Reverse Proxy for ServiceNow with Pingfed IdP

This topic provides instructions to configure Netskope Reverse Proxy for ServiceNow with Pingfed IdP.

Recommendation

It is recommended to first integrate ServiceNow with Pingfed directly, without the Netskope SAML Proxy, and confirm that sign-in works before proceeding with the configuration below.

Netskope SAML Reverse Proxy configuration

  1. Log in to the Netskope tenant web UI and go to Settings > Security Cloud Platform > Reverse Proxy > SAML.

  2. Add an account by selecting ServiceNow from the APPLICATION option.

    • ACS URL – ServiceNow ACS URL

    • IDP SSO URL – Pingfed SSO URL

    • IDP Certificate – Pingfed Certificate

      Copy the SAML Proxy ACS URL, IdP URL and Certificate values from the Netskope settings; they are needed to configure the ServiceNow Identity Provider and the Pingfed SP connection, as described in the ServiceNow Configuration section of this topic.

  3. Enable Emergency Bypass mode for the SSO account.

  4. Enable the Multiple SAML entity ID support feature for the SAML Reverse Proxy by using the following API call.

    curl -X POST http://dpmgmtsvc:80/saml/config/template/<tenant_id> -H 'content-type:application/json' -d '{"multiEntityId": {"<app_id_1>": ["https://saml-<tenant_name>/<org_hash>/<acs_id_1>", "https://saml-<tenant_name>/<org_hash>/<acs_id_2>"]}}'
    Example: curl -X POST http://dpmgmtsvc:80/saml/config/template/1042 -H 'content-type:application/json' -d '{"multiEntityId": {"2115": ["https://saml-example.test.local/7Vw4TjT9VWcwvgJM6Q6j/31", "https://saml-example.test.local/7Vw4TjT9VWcwvgJM6Q6j/33"]}}'
    The acs_id for the ServiceNow app is 2115. The request body must be valid JSON: the value of "multiEntityId" is an object whose keys are quoted app IDs and whose values are lists of entity URLs.
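Because the request body above is easy to get wrong by hand (an unquoted key or an unbalanced brace makes it invalid JSON, which the API cannot parse), here is an added Python helper that is not Netskope's code: it builds the multiEntityId payload from the tenant name, org hash and ACS IDs, validates a payload before it is sent, and prints the matching curl command. The entity URL pattern and the sample values (tenant 1042, app 2115, ACS IDs 31 and 33) are taken from the example above; the validation rules (numeric app ID key, one or more well-formed, distinct entity URLs) are assumptions derived from that example, not documented API constraints.

```python
import json
import re
import shlex

# Shape of one SAML proxy entity URL as shown in the example on this page:
# https://saml-<tenant_name>/<org_hash>/<acs_id>
ENTITY_URL_RE = re.compile(r"^https://saml-[^/]+/[A-Za-z0-9]+/\d+$")

# Constructed copy of the kind of hand-typed body that fails: the app-id key is
# not wrapped in an object, so the braces do not balance.
MALFORMED_EXAMPLE = (
    '{"multiEntityId": "2115": ["https://saml-example.test.local/7Vw4TjT9VWcwvgJM6Q6j/31", '
    '"https://saml-example.test.local/7Vw4TjT9VWcwvgJM6Q6j/33"]}}'
)


def proxy_entity_url(tenant_name: str, org_hash: str, acs_id: int) -> str:
    """Build one SAML proxy entity URL in the form the API expects."""
    return f"https://saml-{tenant_name}/{org_hash}/{acs_id}"


def build_multi_entity_payload(app_id: int, tenant_name: str, org_hash: str, acs_ids) -> str:
    """Return the JSON request body for the multi-entity-ID API call."""
    if not acs_ids:
        raise ValueError("at least one ACS id is required")
    urls = [proxy_entity_url(tenant_name, org_hash, acs_id) for acs_id in acs_ids]
    return json.dumps({"multiEntityId": {str(app_id): urls}})


def validate_multi_entity_payload(body: str) -> dict:
    """Parse and sanity-check a request body; return the parsed dict or raise ValueError."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"payload is not valid JSON: {exc}") from None
    mapping = data.get("multiEntityId") if isinstance(data, dict) else None
    if not isinstance(mapping, dict) or not mapping:
        raise ValueError('"multiEntityId" must be a non-empty object keyed by app id')
    for app_id, urls in mapping.items():
        if not app_id.isdigit():
            raise ValueError(f"app id {app_id!r} is not numeric")
        if not isinstance(urls, list) or not urls:
            raise ValueError(f"app id {app_id}: entity URL list is empty")
        for url in urls:
            if not isinstance(url, str) or not ENTITY_URL_RE.match(url):
                raise ValueError(f"app id {app_id}: malformed entity URL {url!r}")
        if len(set(urls)) != len(urls):
            raise ValueError(f"app id {app_id}: duplicate entity URLs")
    return data


def is_valid_payload(body: str) -> bool:
    """Boolean wrapper around validate_multi_entity_payload()."""
    try:
        validate_multi_entity_payload(body)
        return True
    except ValueError:
        return False


def curl_command(tenant_id: int, body: str) -> str:
    """Render the curl invocation from the page with a shell-safe, validated body."""
    validate_multi_entity_payload(body)
    return (
        f"curl -X POST http://dpmgmtsvc:80/saml/config/template/{tenant_id} "
        f"-H 'content-type:application/json' -d {shlex.quote(body)}"
    )


if __name__ == "__main__":
    body = build_multi_entity_payload(2115, "example.test.local", "7Vw4TjT9VWcwvgJM6Q6j", [31, 33])
    print(curl_command(1042, body))
    print("malformed example accepted:", is_valid_payload(MALFORMED_EXAMPLE))
```

Running the script prints the corrected curl command and reports that the malformed body is rejected; pasting the printed command is safer than editing the braces by hand.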

Pingfed IdP Configuration

  1. Log in to the Pingfed IdP with admin credentials.

  2. Click SP Connections and create a new SP connection using the SAML 2.0 protocol, as shown in the screenshot below.

  3. Export the Pingfed SP connection metadata.

ServiceNow Configuration

  1. Create a dev ServiceNow tenant at the following URL: https://developer.servicenow.com

  2. As a prerequisite, install the required plugins in ServiceNow.

  3. Set up a new Identity Provider by navigating to Multi-Provider SSO > Identity Providers.

    • Click New, select SAML, and import your Pingfed metadata using the XML option.

    • Configure the following settings with the values listed.

      • Identity Provider URL = Netskope SAML proxy Multi entity URL.

      • Identity Provider’s AuthnRequest = Netskope SAML Proxy IdP URL.

      • Audience URI = Netskope SAML proxy Multi entity URL.

      • On the User Provisioning tab, uncheck Auto Provisioning User and Update User Record Upon Each Login.

      • In the Advanced tab, configure the following:

        • Protocol Binding for the IDP’s AuthnRequest = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

        • Protocol Binding for the IDP’s SingleLogoutRequest = urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

        • AuthnContextClassRef Method = urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified

      • Import the Netskope SAML certificate in the X509 Certificate section.

      • Save the configuration.
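The settings above only work if the values the SAML proxy places in the response line up with what ServiceNow has been told to expect: the Issuer must equal the Identity Provider URL, the Audience must equal the Audience URI, and the Destination must be the ACS URL, with the AuthnContextClassRef matching the configured method. The following added Python example, which is not part of this page and not ServiceNow or Netskope code, parses a constructed, unsigned sample response and reports every mismatch; it is the kind of check to run when the connection test in step 5 fails. The entity URL reuses the example tenant values from the API step, the ServiceNow ACS URL and NameID are placeholders, and signature verification against the imported certificate is assumed to happen separately (a real SP does that before any of these field checks).

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
UNSPECIFIED = "urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified"

# Values an admin would have entered on the ServiceNow Identity Provider form.
# The entity URL reuses the page's example tenant/org hash; the ACS URL is a placeholder.
IDP_URL = "https://saml-example.test.local/7Vw4TjT9VWcwvgJM6Q6j/31"       # Identity Provider URL
AUDIENCE_URI = "https://saml-example.test.local/7Vw4TjT9VWcwvgJM6Q6j/31"  # Audience URI
ACS_URL = "https://dev00000.service-now.com/navpage.do"                   # placeholder ACS URL

# Constructed, unsigned sample response (not captured from any real system).
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z" Destination="{ACS_URL}">
  <saml:Issuer>{IDP_URL}</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00Z">
    <saml:Issuer>{IDP_URL}</saml:Issuer>
    <saml:Subject><saml:NameID>user@example.test.local</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
      <saml:AudienceRestriction><saml:Audience>{AUDIENCE_URI}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AuthnStatement AuthnInstant="2024-01-01T12:00:00Z">
      <saml:AuthnContext><saml:AuthnContextClassRef>{UNSPECIFIED}</saml:AuthnContextClassRef></saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def _ts(value: str) -> datetime:
    """Parse the SAML UTC timestamp format used in the sample ("...Z")."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_response(xml_text: str, idp_url: str, audience_uri: str, acs_url: str, now: str) -> list:
    """Return a list of mismatches between the response and the SP-side settings.

    `now` is a UTC timestamp string so the validity window can be checked deterministically.
    Signature verification is out of scope here and must be done before trusting any field.
    """
    root = ET.fromstring(xml_text)
    problems = []

    if root.get("Destination") != acs_url:
        problems.append(f"Destination {root.get('Destination')!r} != ACS URL {acs_url!r}")

    status = root.find("samlp:Status/samlp:StatusCode", NS)
    if status is None or status.get("Value") != SUCCESS:
        problems.append("status is not Success")

    assertions = root.findall("saml:Assertion", NS)
    if len(assertions) != 1:
        problems.append(f"expected exactly one Assertion, found {len(assertions)}")
        return problems
    assertion = assertions[0]

    # Both Issuer elements must equal the configured Identity Provider URL.
    for label, node in (("Response", root), ("Assertion", assertion)):
        issuer = node.findtext("saml:Issuer", default="", namespaces=NS)
        if issuer != idp_url:
            problems.append(f"{label} Issuer {issuer!r} != Identity Provider URL {idp_url!r}")

    audiences = [a.text for a in assertion.findall(
        "saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if audience_uri not in audiences:
        problems.append(f"Audience {audiences!r} does not include Audience URI {audience_uri!r}")

    cond = assertion.find("saml:Conditions", NS)
    if cond is not None:
        current = _ts(now)
        not_before, not_on_or_after = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if not_before and current < _ts(not_before):
            problems.append("assertion not yet valid (NotBefore)")
        if not_on_or_after and current >= _ts(not_on_or_after):
            problems.append("assertion expired (NotOnOrAfter)")

    ctx = assertion.findtext(
        "saml:AuthnStatement/saml:AuthnContext/saml:AuthnContextClassRef", default="", namespaces=NS)
    if ctx != UNSPECIFIED:
        problems.append(f"AuthnContextClassRef {ctx!r} != {UNSPECIFIED!r}")
    return problems


if __name__ == "__main__":
    for problem in check_response(SAMPLE_RESPONSE, IDP_URL, AUDIENCE_URI, ACS_URL, "2024-01-01T12:01:00Z"):
        print("MISMATCH:", problem)
    print("done")
```

Feed the decoded SAMLResponse from a failed login into check_response with the values pasted into the ServiceNow form; an empty list means the three URLs and the AuthnContext method line up, and each entry names the field that was pasted wrong.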

  4. Enable SP-initiated SAML for a specific user or for all users in the organization.

    1. Go to Multi-Provider SSO > Identity Providers.

    2. Right-click an identity provider record and select Copy sys_id.

    3. Save the sys_id value. You’ll need to use this value for the SP-initiated flow.

    4. If you want to enable SP-initiated SAML on a user-by-user basis instead of for all users within a given company, do the following:

      • Go to the Users page from the Filter navigator at the top left of the page.

      • Select any given user to go to the user details page – the specific user you choose doesn’t matter.

      • From the menu icon, select Configure, then Form Design.

      • From the Fields sidebar on the left, select and drag the SSO Source field to the User [sys_user] table in the middle of the page as the last attribute in the list.

      • Click Save.

      • To enable SP-Initiated SAML for a specific user, go back to the Users page from the Filter Navigator.

      • Select your specific user to navigate to the user details page.

      • In the SSO Source field, type sso: and then paste the sys_id from the Identity Provider you created with the Multi-Provider SSO plugin. Choose Update to finish.

    5. If you want to enable SP-Initiated SAML for all users within a given company instead of on a user-by-user basis, do the following:

      • Go to the My Company page from the Filter Navigator at the top left of the page.

      • From the menu icon, select Configure, then Form Design for the Company.

      • From the Fields sidebar on the left, select and drag the SSO Source field to the Company [core_company] table in the middle of the page as the last attribute in the list.

      • Click Save.

      • To apply SP-Initiated SAML to all users in a specific company, go back to the My Company page from the Filter Navigator.

      • In the SSO Source field, type sso:. Paste the sys_id from the Identity Provider you created with the Multi-Provider SSO plugin. Choose Update to finish.

      Reference: https://saml-doc.okta.com/SAML_Docs/How-to-Configure-SAML-2.0-for-ServiceNow.html#:~:text=To%20enable%20SP%2DInitiated%20SAML%20for%20a%20specific%20user%2C%20go,the%20Multi%2DProvider%20SSO%20plugin

  5. Test the connection. Once the connection test succeeds, activate the connection.

  6. Disable Emergency Bypass mode for the SSO account from the Netskope web UI.

ServiceNow Troubleshooting

  1. If the Identity Provider connection cannot be activated:

    • Create a new System Property (search the navigator for sys_properties.list) named glide.authenticate.multisso.test.connection.mandatory with Type true|false and Value False.

    • Re-test your IdP connection.

    • Click Activate, then Update and Exit.

  2. If you need to check logs, refer to the log location on the ServiceNow instance.
