.

Note If you receive connection error messages, see sections 4.4 and 4.5 on https://wiki.servicenow.com/index.php?title=Multiple_Provider_Single_Sign-On# for more information about testing the connection and troubleshooting connection errors.

24 Clear the Filter Navigator, search for Properties, and click Properties under Multi-Provider SSO Administration.

25 Configure the following.

• Enable multiple provider SSO: Select Yes.

• Enable debug logging for the multiple provider SSO integration: (Optional) Yes or No. Leave this at No except while troubleshooting, and turn it off again afterwards.

• The field on the user table that identifies a user accessing the “User identification” login page: Use the default.

26 Click Save.

27 Log out of your ServiceNow account.


28 (Optional) To configure the ServiceNow application for automatic provisioning, see ServiceNow provisioning.
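The following is an added example, not Centrify’s or ServiceNow’s code, showing what the Identity Provider URL, Audience URI, NameID Policy, User Field and Clock Skew settings configured in steps 19 and 20 mean when a login arrives: it evaluates a SAML Response against those values and reports every failed condition. The issuer https://idp.example.com/saml/issuer, the audience https://acme.service-now.com and the unsigned response itself are assumptions constructed for the example, and comparing the configured Identity Provider URL against the Assertion Issuer is a simplification of what ServiceNow does. Signature verification is deliberately left out; a real service provider must verify the XML signature with the IdP certificate before any of these checks mean anything.

```python
# Added example (not Centrify's or ServiceNow's code): evaluates a SAML Response
# against the values the Identity Provider record above is configured with.
# XML signature verification is deliberately omitted; a real SP must verify the
# signature with the IdP certificate before trusting any of these checks.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Assumed configuration values (hypothetical, not from the guide).
IDP_ISSUER = "https://idp.example.com/saml/issuer"   # Identity Provider URL
AUDIENCE = "https://acme.service-now.com"            # Audience URI for instance "acme"


def parse_saml_time(value):
    """xs:dateTime in UTC, e.g. 2018-03-31T12:00:00Z (fractional seconds allowed)."""
    value = value.rstrip("Z").split(".")[0]
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S").replace(tzinfo=timezone.utc)


def check_assertion(response_xml, idp_issuer=IDP_ISSUER, audience=AUDIENCE,
                    clock_skew=60, user_field="email", now=None):
    """Return (ok, reasons, subject).

    clock_skew mirrors the Clock Skew property: the assertion is accepted up to
    clock_skew seconds before NotBefore and up to clock_skew seconds after
    NotOnOrAfter. subject is the NameID value that ServiceNow looks up in the
    sys_user column named by User Field.
    """
    now = now or datetime.now(timezone.utc)
    skew = timedelta(seconds=clock_skew)
    reasons = []
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    if assertion is None:
        return False, ["response carries no Assertion"], None

    issuer = (assertion.findtext("saml:Issuer", default="", namespaces=NS) or "").strip()
    if issuer != idp_issuer:
        reasons.append(f"issuer {issuer!r} is not the configured identity provider")

    cond = assertion.find("saml:Conditions", NS)
    if cond is None:
        reasons.append("assertion has no Conditions")
    else:
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and now + skew < parse_saml_time(not_before):
            reasons.append("assertion not yet valid (NotBefore)")
        if not_on_or_after and now - skew >= parse_saml_time(not_on_or_after):
            reasons.append("assertion expired (NotOnOrAfter)")
        audiences = [a.text.strip() for a in
                     cond.findall("saml:AudienceRestriction/saml:Audience", NS) if a.text]
        if audience not in audiences:
            reasons.append(f"audience {audiences} does not include {audience!r}")

    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    subject = name_id.text.strip() if name_id is not None and name_id.text else None
    if subject is None:
        reasons.append("assertion has no NameID")
    else:
        if name_id.get("Format", NAMEID_UNSPECIFIED) != NAMEID_UNSPECIFIED:
            reasons.append("NameID Format does not match the configured NameID Policy")
        if user_field == "email" and "@" not in subject:
            reasons.append("User Field is email but the NameID is not an email address")
    return not reasons, reasons, subject


# Constructed, unsigned sample response for the instance "acme".
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2018-03-31T12:00:00Z">
  <saml:Issuer>https://idp.example.com/saml/issuer</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2018-03-31T12:00:00Z">
    <saml:Issuer>https://idp.example.com/saml/issuer</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice@acme.example</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2018-03-31T11:59:00Z" NotOnOrAfter="2018-03-31T12:05:00Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://acme.service-now.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""

if __name__ == "__main__":
    for when in ("2018-03-31T12:00:00Z", "2018-03-31T12:05:30Z", "2018-03-31T12:06:01Z"):
        print(when, check_assertion(SAMPLE_RESPONSE, now=parse_saml_time(when)))
```

Running it with the three timestamps shows the Clock Skew property at work: the login at 12:05:30 is 30 seconds past NotOnOrAfter but still accepted, while 12:06:01 falls outside the 60-second buffer and is rejected.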

ServiceNow provisioning

Note Before configuring the ServiceNow application for provisioning, you must install, configure, and deploy the app.

Introduction and overview of ServiceNow provisioning

For ServiceNow, the overall workflow for configuring provisioning is as follows.

Configuring ServiceNow for automatic user provisioning (an overview):

1 You prepare your ServiceNow account for provisioning.

Prior to configuring provisioning in your ServiceNow application, you need to install the Centrify Identity Services app and activate the Multiple Provider Single Sign-On Installer plugin. For details see Installing the Centrify Identity Services app for ServiceNow.

The user account that you’ll use to configure provisioning has to either be a member of the x_cenr3_centrify_u.centrify_admin role or be granted specific access permissions. For details, see Configuring ServiceNow for Provisioning.

2 In Admin Portal, you configure the ServiceNow application for automatic user provisioning:

Add and configure the ServiceNow application for single sign-on.

In the ServiceNow application, you enable provisioning.

You add the ServiceNow administrator credentials.

You add the role mappings and specify how to handle updates to existing ServiceNow user accounts.

3 Make sure that provisioning is working as desired.

Run preview synchronizations in Admin Portal, review the synchronization reports, and review the list of users in ServiceNow. Make changes as needed to get the desired provisioning results.

4 Continue with Installing the Centrify Identity Services app for ServiceNow.


Installing the Centrify Identity Services app for ServiceNow

In order to configure ServiceNow provisioning, you need to first install the Centrify Identity Services app available in the ServiceNow app store.

To install the Centrify Identity Services app

1 Go to the ServiceNow app store at https://store.servicenow.com and search for Centrify Identity Services.

2 Click the Centrify Identity Services app.

3 Click Get to make the Centrify Identity Services app available for your ServiceNow instances.

4 Go to the ServiceNow instance, select System Applications > Applications > Downloads to locate the app then click Install to install the app.

5 (Optional) In ServiceNow, create a user with role x_cenr3_centrify_u.centrify_admin, whose credentials are used for configuring ServiceNow provisioning in Centrify Identity Services Admin Portal.

You can skip this step if you use the ServiceNow admin account directly to configure ServiceNow provisioning. A dedicated user that holds only the x_cenr3_centrify_u.centrify_admin role is the least-privilege choice, because its credentials are stored in Admin Portal for the provisioning connection.

Note If you haven’t done so already, you must also activate the Multiple Provider Single Sign-On Installer plugin.

For activation information, see the instructions in Activating Multiple Provider Single Sign-On on the following ServiceNow page:

http://wiki.servicenow.com/index.php?title=Multiple_Provider_Single_Sign-On#Activating_Multiple_Provider_Single_Sign-On

Continue with Configuring ServiceNow for Provisioning.

Configuring ServiceNow for Provisioning

The ServiceNow user account that you use to configure provisioning must have the x_cenr3_centrify_u.centrify_admin provisioning administrator role or be assigned to a role with the following access:

• Import Set User (imp_user): create access.

• Table User (sys_user): read access.

• Import Set User Role (imp_user_role): create access.

• Table User Role (sys_user_has_role): read access.

• Table Roles (sys_user_role): read access.

In addition, the account needs the soap, import_admin, and import_transformer roles.


Note The provisioning admin role x_cenr3_centrify_u.centrify_admin is automatically installed along with the Centrify Identity Services app on ServiceNow.

Configuring ServiceNow for automatic provisioning:

1 In a new browser tab, go to your ServiceNow login URL. For example, you have a login URL such as https://acme.service-now.com where acme is your company instance name.

2 In the left pane, click User Administration > Users.

3 Click New.

4 Specify the following:

• Email: The email address for this account.

• Active: Leave the box checked.

• Remaining fields: (Optional) Fill in the remaining fields as desired.

5 Click Submit.

6 Click the user you just created in the list of users.

7 Scroll down and click Edit in the Roles section.

8 Search for x_cenr3_centrify_u.centrify_admin and select it.

9 Click > to add it to the Roles list.

10 Click Save.

11 In the left pane, click System Definition > Tables.

12 Search for User Role and select it.

13 Select the State Column Label under Table Columns.

14 Scroll down to Choices and click New.

15 Enter Inactive for the Label and Inactive for the Value.

16 Click Submit.

17 (Optional) Continue with (Optional) Customizing the Import Set Web Services of Centrify Identity Services.

18 Continue with Configuring ServiceNow in Admin Portal for automatic provisioning.


(Optional) Customizing the Import Set Web Services of Centrify Identity Services

By default, ServiceNow provisioning syncs 8 user fields: email, first_name, home_phone, last_name, mobile_phone, phone, user_name, and roles. If you want to customize this list, you must do so both in the Centrify Identity Service > Centrify User page of your ServiceNow configuration web page, and also in Admin Portal.

To customize the Import Set Web Services:

1 In the left pane, click Centrify Identity Services > Centrify User.

2 Add/remove Web Service Fields as desired.

3 Edit/add/remove Web Service Transformation Maps as desired.

Note This setting decides how fields of the import set table are mapped to the system User table. Coalesce should be set to false for all field maps except user_name, and Choice action should be set to ignore for all field maps with non-string Target fields.

4 If you want to sync any additional fields, modify the provisioning script in Admin Portal.

Note The provisioning script is intended for advanced users who are familiar with editing server-side JavaScript code.

Configuring ServiceNow in Admin Portal for automatic provisioning

To configure ServiceNow in Admin Portal for automatic provisioning:

1 Click the Provisioning tab in the Centrify Identity Services Admin Portal.

2 Select Enable provisioning for this application.

3 Select either Preview Mode or Live Mode.

Preview Mode: Use Preview Mode when you’re initially testing the application provisioning or making configuration changes. The identity platform does a test run to show you what changes it would make but the changes aren’t saved.

Live Mode: Use Live mode when you want to use application provisioning in your production system. The identity platform does the provisioning run and saves the changes to both the identity platform and the application’s account information.

4 Enter the following information for the main provisioning details:

Field Description

Account Name Enter the name of your account with ServiceNow.

Admin Name Enter your ServiceNow administrator user name. This user can either be a member of the Administrator role in ServiceNow or have the required permissions (see Configuring ServiceNow for Provisioning). A dedicated account that holds only the x_cenr3_centrify_u.centrify_admin role is preferable to the full admin account, because these credentials are stored in Admin Portal.

Admin Password Enter the password for the ServiceNow administrator.


5 Click Verify to have the Admin Portal verify the connection and save the provisioning details.

6 Continue with Provisioning users for ServiceNow based on roles.

Provisioning users for ServiceNow based on roles

Here you specify an Admin Portal role and specify that users in that role will be matched to existing or new accounts in ServiceNow with the destination roles that you specify. For ServiceNow, you can map one Admin Portal role to multiple ServiceNow roles.

When you change any role mappings, the Admin Portal synchronizes any user account or role mapping changes immediately.

Note ServiceNow single sign-on uses the email address (or whatever attribute you chose as the User Field on the identity provider record) to identify the user account at login, whereas the ServiceNow provisioning API uses the user name to determine whether an account is unique or a duplicate. This is only an issue if two or more ServiceNow user accounts have the same email address, in which case ServiceNow logs the user in with the first account that matches. Check sys_user for duplicate email addresses before you enable SSO, so that a provisioned user cannot land in someone else’s account.

Note How the Admin Portal determines duplicate user accounts:

If the user accounts in the Admin Portal and the target application match for the fields that make a ServiceNow user unique, then the Admin Portal handles the user account updates according to your instructions. In many applications, the user’s email address or Active Directory userPrincipalName is the primary field used to identify a user—and in many cases, the userPrincipalName is the email address. You can look at the application’s provisioning script to see the fields that the Admin Portal uses to match user accounts.

To automatically provision users with ServiceNow accounts:

1 First, make sure that you’ve entered and verified the provisioning credentials.

2 In the Provisioning page, go to the Sync Options section.

3 Specify how the directory service handles situations when it determines that the user already has an account in the target application:

• Sync (overwrite): Updates account information in the target application (this includes removing data if the target account has a value for a user attribute that is not available from Centrify Identity Services).

• Do not sync (no overwrite): Keeps the target user account as it is; Centrify Identity Services skips and does not update duplicate user accounts in the target application.

• Do not de-provision (deactivate or delete): The user's account in the target application is not de-provisioned when a role membership change that would trigger a de-provisioning event occurs.

• Deprovision users in this application when they are disabled in source directory: Select this option to enable the feature. If checked, a user is deprovisioned when they are marked as disabled in the source directory. Deprovisioning behavior and available deprovisioning options depend on what the target application supports.

4 Scroll to the Role Mappings section.

5 To add role mappings and specify which users get provisioned to this application, click Add.

The Role Mapping dialog box opens.

6 To map user accounts in Admin Portal to ServiceNow user accounts, select a Role (the ones in Admin Portal) and a Destination role (the ones in ServiceNow).

Tip For best results, assign roles where users are only in one role.

Note For ServiceNow user provisioning, you can map an Admin Portal role to multiple ServiceNow roles, if desired.

7 Click Done to save the role mapping and return to the Provisioning page.

8 Continue adding role mappings, as desired.

To change a mapping, select the role mapping and click Actions > Modify.

To remove a mapping, select the role mapping and click Actions > Delete.

To change the order of the role mappings, select the role mapping that you want to move higher in the list and click Actions > Move Up.

Tip Provisioning assigns users access and assignments based on the top-most role mapping. The order in which the roles display in the Role Mappings section matters. The role at the top of the list has priority when provisioning users. For instance, if a user is in multiple roles that you’ve mapped for provisioning, the Admin Portal provisions the user based on the role nearer the top of the list. For best results, assign roles where users are only in one role. If users are in multiple roles, rearrange the order of role mappings as desired. For more details, see Setting up app-specific provisioning.

Note The provisioning script is intended for advanced users who are familiar with editing server-side JavaScript code.

9 When you’re done, click Save to save the provisioning details.

Anytime that you make changes to the provisioning role mapping, the Admin Portal runs a synchronization automatically. You can also run a preview synchronization or a real synchronization, if desired.
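The following is an added example, not Centrify’s provisioning script, that models the rules described above as a preview-mode run so you can see them interact before switching to Live Mode: the top-most role mapping wins for a user in several mapped roles, user_name decides whether a ServiceNow account is the same person, Sync versus Do not sync controls updates to existing accounts, disabled source users and users who drop out of every mapped role are deactivated unless you opt out, and accounts sharing an email address are flagged because SSO matches on email. The role mappings, users and the managed flag on ServiceNow accounts are all constructed for the example; the ServiceNow role names itil and snc_internal are assumed.

```python
# Added example (not Centrify's provisioning script): a preview-mode model of
# the ServiceNow role-mapping rules described above. All data is constructed.
from dataclasses import dataclass


@dataclass
class PortalUser:            # a Centrify Admin Portal user
    user_name: str
    email: str
    roles: set
    active: bool = True      # False = disabled in the source directory


@dataclass
class SnowUser:              # an existing ServiceNow sys_user record
    user_name: str
    email: str
    roles: set
    active: bool = True
    managed: bool = False    # assumption: marks accounts an earlier sync created


def resolve_destination_roles(portal_roles, role_mappings):
    """First mapping whose Admin Portal role the user holds wins (list order = priority)."""
    for portal_role, snow_roles in role_mappings:
        if portal_role in portal_roles:
            return set(snow_roles)
    return None


def plan_provisioning(portal_users, snow_users, role_mappings, overwrite=True,
                      deprovision_on_role_loss=True, deprovision_when_disabled=True):
    """Return the (action, user_name, detail) steps a live run would perform.

    Matching follows the provisioning API: user_name decides whether a portal
    user and a ServiceNow account are the same person.
    """
    by_name = {u.user_name: u for u in snow_users}
    plan = []
    for pu in portal_users:
        target = resolve_destination_roles(pu.roles, role_mappings)
        cur = by_name.get(pu.user_name)
        if target is None:
            # Not in any mapped role: only an account we manage is affected.
            if cur is not None and cur.managed and cur.active and deprovision_on_role_loss:
                plan.append(("deactivate", pu.user_name, "no longer in a mapped role"))
            continue
        if not pu.active:
            if cur is not None and cur.active and deprovision_when_disabled:
                plan.append(("deactivate", pu.user_name, "disabled in source directory"))
            continue
        if cur is None:
            plan.append(("create", pu.user_name, sorted(target)))
        elif not overwrite:
            plan.append(("skip", pu.user_name, "existing account, no overwrite"))
        else:
            changes = {}
            if cur.email != pu.email:
                changes["email"] = pu.email
            if cur.roles != target:
                changes["roles"] = sorted(target)
            plan.append(("update", pu.user_name, changes) if changes
                        else ("skip", pu.user_name, "unchanged"))
    return plan


def duplicate_email_warnings(snow_users):
    """SSO identifies users by email, so two accounts sharing one email is a login hazard."""
    seen = {}
    for u in snow_users:
        seen.setdefault(u.email.lower(), []).append(u.user_name)
    return {email: names for email, names in seen.items() if len(names) > 1}


# Constructed sample: "ServiceDesk" is listed above "Everyone", so it has priority.
ROLE_MAPPINGS = [
    ("ServiceDesk", {"itil", "snc_internal"}),
    ("Everyone", {"snc_internal"}),
]
PORTAL_USERS = [
    PortalUser("alice", "alice@acme.example", {"Everyone", "ServiceDesk"}),
    PortalUser("bob", "bob@acme.example", {"Everyone"}),
    PortalUser("carol", "carol@acme.example", {"Everyone"}, active=False),
    PortalUser("dave", "dave@acme.example", set()),
]
SNOW_USERS = [
    SnowUser("bob", "bob@acme.example", {"snc_internal"}, managed=True),
    SnowUser("carol", "carol@acme.example", {"snc_internal"}, managed=True),
    SnowUser("dave", "dave@acme.example", {"itil"}, managed=True),
    SnowUser("bob2", "bob@acme.example", {"itil"}),
]

if __name__ == "__main__":
    for step in plan_provisioning(PORTAL_USERS, SNOW_USERS, ROLE_MAPPINGS):
        print(step)
    print("duplicate emails:", duplicate_email_warnings(SNOW_USERS))
```

Reversing ROLE_MAPPINGS changes only alice, who is in both mapped roles: she is created with itil and snc_internal when ServiceDesk is on top, and with snc_internal alone when Everyone is, which is the ordering effect the tip above describes.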


ServiceNow Password Reset configuration

You must complete the steps in Configuring ServiceNow for SSO, Adding and Configuring ServiceNow in Admin Portal, and ServiceNow provisioning before proceeding with the instructions in this section.

The following is an overview of the steps required to configure the ServiceNow web application so that provisioned users can reset their passwords from within the ServiceNow app.

Note To use the password reset function, the login authentication policy must be configured to request passwords only (multi-factor authentication must not be enabled in order to use the password reset function). Check the authentication policy controls in the Admin Portal > Core Services > Policies > User Security Policies > Login Authentication.

To configure ServiceNow password reset settings on your ServiceNow domain (an overview)

1 Install and configure the ServiceNow app.

Install the ServiceNow web application in Admin Portal. Configure the ServiceNow app in Admin Portal and on your registered and verified ServiceNow domain. See the Centrify Identity Services application configuration guide for ServiceNow for more information.

2 Configure password reset settings on your ServiceNow domain.

See Configuring ServiceNow for password reset for more information.

Configuring ServiceNow for password reset

Before configuring ServiceNow for password reset, the ServiceNow password reset plugin must be installed. For more information about this plugin, see http://wiki.servicenow.com/index.php?title=Password_Reset.

There are two types of password reset processes:

Self-service password reset for the ServiceNow app in Admin Portal: the user goes to their ServiceNow password reset URL and changes their own password.

For more information, see Configuring password reset for the ServiceNow app.

Service desk password reset for the ServiceNow app in Admin Portal: an account manager or administrator resets a user’s password from their ServiceNow admin portal.


For more information, see Configuring password reset for the ServiceNow app.

To install the password reset plugin:

1 In your web browser, go to your ServiceNow login URL and log in. For example, you have a login URL such as https://acme.service-now.com where acme is your company instance name.

2 Click System Definition > Plugins.

3 Search for Password Reset.

4 Click on the Password Reset plugin.

5 Click Activate.

Configuring password reset for the ServiceNow app

To configure user self-service password reset:

1 In your web browser, go to your ServiceNow login URL and log in. For example, you have a login URL such as https://acme.service-now.com where acme is your company instance name.

2 Click the gear icon at the top right to open Settings.

3 Scroll down to Application and select Centrify Password Reset.

4 In the left pane, click Centrify Password Reset > Properties.

5 Enter the URL of the Centrify cloud.

6 Enter the Admin name and Admin password for the Admin Portal administrator.

7 Click Save.

8 Go to Password Reset > Credential Stores > Centrify Cloud.

9 Click Save & Test Connection to verify whether the connection is configured correctly.

10 In the left pane, click Password Reset > Processes.

11 Click Employee Self-Service Process for Centrify.


12 Under Password Reset Details, make sure that all of these options are checked:

Enable account unlock (set it to Checked): If a user is locked in Centrify, an Unlock User button is provided during password reset. Clicking the Unlock User button only unlocks the user in the Centrify app. For all users, password reset automatically resets their ServiceNow account.

Auto-generate password (set it to Checked): Enables automatically generated passwords.

User must reset password (set it to Checked): After password reset, the Require password change at next login status is checked for this user in Centrify.

Display password (set it to Checked): Displays the new password on the screen.

Email password (set it to Checked): Sends the password to the user’s primary email address.

13 To provide your users with a password reset URL:

a Make sure the Public access box is checked.

b Specify the URL suffix for your password reset URL.

Note You can direct your users to your password reset URL when they need to reset their passwords. This URL is automatically generated if the Public access box is checked, and is based on the value you specify as your URL suffix.

14 (Optional) To see which verification is used, scroll down to the Verifications list in the Advanced section. You can change the verifications used if desired.

15 Click Update.

16 In the left pane, click Password Reset > Processes.

17 Click Service-Desk Password Reset for Centrify.

18 Make sure that all of these options are checked (the same options as in step 12): Enable account unlock, Auto-generate password, User must reset password, Display password, and Email password.


19 Make sure that Public access is not checked.

20 (Optional) To see which verification is used, scroll down to the Verifications list in the Advanced section. You can change the verifications used if desired.

21 Click Update.

22 Log out of your ServiceNow account.

Centrify App Access integration in ServiceNow

Centrify App Access enables automatic access and provisioning of applications selected from the ServiceNow Service Catalog. The following is an overview of the steps required to configure Centrify App Access to integrate the Centrify Identity Services with ServiceNow.

Note If you have not completed the configuration steps in Configuring ServiceNow for SSO, Adding and Configuring ServiceNow in Admin Portal, and ServiceNow provisioning, any user who will request or approve application access must have a user account in Centrify Identity Services whose username attribute matches the ServiceNow User ID attribute.
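Before turning on App Access without provisioning in place, it is worth checking the match the note above requires. The following Python is an added example, not Centrify or ServiceNow code: it takes the ServiceNow User IDs of your requesters and approvers and the usernames in the identity service, reports every User ID with no exactly matching username, and separately points out the ones that would match once whitespace and case differences are removed, since those are usually data-entry mismatches. The page states only that the attributes must match; treating that as an exact string comparison, and the near-miss folding, are this example’s assumptions, and the sample user lists are constructed.

```python
from typing import Dict, Iterable, List, Tuple


def _fold(name: str) -> str:
    """Normalization used only to spot near-misses; the integration itself
    is assumed to need an exact match (assumption, not a documented rule)."""
    return name.strip().lower()


def check_user_id_match(servicenow_user_ids: Iterable[str],
                        centrify_usernames: Iterable[str]) -> Tuple[List[str], Dict[str, str]]:
    """Compare the ServiceNow User ID of every requester and approver with
    the usernames in the identity service.

    Returns (missing, near_misses):
      missing      ServiceNow User IDs with no exactly matching Centrify username
      near_misses  subset of `missing` that does match once whitespace is
                   trimmed and case ignored, mapped to the Centrify username
                   it resembles (a mismatch to correct on one side or the other)
    """
    centrify = list(centrify_usernames)
    exact = set(centrify)
    folded = {_fold(u): u for u in centrify}
    missing: List[str] = []
    near: Dict[str, str] = {}
    for uid in servicenow_user_ids:
        if uid in exact:
            continue
        missing.append(uid)
        candidate = folded.get(_fold(uid))
        if candidate is not None:
            near[uid] = candidate
    return missing, near


# Constructed sample data; names and the e-mail-style ID format are hypothetical.
SERVICENOW_USER_IDS = ["alice@acme.com", "Bob@acme.com", "dave@acme.com", "erin@acme.com "]
CENTRIFY_USERNAMES = ["alice@acme.com", "bob@acme.com", "carol@acme.com", "erin@acme.com"]

if __name__ == "__main__":
    missing, near = check_user_id_match(SERVICENOW_USER_IDS, CENTRIFY_USERNAMES)
    for uid in missing:
        hint = f" (did you mean {near[uid]!r}?)" if uid in near else ""
        print(f"no Centrify user for ServiceNow User ID {uid!r}{hint}")
```

Feed it the User ID column exported from ServiceNow > User Administration > Users for the requester and approver population and the username list from Admin Portal; anything in `missing` that is not in `near_misses` needs a user created, and anything in `near_misses` needs one side renamed.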

To configure Centrify App Access to integrate the Centrify Identity Service with ServiceNow (an overview)

1 Install and configure the ServiceNow app (recommended).

Install the ServiceNow web application in Admin Portal. Configure the ServiceNow app in Admin Portal and on your registered and verified ServiceNow domain. See ServiceNow for more information.

2 Download and configure the Centrify App Access application from the ServiceNow Store.

See Configuring the Centrify App Access application in ServiceNow for more information.

3 In Admin Portal, create role mappings for requesters and approvers (recommended).


See Create role mappings for requesters and approvers for more information.

See the following sections for more information about configuring the Centrify App Access integration:

Configuring the Centrify App Access application in ServiceNow

Create role mappings for requesters and approvers

Reviewing the user experience

Troubleshooting

Configuring the Centrify App Access application in ServiceNow

You must install and configure the Centrify App Access application in your ServiceNow instance to enable access and provision users to applications requested from the ServiceNow Catalog.

This procedure requires a ServiceNow account with administrator privileges.

To download and configure the Centrify App Access application

1 Get Centrify App Access from the ServiceNow Store located at https://store.servicenow.com.

2 Log in to ServiceNow with an admin account and find Centrify App Access under ServiceNow > System Applications > Applications > Downloads, then click Install.

ServiceNow installs Centrify App Access.

3 Go to ServiceNow > Centrify App Access > Admin > Properties, then configure the Centrify Tenant Properties.

Centrify Cloud Tenant URL: The URL for your company’s Centrify tenant. To ensure the Centrify App Access application is configured correctly, do not use a vanity URL.

Centrify Directory Service Account: The user name for a user account with at least Application and Role Management rights. Use a dedicated account that holds only those rights rather than a general administrator account, since the credential is stored in the ServiceNow instance.

Centrify Directory Service Account Password: The password for that user account.


4 (Optional) Go to ServiceNow > Centrify App Access > Admin > Properties, then configure the Centrify App Access Default Properties.

5 Set up the sync schedule for syncing applications from the Centrify Identity Services tenant.

a Go to ServiceNow > Centrify App Access > Admin > Customize API Sync.

b Check the Active check box.

c Use the drop-down menus and Time fields to set the sync interval.

d Either click Update and wait for the scheduled interval, or click Execute Now to sync immediately.

6 Set the Approval Group for each application: go to ServiceNow > Centrify App Access > Applications, then click the application that you want to set the approval group for.

Note If you prefer, you can set a default approval group for all applications rather than for each application. See Step 4 for more information.

7 (Optional) Mark any users that you want automatically provisioned without going through the approval process as Pre Approved.

a Go to ServiceNow > User Administration > Users, then click the user that you want to mark as Pre Approved.

b Scroll down to the Centrify App Access area and check the Pre Approved check box.

The Centrify App Access Default Properties (Step 4) are:

Default Approval Group: Sets the Default Approval Group for all applications instead of per application. This field requires the group GUID. To retrieve the group GUID, go to ServiceNow > System Security > Users and Groups > Groups, then right-click the desired group and select Copy sys_id. You can then paste the value into the Default Approval Group field.

Deactivate Applications that haven’t synced in this many days: This field requires an integer representing the desired number of days. Centrify recommends keeping the default value of 1.

Deactivate Roles that haven’t synced in this many days: This field requires an integer representing the desired number of days. Centrify recommends keeping the default value of 1.

Remove Application Role relationships that haven’t synced in this many days: This field requires an integer representing the desired number of days. Centrify recommends keeping the default value of 1.


Create role mappings for requesters and approvers

To simplify the process of your users requesting and approving applications through the ServiceNow Catalog, Centrify recommends creating the following two role mappings:

a role for end users, mapped to the Destination Role user.

a role for approvers, mapped to two Destination Roles (itil and x_cenr3_app_access.approver).

Note The Destination Role itil gives approvers the ability to process or fulfill requests through the ServiceNow Catalog. The Destination Role x_cenr3_app_access.approver limits the approvers’ scope to the functionality provided under Centrify App Access.

For example:

Name: ServiceNow Approvers Role. Destination Role: itil, x_cenr3_app_access.approver

Name: ServiceNow End Users Role. Destination Role: user

See Provisioning users for ServiceNow based on roles for more information about provisioning users for ServiceNow using Role Mappings.

Reviewing the user experience

After you configure Centrify App Access to integrate the Centrify Identity Service with ServiceNow, Centrify requesters and approvers have the following user experience.

Requester

1 Access ServiceNow through the Centrify user portal.

2 Select Service Catalog > Software > Centrify, then click Centrify App Access.

3 Create the request for the application you need, then click Order Now. ServiceNow generates a request number that you can use to track the request.

4 Once the request is approved, the requester is provisioned and given access to the requested application. The application automatically appears in the user’s Centrify user portal.

Approver

1 Access ServiceNow through the Centrify user portal.

2 Select ServiceNow > Centrify App Access, then click My Group Approvals.

3 Assign the task to yourself if you want it to appear in ServiceNow > Centrify App Access > My Approvals.

4 Close the task by putting the user into a role (you can choose from roles with access to the application), setting Approve Application Access? to Yes, and then clicking Close Task.

Troubleshooting

Centrify App Access provides detailed logs for errors you might encounter providing access and provisioning users to applications selected through the ServiceNow Catalog. Go to ServiceNow > Centrify App Access > Logs to find the logs.

For more information about ServiceNow

Here are some useful links where you can learn more about ServiceNow single sign-on:

http://wiki.servicenow.com/?title=External_Authentication_%28Single_Sign-On_-_SSO%29

http://wiki.servicenow.com/index.php?title=Integration_Overview
