Multi-Factor Authentication (MFA) is an extra layer of security used when logging into websites or apps. Users are authenticated through more than one required security and validation procedure, each based on something only they know or have access to.
ServiceNow® is a company that provides service management software as a service. It specializes in IT services management (ITSM), IT operations management (ITOM), and IT business management (ITBM). Acceptto™ MFA for ServiceNow enables strong authentication and secure access via SAML to protect your user accounts and your data without exchanging usernames and passwords.
Pre-requisites
An Acceptto Appliance connected to your user directory (for example Microsoft™ 'Active Directory™').
The user population that is going to be authenticated via SAML must be enrolled in the It’sMe™ Application.
A user with administrative privileges for the Acceptto Appliance.
A user with administrative privileges for the ServiceNow instance.
- Ensure that you have a user account that has the admin role before enabling SAML. To configure a user as an admin, log in to your ServiceNow instance and select System Security, Users.
- Select a specific user and, at the bottom section of the page, under Roles, select edit.
- In the Collection field type "admin," select the right arrow, and Save.
- To verify that your user is an admin, select the Impersonate User control in the upper right corner of the screen and select the user you have promoted to admin.
- You should be able to access privileged operations such as System Security.
- If you enable SAML and do not have a user account enabled as admin, see the instructions in the section Configure ServiceNow as a Service Provider (SP).
Acceptto SAML Configuration as Identity Provider (IdP)
Log in to the Acceptto Appliance Admin portal with an administrative account and select “APPLICATIONS.”
Create a new application by selecting the Create New Application button.
In the Add Application dialog, enter the following values (Advanced Options button allows additional optional configuration):
App Name: The application name displayed in the admin panel and application portal. For example, ServiceNow instance
Issuer or EntityID: The Issuer/EntityID of the SAML application. For example, https://my-servicenow-instance.service-now.com
Sign in URL: The link used by your users to access the ServiceNow instance. You can leave this field blank.
Metadata URL: The URL containing metadata about your ServiceNow instance, such as https://my-servicenow-instance.service-now.com/metadata
Response hosts: A comma-delimited list of your ServiceNow instances.
Auth Attribute: The format that is used for your users, in this case, email.
SSO URL (optional): Your ServiceNow instance URL, such as https://my-servicenow-instance.service-now.com
Click Save to create the Application.
Select Show ID Provider Data and copy the information shown on this page.
Configure ServiceNow as a Service Provider (SP)
- Log in to your ServiceNow instance and on the upper left section of the page search and select Plugins.
- Search for the plugin Integration - Multiple Provider Single Sign-On Installer and then select it.
- Click Activate/Upgrade under Relative Links.
- Go back to the left upper section and search and select Identity Providers.
- Select New, then select SAML. A pop-up dialog appears; configure it to use the URL.
- Click "import."
This pre-populates some of the fields required to configure the SAML Identity Provider.
The Identity Provider record page is shown. Select Advanced in the bottom section of the page and fill in any fields that may be missing information:
Name: A description of the Identity Provider, e.g., Acceptto
Identity Provider URL: Your Acceptto instance, e.g., https://your-acceptto-instance.acceptto.com
Identity Provider AuthnRequest: Your Acceptto instance login URL, e.g., https://your-acceptto-instance.acceptto.com/saml/auth
ServiceNow Homepage: Your ServiceNow instance homepage, e.g., https://your-servicenow-instance.service-now.com/navpage.do
Entity ID / Issuer: Your ServiceNow instance, e.g., https://your-servicenow-instance.service-now.com
Audience URI: The target audience of the SAML response, in essence, your instance, e.g., https://your-servicenow-instance.service-now.com
NameID Policy: The subject or name identifier inside the SAML response to an authentication request, in this case the user’s email urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress
In the Advanced tab ensure that the following fields are completed:
User Field: The user identifier, in this specific case, email.
Protocol Binding for the IDP’s SingleLogoutRequest: The method by which the SP connects to the IdP for Logout requests, in this specific case, urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
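The Issuer, Audience URI and NameID Policy values above can be checked against a SAML response captured during testing. The script below is an added example, not Acceptto or ServiceNow code: the sample response is constructed, the hostnames are this page's placeholders, and it assumes the IdP sends its Identity Provider URL as the Issuer. It compares field values only and does not verify the signature.

```python
import xml.etree.ElementTree as ET

NS = {"a": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Values from the Identity Provider record fields (placeholder hostnames).
EXPECTED = {
    "issuer": "https://your-acceptto-instance.acceptto.com",
    "audience": "https://your-servicenow-instance.service-now.com",
    "nameid_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
}

# Constructed sample response (unsigned, trimmed to the fields being checked).
SAMPLE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0">
    <saml:Issuer>https://your-acceptto-instance.acceptto.com</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@example.com</saml:NameID>
    </saml:Subject>
    <saml:Conditions><saml:AudienceRestriction>
      <saml:Audience>https://your-servicenow-instance.service-now.com</saml:Audience>
    </saml:AudienceRestriction></saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_response(xml_text, expected=EXPECTED):
    """Return a list of mismatches between a SAML response and the SP settings."""
    root = ET.fromstring(xml_text)
    assertions = root.findall("a:Assertion", NS)
    if len(assertions) != 1:
        return [f"expected exactly one Assertion, found {len(assertions)}"]
    assertion, problems = assertions[0], []
    issuer = assertion.findtext("a:Issuer", default="", namespaces=NS).strip()
    if issuer != expected["issuer"]:
        problems.append(f"Issuer {issuer!r} does not match the Identity Provider URL")
    # Exact string match: a trailing slash or http/https difference is a mismatch.
    audiences = [e.text.strip() for e in assertion.findall(".//a:Audience", NS) if e.text]
    if expected["audience"] not in audiences:
        problems.append(f"Audience URI not found in {audiences}")
    name_id = assertion.find("a:Subject/a:NameID", NS)
    if name_id is None or name_id.get("Format") != expected["nameid_format"]:
        problems.append("NameID is absent or not in emailAddress format")
    elif "@" not in (name_id.text or ""):
        problems.append("NameID value is not an email address")
    return problems


if __name__ == "__main__":
    print(check_response(SAMPLE) or "response matches the configured values")
```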
The configuration should be similar to the image below:
Once the SAML configuration is complete, import the certificate you obtained while configuring the IdP by selecting New under the X.509 Certificate tab and fill in the following fields.
PEM Certificate: Paste the string identified as x.509 Certificate you obtained while configuring the IdP.
Name: An identifier of the certificate, e.g., Acceptto IdP Certificate.
The information on the page should be similar to the image below. Save the certificate by selecting Submit.
- Before you can activate the newly configured IdP, select Test Connection in the middle section of the page. A new webpage should pop up with the Acceptto IdP portal.
- Once you log in successfully, a page appears with the test results. It is safe to ignore the error shown for the SSO Logout Test Results.
Select Activate to enable the IdP.
Go back to the search box on the upper left section of the page and type Multi-Provider SSO, select Properties under Administration, and ensure that the following controls are set:
Enable multiple provider SSO: Yes
The field on the user table that identifies a user accessing the "User identification" login page. By default, it uses the 'user_name' field: email
Enable debug logging for multiple provider SSO integration: Yes (optional)
Test your setup
- Go to your ServiceNow instance. You will be redirected to the Acceptto SAML page.
- After successful authentication, you will see the Acceptto MFA options and need to select your desired method and pass the verification stage on your It’sMe mobile app.
- You are now authenticated with Acceptto SSO-MFA and will be redirected to your ServiceNow portal.
- If anything does not work as expected in steps 1 to 3, you need to log in with an account (created in the pre-requisites section of this document) to your instance by using the following URL:
Using your local credentials allows you to bypass SAML for accounts such as the admin user.
If you require assistance, please email us at firstname.lastname@example.org
All product names, trademarks, and registered trademarks are the property of their respective owners.
All company, product, and service names used in this document are for identification purposes only. The use of these names, trademarks, and brands does not constitute an endorsement by the Acceptto Corporation.
ServiceNow is either a registered trademark or a trademark of ServiceNow and/or one or more of its subsidiaries in the United States and/or other countries.
Microsoft and 'Active Directory' are either registered trademarks or trademarks of Microsoft and/or one or more of its subsidiaries in the United States and/or other countries.