Applicable Versions: Fuji, Geneva, Helsinki, Istanbul (June 2017) and Jakarta (August 2017)
ServiceNow is a very popular IT Service Management solution that includes capabilities like workflow and approvals, asset management, discovery, orchestration and more. In the previous article, I outlined the steps to set up federation with ServiceNow using Multi-Provider SSO. In subsequent posts we'll discuss how to add ServiceNow workflow and approvals to apps and shared accounts using the Centrify ServiceNow store apps.
We'll continue to use the Plan-Do (Implement)-Check (Test)-Adjust (Enhance) methodology:
What you'll need
- A Centrify Identity Service Instance with some published apps
- A ServiceNow Instance that allows you to install apps from the ServiceNow app store
- Administrative accounts on both systems
During planning, discuss these topics with your Infrastructure, Operations and Security teams:
- What are the source directories for SN users?
It's possible that AD, LDAP or other directories will be involved; depending on the user populations, this adds complexity.
- Will role mapping be used?
This feature allows the provisioning of the user's ServiceNow role in addition to account creation.
- Are the target Roles created in ServiceNow?
ServiceNow has several canned groups, however it's possible that your organization needs custom roles for different entitlements.
- Are the source groups created in the corresponding source Directories?
Group management simplifies the provisioning on each target Directory. For example, adding a user to an AD group can simplify the provisioning process.
- Are the Centrify Roles created based on the information gathered?
- Is the UserID field correctly identified for mapping? Will any transformations be needed?
In some implementations it's preferred to use the email address as the unique identifier.
- What will be the provisioning behavior? Overwrite existing entries or leave as is?
Depending on the situation, overwriting may or may not be desirable.
- What will be the deprovisioning behavior? Disable or Delete the user?
In instances in which important data is left behind on systems, it's better to disable the account instead of deleting it.
- What will be the behavior when users are removed from a ServiceNow group?
Users may change functions, therefore this behavior has to be defined beforehand.
- Will all the users have the attributes required for provisioning (e.g. E-mail)?
- Download and Install the Identity Service App from the ServiceNow App Store
- Update the State field in the ServiceNow User Role Table
- Create a ServiceNow User and Assign it a special role
- Configure Provisioning on the Centrify ServiceNow App
Download and Install the Identity Service App from the ServiceNow App Store
- Go to the ServiceNow app store and search for Centrify.
- Click the Centrify Identity Service app.
- Click Get to make the Centrify Identity Service app available for your ServiceNow instances.
- Go to the ServiceNow instance, select System Applications > Applications > Downloads to locate the app then click Install to install it.
Update the User Role table
- In the left pane, search for Tables and select System Definition > Tables.
- In the Tables tab, make sure the Go to picker says name, and search for sys_user_has_role.
- In the User Role table, click the State field, scroll down to Choices and press New.
- Add a new field with Label Inactive and Value inactive, then press Update.
Create a ServiceNow User and Assign Role
You need to create a service account that will be assigned one of the roles created by the Identity Service app. This role contains all the entitlements needed for provisioning.
- In the left pane, go to System Security > Users and Groups > Users and press New. Then set:
Password: type a complex password
Other fields: optional
Press Submit when complete and make sure you write down the credential information.
- Click the user you just created in the list of users.
- Scroll down and click Edit in the Roles section.
- Search for x_cenr3_centrify_u.centrify_admin and select it.
- Click > to add it to the Roles list.
- Click Save.
Configure Provisioning on the Centrify ServiceNow App
- Log in to Identity Service as a user with at least the Application Management right.
- Go to Apps > ServiceNow Web - SAML + Provisioning > Provisioning
- Check the "Enable provisioning for this application" box. Ideally you'll start with Preview Mode first.
- Configure the connection details:
Account Name - type the ServiceNow instance ID
Admin Name - type the name of the previously created SN user
Admin Password - type the password for the previously created user
Other Provisioning Options
The following configuration items correspond to the decisions made in the planning section. For example, in my test environment I decided to have three distinct Identity Service roles that map to different ServiceNow roles:
I chose not to delete users when they are deprovisioned (just disable them) and to do sync overwrites:
Finally, for more complex scenarios, there is the possibility to use custom scripting for transformations and other options:
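As an added example (not code from the original post or from Centrify), the planning decisions and the choices made in this section, simulated in Python as a preview-mode plan: role mapping, the e-mail address as the user identifier, overwrite versus leave-as-is, disable versus delete on deprovisioning, and users missing a required attribute. The role names, sample users and action vocabulary are assumptions.

```python
# Hypothetical Identity Service role -> ServiceNow role map (assumed names).
ROLE_MAP = {"SN Admins": "admin", "SN Fulfillers": "itil", "SN Users": "snc_internal"}

def user_id(source_user):
    """Transformation: the lower-cased e-mail address is the unique ServiceNow user_name."""
    mail = source_user.get("mail")
    return mail.lower() if mail else None

def plan_sync(source_users, target_users, overwrite=True, delete_on_deprovision=False):
    """Return the (action, uid, detail) tuples one sync would apply; nothing is changed (preview).
    target_users maps user_name -> {"active": bool, "roles": set of ServiceNow roles}."""
    actions, wanted = [], set()
    for u in source_users:
        uid = user_id(u)
        if uid is None:  # required attribute missing: report it rather than guess an ID
            actions.append(("error", u["sam"], "no e-mail address"))
            continue
        wanted.add(uid)
        roles = {ROLE_MAP[r] for r in u["roles"] if r in ROLE_MAP}
        current = target_users.get(uid)
        if current is None:
            actions.append(("create", uid, sorted(roles)))
            continue
        if not current["active"]:
            actions.append(("enable", uid, None))
        if overwrite and current["roles"] != roles:
            actions.append(("set_roles", uid, sorted(roles)))  # removal from a group strips the role
        elif not overwrite and roles - current["roles"]:
            actions.append(("add_roles", uid, sorted(roles - current["roles"])))  # never strip
    for uid, current in target_users.items():  # no longer in any mapped role -> deprovision
        if uid not in wanted and current["active"]:
            actions.append(("delete" if delete_on_deprovision else "disable", uid, None))
    return actions

# Constructed sample data (not from any real directory or ServiceNow instance).
SOURCE_USERS = [
    {"sam": "stewie.griffin", "mail": "Stewie.Griffin@example.com", "roles": ["SN Admins"]},
    {"sam": "peter.griffin", "mail": "peter.griffin@example.com", "roles": ["SN Users"]},
    {"sam": "lois.griffin", "mail": None, "roles": ["SN Fulfillers"]},
]
TARGET_USERS = {
    "peter.griffin@example.com": {"active": True, "roles": {"admin"}},
    "brian.griffin@example.com": {"active": True, "roles": {"itil"}},
    "meg.griffin@example.com": {"active": False, "roles": set()},
}

if __name__ == "__main__":
    for action in plan_sync(SOURCE_USERS, TARGET_USERS):
        print(action)
```

Run it with `overwrite=False` or `delete_on_deprovision=True` to see how each planning choice changes the plan before anything touches the instance.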
Centrify Identity Service provides several options to verify that provisioning will work as expected. In the previous section you saw the Preview Mode option. Using the Admin Portal > Settings > Users > Outbound Provisioning gives you the option to trigger a sync on all apps or an individual app. Once you trigger the sync, you have the option to see the activity.
In my example, I added an AD User (stewie.griffin) to ServiceNow Admins role, and these are the results.
Once you have determined that all the provisioning actions are working as expected, you can enable live mode and verify the results on the ServiceNow side.
There are different ways to enhance this implementation with additional controls, such as multi-factor authentication, restricting ServiceNow access to the corporate network, geo-fencing, etc. Explore Identity Service's policy features.
There are multiple resources available in the documentation and tech blogs: