Configure SSO from Salesforce to ServiceNow
Let your users log in to ServiceNow using single sign-on (SSO) from a Salesforce org configured as an identity provider.
Required Editions
| Available in: Lightning Experience and Salesforce Classic |
| Available in: Enterprise, Performance, Unlimited, and Developer Editions |
When you set up ServiceNow as a service provider and create a connected app in Salesforce, users can access ServiceNow using their Salesforce login credentials. ServiceNow supports the SAML 2.0 SSO protocol and federated SSO.
To use SAML 2.0 for SSO, a ServiceNow administrator must first activate the Integration - Multiple Provider Single Sign-On Installer plug-in. To learn how to activate the plug-in and about other configuration requirements, see the SAML 2.0 setup procedures in the ServiceNow documentation.
After you activate the plug-in, follow these high-level steps to configure SSO from Salesforce to ServiceNow.
Set Up Your Salesforce Org as an Identity Provider
With the My Domain feature, your Salesforce org is enabled as an identity provider. My Domain is required for all orgs. If you don’t like your org’s My Domain name, you can change it.
The My Domain feature also creates a certificate and key pair. The certificate establishes trust between your Salesforce org and ADP. Optionally, you can use another self-signed certificate or import a CA-signed certificate.
To provide information about your Salesforce org to ServiceNow, download identity provider metadata.
- From Setup, enter Identity Provider in the Quick Find box, and select Identity Provider.
- Click Download Metadata. The metadata includes URLs and a self-signed certificate that you use in a later step.
Configure SAML Settings in ServiceNow
- Configure identity provider properties for your Salesforce org in ServiceNow.
- Log in to your ServiceNow account as an administrator.
- Navigate to the identity provider properties under SAML 2.0 Single Sign-on.
- To enable external authentication, select Yes.
Note: After you enable external authentication, you can log in to ServiceNow only via SSO from Salesforce. If you’re locked out, you can still access ServiceNow through https://ServiceNowdomain.service-now.com/side_door.do, where ServiceNowdomain is the domain of your ServiceNow instance.
- Examine the Salesforce metadata that you downloaded.
- Find the SingleSignOnService element that specifies HTTP-Redirect as the binding attribute. The element’s location attribute lists the URL that you use to configure the AuthnRequest service.
- Find the SingleLogoutService element that specifies HTTP-Redirect as the binding attribute. The element’s location attribute lists the URL that you use to configure the SingleLogoutRequest service.
- If you plan to copy the self-signed certificate from the metadata, note its location. You copy the certificate into the ServiceNow configuration in a later step.
Note: The ServiceNow SAML 2.0 integration only supports binding to identity provider (IdP) services by HTTP-Redirect.
- Enter the properties.
- Enter the base URL for the identity provider’s AuthnRequest service. Use the location attribute for the SingleSignOnService metadata element. For example, https://MyDomainName.my.salesforce.com/idp/endpoint/HttpRedirect.
- Enter the base URL to the identity provider’s SingleLogoutRequest service. Use the location attribute for the SingleLogoutRequest metadata element. For example, https://MyDomainName.my.salesforce.com/secur/logout.jsp.
- Enter the URL that’s used to redirect the session for the first login or when SSO authentication fails. For example, https://MyDomainName.my.salesforce.com/.
- Enter the URL where you want to redirect users after they log out. For example, https://MyDomainName.my.salesforce.com/logout.
- Configure the service provider properties. In the following example service provider URLs, ServiceNowdomain is the name of your ServiceNow instance.
- Enter a URL for the home page of the ServiceNow instance. For example, https://ServiceNowdomain.service-now.com/navpage.do.
- Enter the base URL (excluding the login page) of the instance for which the IdP authenticates. For example, https://ServiceNowdomain.service-now.com.
- Navigate to certificate configuration under SAML 2.0 settings. In PEM Certificate, paste the contents of your Salesforce identity provider certificate, and click Update.

- Navigate to the login script configuration under SAML 2.0 settings. Comment out the sessionIndex section of the script, approximately lines 54–65, and click Update.
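The lookups in the "Examine the Salesforce metadata" step can be scripted. The following is an added example, not Salesforce or ServiceNow code: it pulls the HTTP-Redirect endpoints out of the downloaded metadata and emits the certificate as PEM with a SHA-256 fingerprint you can compare against the certificate you expect. The function names and the sample metadata are constructed for illustration, and the embedded certificate bytes are a placeholder, not a real certificate.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
CERT_PATH = "md:KeyDescriptor/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
FAKE_DER = b"constructed bytes, not a real certificate"  # placeholder only
# Constructed sample metadata; endpoint URLs follow the examples on this page.
SAMPLE = f"""<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://MyDomainName.my.salesforce.com">
 <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
  <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
   <ds:X509Certificate>{base64.b64encode(FAKE_DER).decode()}</ds:X509Certificate>
  </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
  <md:SingleLogoutService Binding="{REDIRECT}" Location="https://MyDomainName.my.salesforce.com/secur/logout.jsp"/>
  <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://MyDomainName.my.salesforce.com/idp/endpoint/HttpPost"/>
  <md:SingleSignOnService Binding="{REDIRECT}" Location="https://MyDomainName.my.salesforce.com/idp/endpoint/HttpRedirect"/>
 </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

def redirect_location(idp, tag):
    """Return the Location of the <tag> endpoint bound to HTTP-Redirect."""
    for el in idp.findall(f"md:{tag}", NS):
        if el.get("Binding") == REDIRECT:
            loc = el.get("Location", "")
            if not loc.startswith("https://"):
                raise ValueError(f"{tag} Location is not HTTPS: {loc!r}")
            return loc
    raise ValueError(f"no {tag} with HTTP-Redirect binding in metadata")

def read_idp_metadata(xml_text):
    # SAML metadata needs no DTD; refusing one avoids entity-expansion input.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD found in metadata; refusing to parse")
    idp = ET.fromstring(xml_text).find("md:IDPSSODescriptor", NS)
    if idp is None:
        raise ValueError("no IDPSSODescriptor in metadata")
    b64 = "".join(idp.findtext(CERT_PATH, "", NS).split())
    der = base64.b64decode(b64, validate=True)
    if not der:
        raise ValueError("no X509Certificate in metadata")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"
    return {"sso_url": redirect_location(idp, "SingleSignOnService"),
            "slo_url": redirect_location(idp, "SingleLogoutService"),
            "pem": pem, "sha256": hashlib.sha256(der).hexdigest()}

if __name__ == "__main__":
    print(read_idp_metadata(SAMPLE))
```

The `pem` value is what goes into the PEM Certificate field; `sso_url` and `slo_url` are the AuthnRequest and SingleLogoutRequest base URLs.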

Create a Connected App in Salesforce
- In Salesforce, create a connected app.
- In Lightning Experience, from Setup, enter App in the Quick Find box, and select App Manager. Click New Connected App.
- In Salesforce Classic, from Setup, enter Apps in the Quick Find box, and select Apps. Under Connected Apps, click New.
- Configure the connected app Basic Information settings.
- Enter a name for the ServiceNow application. Salesforce uses this name to populate the API name.
- Enter your email address in case Salesforce needs to contact you or your support team.
- Optionally, upload or specify a logo and icon to represent your ServiceNow application in the Salesforce App Launcher.
- Configure the connected app Web App Settings.
- Select Enable SAML.
- For Entity Id, enter the URL for your ServiceNow domain. For example, https://ServiceNowdomain.service-now.com.
- For ACS URL, enter the URL for your ServiceNow domain. For example, https://ServiceNowdomain.service-now.com.
- For Subject Type, select Username.
- For Name ID Format, select urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress.
- For Issuer, keep the default value, which is your My Domain login URL.
- Save the settings.
- Configure profiles and permission sets for the connected app.
- From Setup, enter Apps in the Quick Find box.
- If you’re using Lightning Experience, select Manage Connected Apps.
- If you’re using Salesforce Classic, under Manage Apps, select Connected Apps.
- Click the name of your connected app for ServiceNow. The connected app detail page appears.
- Click Manage Profiles or Manage Permission Sets, and add profiles or permission sets for the users who can access this app.
- In Salesforce, enter the Start URL for the connected app.
- On the connected app detail page, click Edit Policies.
- For Start URL, enter your ServiceNow URL. For example, https://ServiceNowdomain.service-now.com/navpage.do.
- Save the settings.
Test the SSO Configuration
In Salesforce, from the App Launcher, find and open the ServiceNow app. If you configured the ServiceNow logo and icon for the connected app, the App Launcher displays them.
If SSO is configured properly, Salesforce creates a session for your application.

