Acceptto MFA for ServiceNow®

Introduction

Multi-factor authentication (MFA) is an extra layer of security used when logging in to websites or apps: the user is authenticated through more than one required security and validation procedure, each relying on something that only that user knows or has access to.

ServiceNow is a company that provides service management software as a service. It specializes in IT services management (ITSM), IT operations management (ITOM) and IT business management (ITBM). Acceptto MFA for ServiceNow® enables strong authentication and secure access via SAML to protect your user accounts and your data without exchanging usernames and passwords.

Pre-requisites
  1. An Acceptto Appliance connected to your user directory (for example Microsoft Active Directory).
  2. The user population that is going to be authenticated via SAML must be enrolled in the It’sMe™ Application.
  3. A user with administrative privileges for the Acceptto Appliance.
  4. A user with administrative privileges for the ServiceNow instance.
    1. Ensure that you have a user account that has the admin role before enabling SAML. To configure a user as an admin, log in to your ServiceNow instance and select System Security, Users.
    2. Select a specific user and, at the bottom section of the page, under Roles select Edit.
    3. In the Collection field type "admin", select the right arrow >, and then Save.
    4. To verify that your user is an admin, select the Impersonate User control in the upper right corner of the screen and select the user you have promoted to admin.
    5. You should be able to access privileged operations such as System Security.
    6. If you enable SAML and do not have a user account enabled as admin, see the instructions in the section Configure ServiceNow as a Service Provider (SP).
Acceptto SAML Configuration as Identity Provider (IdP)
  1. Log in to the Acceptto Appliance Admin portal with an administrative account and select “APPLICATIONS”.
  2. Create a new application by selecting the Create New Application button.
  3. In the Add Application dialog, enter the following values (the Advanced Options button allows additional optional configuration):

    App Name: The application name to be displayed in the admin panel and application portal. For example: ServiceNow instance

    Issuer or EntityID: The Issuer/EntityID of the SAML application. For example, https://my-servicenow-instance.service-now.com

    Sign in URL: The link used by your users to access the ServiceNow instance. You can leave this field blank.

    Metadata URL: The URL containing metadata about your ServiceNow instance, such as https://my-servicenow-instance.service-now.com/metadata

    Response hosts: A comma-delimited list of your ServiceNow instances.

    Auth Attribute: The identifier format used for your users, in this case Email.

    SSO URL (optional): Your ServiceNow instance URL, such as https://my-servicenow-instance.service-now.com

  4. Click Save to create the Application.
  5. Select Show ID Provider Data and copy the information shown on this page.
Configure ServiceNow as a Service Provider (SP)
  1. Log in to your ServiceNow instance and, in the upper left section of the page, search for and select Plugins.
  2. Search for the plugin Integration - Multiple Provider Single Sign-On Installer and then select it.
  3. Click Activate/Upgrade under Relative Links.
  4. Go back to the upper left section and search for and select Identity Providers.
  5. Select New, then select SAML. A pop-up dialog will appear; configure it to use the URL

    https://your-acceptto-instance.acceptto.com/saml/metadata

    and then click "Import".

  6. This will pre-populate some of the fields required to configure the SAML Identity Provider.
  7. The Identity Provider record page will be shown. Select Advanced in the bottom section of the page and fill in any fields that are missing information:

    Name: A description of the Identity Provider (e.g., Acceptto)

    Identity Provider URL: Your Acceptto instance, e.g., https://your-acceptto-instance.acceptto.com

    Identity Provider AuthnRequest: Your Acceptto instance login URL, e.g., https://your-acceptto-instance.acceptto.com/saml/auth

    ServiceNow Homepage: Your ServiceNow instance homepage, e.g., https://your-servicenow-instance.service-now.com/navpage.do

    Entity ID / Issuer: Your ServiceNow instance, e.g., https://your-servicenow-instance.service-now.com

    Audience URI: The target audience of the SAML response, in essence your instance, e.g., https://your-servicenow-instance.service-now.com

    NameID Policy: The subject or name identifier inside the SAML response to an authentication request, in this case the user’s email: urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

  8. In the Advanced tab ensure that the following fields are completed:

    User Field: The user identifier, in this specific case email.

    Protocol Binding for the IDP’s SingleLogoutRequest: The method by which the SP connects to the IdP for logout requests, in this specific case urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

  9. The configuration should be similar to the image below:
  10. Once the SAML configuration is finished, import the certificate you obtained while configuring the IdP by selecting New under the X.509 Certificate tab and filling in the following fields:

    PEM Certificate: Paste the string identified as x.509 Certificate that you obtained while configuring the IdP.

    Name: An identifier for the certificate, e.g., Acceptto IdP Certificate.

  11. The information on the page should be similar to the image below. Save the certificate by selecting Submit.
  12. Before you can activate the newly configured IdP, select Test Connection in the middle section of the page. A new web page should pop up with the Acceptto IdP portal.
  13. Once you log in successfully, a page will appear with the test results. It is safe to ignore the error shown for the SSO Logout Test Results.
  14. Select Activate to enable the IdP.
  15. Go back to the search box in the upper left section of the page and type Multi-Provider SSO, select Properties below Administration, and ensure that the following controls are set:

    Enable multiple provider SSO: Yes

    The field on the user table that identifies a user accessing the "User identification" login page (by default it uses the 'user_name' field): email

    Enable debug logging for multiple provider SSO integration: Yes (optional)
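To make the Entity ID / Issuer, Audience URI and NameID Policy settings above concrete, here is an added example (not part of the Acceptto or ServiceNow documentation) of the checks a Service Provider applies to an incoming assertion against exactly those values. The hostnames are the guide's placeholders, the SAML response is constructed for the example, and XML signature verification (which the SP must also perform) is out of scope.

```python
import datetime as dt
import xml.etree.ElementTree as ET

NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol", "saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
# Placeholder hostnames from the guide; the response below is constructed, not captured.
IDP_ENTITY_ID = "https://your-acceptto-instance.acceptto.com"
SP_ENTITY_ID = "https://your-servicenow-instance.service-now.com"
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}" ID="_r1" Version="2.0">
  <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_ENTITY_ID}</saml:Issuer>
    <saml:Subject><saml:NameID Format="{EMAIL_FORMAT}">alice@example.com</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:10:00Z">
      <saml:AudienceRestriction><saml:Audience>{SP_ENTITY_ID}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""
VALID_TIME = dt.datetime(2024, 1, 1, 12, 5, tzinfo=dt.timezone.utc)   # inside the validity window
LATER_TIME = VALID_TIME + dt.timedelta(minutes=10)                    # after NotOnOrAfter

def _ts(value):
    """Parse a SAML UTC timestamp such as 2024-01-01T12:00:00Z."""
    return dt.datetime.fromisoformat(value.replace("Z", "+00:00"))

def check_assertion(xml_text, expected_issuer, expected_audience, now):
    """Return the list of mismatches between the assertion and the SP settings (empty = OK).
    XML signature verification is the SP's job and is deliberately not shown here."""
    problems = []
    assertion = ET.fromstring(xml_text).find("saml:Assertion", NS)
    if assertion is None:
        return ["no Assertion element"]
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS).strip()
    if issuer != expected_issuer:                                   # Identity Provider URL
        problems.append(f"issuer {issuer!r} != {expected_issuer!r}")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != EMAIL_FORMAT:    # NameID Policy
        problems.append("NameID missing or not in emailAddress format")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID is not an e-mail address")
    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if expected_audience not in audiences:                          # Audience URI
        problems.append(f"audience {audiences} does not include {expected_audience!r}")
    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:                                            # validity window
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired")
    return problems
```

A mismatch in any of these fields is what shows up as a failed Test Connection in step 12, so comparing the values the IdP actually sends against the SP record is the first thing to check when the test fails.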

Test your setup
  1. Go to your ServiceNow instance. You will be redirected to the Acceptto SAML page.
  2. After successful authentication, you’ll see the Acceptto MFA options; select your desired method and pass the verification stage on your It’sMe mobile app.
  3. You are now authenticated with Acceptto SSO-MFA and will be redirected to your ServiceNow portal.
  4. If anything does not work as expected in steps 1 to 3, log in to your instance with an account created in the Pre-requisites section of this document, using your local credentials and the following URL:

    https://your-servicenow-instance.service-now.com/login.do

    This allows you to bypass SAML for accounts such as the admin user.

Support

If you require assistance, please email us at support@acceptto.com

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product and service names used in this document are for identification purposes only. Use of these names, trademarks, and brands does not constitute endorsement by the Acceptto Corporation.

ServiceNow is a registered trademark or trademark of ServiceNow, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.