Configuring SAML 2.0 Authentication

App Portal / App Broker for ServiceNow 2016

SAML (Security Assertion Markup Language) 2.0 is an XML-based, open-standard data format for enabling web browser single sign-on.

To configure SAML 2.0 authentication for your App Portal site, perform the following steps:

To configure SAML 2.0 authentication:

1. Log on to your identity provider platform's web site and open the page containing your account's SAML settings. The following are the SAML Settings in Okta:

2. In your identity provider platform, provide this URL for redirecting to App Portal after sign in:

http://YOURAPPPORTALSERVER/esd/SamlSignOn.aspx

Note • This URL would be entered in the Single Sign On URL, Recipient URL, and Destination URL fields in the Okta sample settings, shown above.

3. In your identity provider platform, make sure that the Name ID Format is set to Email Address. After you do this, whenever SAML 2.0 authentication occurs, your identity provider platform will send the email address that is registered with the identity provider to App Portal as part of the SAML assertion.
4. Download an authentication certificate from the identity provider platform.
5. Launch App Portal and open the Site Management > Settings > Single Sign-On view.
6. From the Single sign-on type list, select SAML 2.0. The SAML 2.0 settings are listed.

7. Click Browse next to Identity provider certificate and select the authentication certificate that you obtained from your identity provider platform.
8. In the Single sign-on URL field, enter the single sign-on URL from your identity provider platform.

Important • App Portal assumes IdP-initiated single sign-on (identity provider-initiated single sign-on). App Portal does not prompt for login credentials; instead it redirects the user to the specified identity provider, and the identity provider prompts the user to authenticate using their preferred method, such as user name/password, smart card, token, multi-factor authentication, etc.

9. In the Signature node XPath field, the default setting is //ds:Signature. Adjust this signature node XPath as needed, per your identity provider platform.
10. In the Attribute node XPath field, the default setting is below. Adjust this attribute node XPath as needed, per your identity provider platform.

/saml2p:Response/saml2:Assertion/saml2:Subject/saml2:NameID

Tip • When configuring the Attribute node XPath field, you may want to consider using a Mozilla Firefox plug-in named SAML Tracer, a tool for viewing SAML messages sent through the browser during single sign-on. You can use the SAML Tracer plug-in to capture the network communications between App Portal and the identity provider when a user is authenticating, identify the SAML packets, and display them in a readable format. You can then look at the XML structure of that SAML data to determine the correct XPath to enter in the Attribute node XPath field.

11. Click Save.
12. In IIS, open the Authentication view for the ESD site.

13. Set Anonymous Authentication to Enabled, and set Windows Authentication to Disabled.
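Before saving the XPath settings from steps 9 and 10, you can run the defaults against a Response captured with SAML Tracer, as the Tip suggests. The following Python script is an added example, not part of this documentation or of App Portal: it embeds a constructed Okta-style Response with a placeholder signature, and because Python's xml.etree supports only a subset of XPath it converts the absolute settings-page paths into the relative form that library accepts.

```python
"""Check App Portal's default SAML XPaths against a captured SAML Response.
Added example, not Flexera's code; xml.etree accepts only a subset of XPath,
so the absolute settings-page XPaths are converted to its relative form."""
import xml.etree.ElementTree as ET

# Namespace prefixes exactly as App Portal's default XPaths use them.
NS = {"saml2p": "urn:oasis:names:tc:SAML:2.0:protocol",
      "saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
SIGNATURE_XPATH = "//ds:Signature"
ATTRIBUTE_XPATH = "/saml2p:Response/saml2:Assertion/saml2:Subject/saml2:NameID"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed sample Response; the signature content is a placeholder.
SAMPLE_RESPONSE = """<saml2p:Response xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    Destination="http://YOURAPPPORTALSERVER/esd/SamlSignOn.aspx">
  <saml2:Assertion ID="_a1" Version="2.0">
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue></ds:Signature>
    <saml2:Subject><saml2:NameID
      Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml2:NameID>
    </saml2:Subject>
  </saml2:Assertion>
</saml2p:Response>"""

def to_etree_path(xpath, root_prefix="saml2p:Response"):
    """Translate a settings-page XPath into ElementTree's limited dialect."""
    if xpath.startswith("//"):
        return "." + xpath                   # '//x' -> './/x' (any depth)
    if xpath.startswith("/" + root_prefix + "/"):
        return xpath[len(root_prefix) + 2:]  # drop the root step (root is Response)
    raise ValueError("unsupported XPath: " + xpath)

def check_response(xml_text):
    """Report what the two XPaths select. Finding a Signature node is not
    verifying it; App Portal checks it against the uploaded IdP certificate."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}Response" % NS["saml2p"]:
        raise ValueError("document root is not a saml2p:Response")
    signatures = root.findall(to_etree_path(SIGNATURE_XPATH), NS)
    name_id = root.find(to_etree_path(ATTRIBUTE_XPATH), NS)
    return {"signatures": len(signatures),
            "name_id": None if name_id is None else (name_id.text or "").strip(),
            # Step 3: the IdP must send Name ID Format = Email Address.
            "email_format": name_id is not None and name_id.get("Format") == EMAIL_FORMAT}
```

A `name_id` of `None` on a real capture means the identity provider nests the NameID differently and the Attribute node XPath needs adjusting, which is the case step 10 describes.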
