Last week I worked with Principal Sales Consultant, and all-around Oracle guru, Warren Strange, author of “Strange Brew”. Together we took a couple of hours to set up SAML 2.0 between a ServiceNow instance and an Oracle Identity Federation server.

While you don’t have to customize either product to get this working, there are a few potential gotchas that we ran into. To make this an easier process for everyone, we decided to write up our experience.

The ServiceNow Side

The first step we took was to configure ServiceNow as the Service Provider (SP) in this relationship. To do this, we had to do the following:

1) Enable the SAML 2.0 Plugin
You would typically call support, or talk to your account manager, to get this activated on your instance.

2) Obtain the OIF Identity Provider Metadata
To obtain the metadata from the OIF server, we browsed to: http://yourserver.com/fed/idp/metadata (substitute your own OIF host).

3) Configure the SAML 2.0 Properties in ServiceNow

For Label (1) in the screenshot above, we used the “Location” attribute of the SingleSignOnService element in the IdP metadata, which looked like:

<SingleSignOnService
    Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
    Location="GET_THIS_VALUE_HERE"/>

For Label (2) in the screenshot above, we used the “Location” attribute of the SingleLogoutService element in the IdP metadata, which looked like:

<SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="GET_THIS_VALUE_HERE"/>

Change the properties labeled (3) and (4) in the screenshot to the URL of the ServiceNow instance you are configuring. Both must be the same URL in this configuration. (Some instances have property (3) with “/navpage.do” appended; do not include that for this configuration.)

4) Import the OIF Certificate into ServiceNow

From the Oracle IdP metadata, look for the X509Certificate under the <md:KeyDescriptor use="signing"> section.

Copy that string and place it between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines in the SAML 2.0 Certificate property of your ServiceNow instance, as seen below:

5) Build a ServiceNow SP Metadata document

This is the most complicated part of the process, but rest assured it is not that difficult. ServiceNow does not currently include the domain certificate in the SP metadata it generates, but Oracle requires the certificate to be in the metadata. We could not find a way to add the certificate manually on the Oracle side; that doesn’t mean it can’t be done, we just weren’t aware of how to do it. So the easiest way forward is to modify the metadata generated by ServiceNow to include the public certificate PEM.

You can get the PEM certificate from your client browser when browsing to your ServiceNow instance. Use your browser’s certificate viewer to export the “*.service-now.com” certificate in PEM format. You should be fine just using the text we used below. If ServiceNow ever changes the certificate, you will have to export it from the browser yourself during this configuration.

In your ServiceNow instance, click on the “Metadata” link and copy the generated metadata into a text editor.

Add the following section to your metadata between the element and the element:

    <KeyDescriptor use="signing" xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata">
      <ds:KeyInfo xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
        <ds:KeyName>*.service-now.com</ds:KeyName>
        <ds:X509Data xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
          <ds:X509Certificate xmlns:ds="http://www.w3.org/2000/09/xmldsig#">...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>

Your resulting metadata document would look something like this:

Save the metadata as a file; it is used in the OIF Server steps below.
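As an added example (not code from the post, ServiceNow or Oracle), the Python below automates the copy/paste of steps 2 to 5: it extracts the HTTP-Redirect SingleSignOnService and SingleLogoutService Locations and the use="signing" certificate from the OIF IdP metadata, wraps that certificate in PEM, and splices a KeyDescriptor carrying the SP’s PEM certificate into the ServiceNow SP metadata. The host names, entity IDs and certificate strings in the sample XML are constructed placeholders, and the insertion position assumes the SP metadata has at most an Extensions element ahead of the service endpoints.

```python
# Added helper (not from the post, ServiceNow or Oracle): idp_settings() pulls the HTTP-Redirect
# SSO/SLO Locations and the signing certificate out of OIF IdP metadata (steps 2-4); add_sp_cert()
# splices the step-5 KeyDescriptor into the ServiceNow SP metadata. Sample XML below is constructed.
import textwrap
import xml.etree.ElementTree as ET

NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata", "ds": "http://www.w3.org/2000/09/xmldsig#"}
REDIRECT = "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"

def idp_settings(idp_metadata_xml):
    """Return (sso_url, slo_url, signing_cert_pem) from OIF IdP metadata."""
    idp = ET.fromstring(idp_metadata_xml).find("md:IDPSSODescriptor", NS)
    def redirect_location(tag):  # ServiceNow is configured with the Redirect binding only
        locs = [s.get("Location") for s in idp.findall(f"md:{tag}", NS) if s.get("Binding") == REDIRECT]
        if not locs:
            raise ValueError(f"no HTTP-Redirect {tag} in IdP metadata")
        return locs[0]
    # Take the use="signing" key, or one with no 'use' (serves both); never the encryption key.
    certs = [kd.find("ds:KeyInfo/ds:X509Data/ds:X509Certificate", NS)
             for kd in idp.findall("md:KeyDescriptor", NS) if kd.get("use", "signing") == "signing"]
    b64 = next(("".join(c.text.split()) for c in certs if c is not None and c.text), "")
    if not b64:
        raise ValueError("IdP metadata carries no signing certificate")
    pem = "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % "\n".join(textwrap.wrap(b64, 64))
    return redirect_location("SingleSignOnService"), redirect_location("SingleLogoutService"), pem

def add_sp_cert(sp_metadata_xml, pem, key_name="*.service-now.com"):
    """Insert <KeyDescriptor use="signing"> carrying the SP's PEM certificate (step 5)."""
    for prefix, uri in NS.items():
        ET.register_namespace(prefix, uri)
    root = ET.fromstring(sp_metadata_xml)
    sp = root.find("md:SPSSODescriptor", NS)
    kd = ET.Element("{%s}KeyDescriptor" % NS["md"], use="signing")
    ki = ET.SubElement(kd, "{%s}KeyInfo" % NS["ds"])
    ET.SubElement(ki, "{%s}KeyName" % NS["ds"]).text = key_name
    x509 = ET.SubElement(ET.SubElement(ki, "{%s}X509Data" % NS["ds"]), "{%s}X509Certificate" % NS["ds"])
    x509.text = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    pos = 1 if len(sp) and sp[0].tag == "{%s}Extensions" % NS["md"] else 0
    sp.insert(pos, kd)  # schema order: (Extensions,) KeyDescriptor, then the service endpoints
    return ET.tostring(root, encoding="unicode")

IDP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="http://idp.example/fed/idp">
 <md:IDPSSODescriptor><md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIBcGxhY2Vob2xkZXJj
  ZXJ0</ds:X509Certificate></ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
 <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.example/fed/idp/samlv20"/>
 <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="http://idp.example/fed/idp/samlv20-post"/>
 <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="http://idp.example/fed/idp/samlv20"/>
 </md:IDPSSODescriptor></md:EntityDescriptor>"""
SP_XML = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" entityID="https://demo.service-now.com">
 <md:SPSSODescriptor><md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://demo.service-now.com/navpage.do" index="0"/></md:SPSSODescriptor></md:EntityDescriptor>"""
```

Feed idp_settings() the real /fed/idp/metadata document and add_sp_cert() the metadata copied from the ServiceNow “Metadata” link together with the exported *.service-now.com PEM; the returned strings are what steps 3 to 5 ask you to paste by hand.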

Oracle Identity Federation Configuration Steps

1) Add the ServiceNow SP Metadata into OIF

Navigate to -> Administration -> Federation

Click on the “+ Add” button

Load the metadata file that you created and saved from the ServiceNow service provider instance.

This creates a Relying Party provider in OIF.

2) Configure the new Relying Party Record in OIF

Select the newly created provider and click on the “Edit” button to manually edit the provider settings:

On the “Oracle Identity Federation Settings” tab, make sure you have the following settings:

Under “Attribute Mappings and Filters” check “Email Address” and “Transient One Time Identifier”

Under “Assertion Settings” enable “Send Signed Assertion”

Under “Protocol Settings” enable “Include Signing Certificate in XML Signatures”

Under “Messages to Send/Require Signed” enable “Send Signed” for Request – HTTP Redirect

Testing the Integration

For this setup, we used the email address as the identifier that the IdP shares with ServiceNow once authentication succeeds. For this scenario to work, the ServiceNow user list must contain a user whose email address matches that of the OIF user you test with.

To initiate SSO, go to your service-now domain. It is configured to use SP-initiated SSO, so you should see that you are redirected to OIF for authentication. Once authenticated, you will be redirected back to ServiceNow, where you will be logged in.

Credits

Many thanks to Warren Strange for reaching out to me to set up this configuration. Also thanks to the engineers on the Oracle side for answering our questions. Finally, many thanks to ServiceNow for provisioning a demo instance for us to work with to prove out SAML 2.0 functionality between OIF and ServiceNow.