Acceptto MFA for ServiceNow®

Introduction

Multi-factor authentication (MFA) is an extra layer of security used when logging in to websites or apps: individuals are authenticated through more than one required security and validation procedure, using factors that only they know or have access to. Acceptto MFA for ServiceNow® enables strong authentication and secure access via SAML to protect your user accounts and your data without exchanging usernames and passwords.

Pre-requisites
  1. Sign up for an Acceptto account here, download the It’sMe™ mobile app and sign in with your account.
  2. An Acceptto Appliance configured to connect to your user directory.
  3. An Acceptto Organization account, with access to an administrative user.
  4. Ensure that you have a user account with the admin role before enabling SAML. To configure a user as an admin, log in to your ServiceNow instance and, in the search bar in the upper left corner, search for “users”; the module is under System Security, Users.
  5. Select a specific user and at the bottom section of the page, under Roles select edit.
  6. In the Collection field type "admin", select the right arrow > , and then Save.
  7. To verify that your user is an admin, select the Impersonate User control in the upper right corner of the screen and select the user you have promoted to admin.
  8. You should be able to access privileged operations such as System Security.

  9. You need to enable the SAML plugin in your ServiceNow instance.
    1. Please note that the SAML module MUST be enabled in the ServiceNow application; check to make sure it is.
    2. Go to System Definitions -> Plugins (search for “plugins”).
    3. In Plugins, search for “Integration - Multiple Provider Single Sign-On Installer”.
    4. Select Activate/Repair and confirm activation; after a few minutes the plugin will be installed on your instance of ServiceNow.
    5. After the installation is complete, click “Close & Reload Form”.
    6. If you enable SAML and you find yourself locked out, see the instructions in the section at the end titled “Test the login to ServiceNow using Acceptto SAML Identity Provider”.
Configure the Acceptto Identity Provider (IdP)
  1. Login to the Acceptto Appliance Admin portal, and select “APPLICATIONS”.
  2. Create a new application by selecting the “New Application button”.
  3. In the Add Application dialog, select Advanced options and enter the ServiceNow configuration values.
  4. For example:

    App Name: ServiceNow instance

    Issuer or EntityID: The Issuer/EntityID of the SAML application, e.g. https://my-servicenow-instance.service-now.com

    Sign in URL: You can leave this field blank.

    Metadata URL: Your instance metadata URL, e.g. https://my-servicenow-instance.service-now.com/metadata

    Response hosts: A comma delimited list of your ServiceNow instances.

    Auth Attribute: The identifier format used for your users, in this case Email.

    SSO url (optional): Your ServiceNow instance https://my-servicenow-instance.service-now.com

  5. Press "Save".
  6. Select the Applications control, New/Edit Applications and copy the values shown in that page.
Configure ServiceNow as a Service Provider (SP)
  1. Log in to your ServiceNow instance and, in the search box in the upper left section of the page, search for and select Identity Providers.
  2. Select New, then SAML. A pop-up dialog will appear; configure it to use the URL
  3. https://your-acceptto-instance.acceptto.com/saml/metadata

    Then click "Import".

  4. This will pre-populate some of the fields required to configure the SAML Identity Provider.
  5. The Identity Provider record page will be shown, select the Advanced tab in the bottom section of the page and fill in any fields that may be missing information:
  6. Name: A description of the Identity Provider (e.g., Acceptto)

    Identity Provider URL: Your Acceptto instance (e.g., https://your-acceptto-instance.acceptto.com)

    Identity Provider AuthnRequest: Your Acceptto instance login URL (e.g., https://your-acceptto-instance.acceptto.com/saml/auth)

    ServiceNow Homepage: Your ServiceNow instance homepage (e.g., https://your-servicenow-instance.service-now.com/navpage.do)

    Entity ID / Issuer: Your ServiceNow instance (e.g., https://your-servicenow-instance.service-now.com)

    Audience URI: The target audience of the SAML response, in essence your instance (e.g., https://your-servicenow-instance.service-now.com)

    NameID Policy: The subject or name identifier inside the SAML response to an authentication request; in this case the user’s email, urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress

    Select "Update" when you are done.

  7. In the Advanced tab ensure that the following fields are completed:
  8. User Field: The user identifier, in this specific case email.

    Protocol Binding for the IDP’s SingleLogoutRequest: The method by which the SP connects to the IdP for Logout requests; in this specific case, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

  9. You will need to click Set as Auto Redirect IdP (in this image shown as “Unset Auto Redirect IdP”) under Related Links to set the Auto Redirect IdP checkbox. When you go to your ServiceNow instance to log in, you will be auto-redirected to the Acceptto IdP page.
  10. Certificate should have been added when importing metadata and you should see it at the bottom of the page.
  11. If not, you can import the certificate you obtained while configuring the IdP by selecting New under the X.509 Certificate tab and filling in the following fields.

    PEM Certificate: Paste the string identified as x.509 Certificate that you obtained while configuring the IdP.

    Name: An identifier for the certificate, e.g. Acceptto IdP Certificate.

  12. The information on the page should be similar to the image below; save the certificate by selecting "Submit":
  13. Before you can activate the newly configured IdP, select “Test Connection” in the middle section of the page; a new web page should pop up with the Acceptto IdP portal.

  14. Once you log in successfully, a page will appear with the test results; it is safe to ignore the error shown for the SSO Logout Test Results.
  15. Select Activate to enable the IdP.
  16. Go back to the search box in the upper left section of the page and type Multi-Provider SSO, select Properties under Administration, and ensure that the following controls are set:
  17. Enable multiple provider SSO: Yes

    The field on the user table that identifies a user accessing the "User identification" login page. By default, it uses the 'user_name' field: email

  18. Optionally you can enable debug logging by selecting Enable debug logging for multiple provider SSO integration.
  19. The configuration should be similar to the image below.
  20. Select the Save button.
Test the login to ServiceNow using Acceptto SAML Identity Provider
  1. Access your ServiceNow instance; it should redirect the user to the Acceptto IdP page.
  2. Log in with a valid ServiceNow user on the Acceptto IdP page.
  3. Once MFA is approved, the user is redirected to the ServiceNow instance and the ServiceNow portal is now accessible.
  4. If anything does not work as expected in steps 1 to 3, you need to log in to your instance with an account (created in the pre-requisites section of this document) by using the following URL:
  5. https://your-servicenow-instance.service-now.com/login.do

    and use your local credentials; this allows you to bypass SAML for accounts such as the admin user.

Support

If you require assistance, please email us at support@acceptto.com

Sales

Want to learn more about our MFA solutions? Contact our Professional Services for a Demo today.

Disclaimer

All product names, trademarks, and registered trademarks are the property of their respective owners.

All company, product and service names used in this document are for identification purposes only. Use of these names, trademarks, and brands does not constitute endorsement by the Acceptto Corporation.

ServiceNow is a registered trademark or trademark of ServiceNow, Inc. and/or one or more of its subsidiaries, and may be registered in the United States Patent and Trademark Office and in other countries.