Configuring AD FS 2.0 with ServiceNow SAML 2.0 - Part 2

Unknown | 04:54

In the first post we learned how to collect the Federation Service Identifier and export the “Token-Signing” certificate from Microsoft's Active Directory Federation Services (AD FS). In this post we will look at the ServiceNow SAML 2.0 settings.

ServiceNow SAML 2.0 Settings:

1. Log into ServiceNow with admin privileges
2. In the application navigator, browse to “SAML 2 Single Sign On” and select Properties

Note:
If SAML 2 is not listed, you will need to contact ServiceNow through the HI portal to have it enabled.



3. The correct settings for this example are explained below

Identity Provider properties:

#The Identity Provider URL which will issue the SAML2 security token with user info.
Enter the Identity Provider URL (the Federation Service Identifier) collected earlier; see Part 1.
Example: http://domain/adfs/services/trust

#The base URL to the Identity Provider's AuthnRequest service. The AuthnRequest will be posted to this URL as the SAMLRequest parameter

Enter the base URL of the Identity Provider's AuthnRequest service.
Example: http://domain/adfs/services/trust/ls

#Sign AuthnRequest.

Leave default

#The base URL to the Identity Provider's SingleLogoutRequest service. The LogoutRequest will be posted to this URL as the SAMLRequest parameter

Logout requests will be redirected to the URL specified here.
Example: IdP login (https://domain/adfs/ls/idpinitiatedsignon.aspx)
 
#The protocol binding for the Identity Provider's SingleLogoutRequest service. (Value can be either "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" or "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST".)

Leave default

#Sign LogoutRequest. Set this property to true if the Identity Provider's SingleLogoutRequest service requires signed LogoutRequest.

Leave default

#When SAML 2.0 single sign-on fails because the session is not authenticated, or this is the first login, redirect to this URL. This is the base URL where the initial SAML 2.0 AuthnRequest is sent using the SAMLRequest parameter

Leave default

#URL to redirect users after logout, typically back to the portal that enabled the SSO (e.g. http://portal.companya.com/logout)

Leave default
  

Service Provider (Service-Now) properties:

#The URL to the Service-now instance homepage.

This is the ServiceNow login URL.
Example: https://demo.service-now.com/navpage.do

#The entity identification, or the issuer

Example: https://demo.service-now.com

#The audience URI that accepts the SAML2 token. (Normally, it is your instance URI.)

Example: https://demo.service-now.com

#The User table field to match with the Subject's NameID element in the SAMLResponse

This specifies the field in the User table that is matched against the Subject NameID in the SAML assertion sent by the IdP.
Example: email

#The NameID policy to use for returning the Subject's NameID in the SAMLResponse. Your SAML identity provider will have to support this by declaring the policy in its metadata. The NameID value is used to match with the specified field in the User table to lookup the user

Leave default 

#Create an AuthnContextClass request in the AuthnRequest statement.
This tells the IdP that ServiceNow requires that they present a specific login mechanism such as a form, Kerberos, etc. If the AuthnRequest doesn't specify an AuthnContextClass, the IdP will choose the most appropriate method.


Check Yes 

#The AuthnContextClassRef method that will be included in our SAML 2.0 AuthnRequest to the Identity Provider

Leave Default

#The alias of key entry stored in SAML 2.0 SP Keystore used to sign SAML 2 requests.

Leave default

#The password of key entry stored in SAML 2.0 SP Keystore used to sign SAML 2 requests. 

Leave default

#Click SAVE
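
As an added example (not part of the original post and not ServiceNow's own code), the following Python script shows the checks the service-provider side performs with three of the properties above: the assertion's Issuer must equal the Identity Provider URL, the Audience must equal the audience URI, and the Subject's NameID is matched against the configured User table field (email). The property values, the user table and the SAMLResponse are constructed stand-ins, and signature verification with the exported token-signing certificate is a separate step not shown here.

```python
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# SP-side values taken from the properties on this page (assumed instance names).
SP_CONFIG = {"idp_issuer": "http://domain/adfs/services/trust",  # Identity Provider URL
             "audience": "https://demo.service-now.com",         # audience URI
             "nameid_field": "email"}                            # User table field matched against NameID
USER_TABLE = [{"user_name": "jdoe", "email": "jdoe@companya.com"}]  # constructed stand-in for the User table

def parse_time(value):  # SAML timestamps are UTC ISO 8601 with a trailing "Z"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def validate_response(xml_text, config, users, now):
    """Return the matched user row, or raise ValueError naming the failed check.
    Signature verification with the token-signing certificate is a separate, mandatory step."""
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        raise ValueError("no Assertion in response")
    issuer = assertion.findtext("saml:Issuer", namespaces=NS)
    if issuer != config["idp_issuer"]:  # token must come from the configured IdP
        raise ValueError("issuer mismatch: %r" % issuer)
    cond = assertion.find("saml:Conditions", NS)
    if cond is None or not (parse_time(cond.get("NotBefore")) <= now
                            < parse_time(cond.get("NotOnOrAfter"))):
        raise ValueError("assertion outside validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if config["audience"] not in audiences:  # token must be meant for this instance
        raise ValueError("audience mismatch: %r" % audiences)
    name_id = assertion.findtext("saml:Subject/saml:NameID", namespaces=NS)
    matches = [u for u in users if u.get(config["nameid_field"]) == name_id]
    if len(matches) != 1:  # exactly one user must match the configured field
        raise ValueError("NameID %r matched %d users" % (name_id, len(matches)))
    return matches[0]

def check(xml_text, now_iso, config=SP_CONFIG, users=USER_TABLE):
    # Convenience wrapper: matched user_name, or "REJECT: <reason>".
    try:
        return validate_response(xml_text, config, users, parse_time(now_iso))["user_name"]
    except ValueError as err:
        return "REJECT: " + str(err)

# Constructed, unsigned sample in the shape AD FS posts back as the SAMLResponse parameter.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
 xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
 <saml:Assertion ID="_a1" Version="2.0"><saml:Issuer>http://domain/adfs/services/trust</saml:Issuer>
 <saml:Subject><saml:NameID>jdoe@companya.com</saml:NameID></saml:Subject>
 <saml:Conditions NotBefore="2024-01-01T00:00:00Z" NotOnOrAfter="2024-01-01T00:05:00Z">
 <saml:AudienceRestriction><saml:Audience>https://demo.service-now.com</saml:Audience>
 </saml:AudienceRestriction></saml:Conditions></saml:Assertion></samlp:Response>"""
```

Running `check(SAMPLE_RESPONSE, "2024-01-01T00:01:00Z")` returns "jdoe"; an expired window, a foreign audience or an unknown NameID each produce a REJECT reason instead of a login.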

Certificate Settings: 

1. Select the “Certificate” page from the application navigator.
2. At the top right corner, select the paper clip and attach the PEM certificate we created earlier.




Sometimes the certificate's fields such as Issuer and Subject do not populate after selecting Save, and there may be an error at the top of the page. If this is the case, open the saved PEM-formatted certificate in Notepad, copy and paste its contents into the “PEM Certificate:” field and click “Update”. All areas on this page should then be filled out.

------------------------------------------------------------------------------------------------------

In the next post, we will discuss the AD FS Relying Party Configuration and the AD FS Relying Party Claim Rules.
 
 


handsonbook.blogspot.com
