If 2011 was the year of ADFS SAML 2.0 implementations in ServiceNow, then 2012 looks like it will be the year of Kerberos Authentication with ADFS and ServiceNow.
Over the past few weeks I have had a number of customers contact me regarding better support of their Kerberos authentication when they are using ADFS and SAML to do Single Sign-on with ServiceNow.
Thanks to some help from Microsoft, and a lot of coordination from a client in Switzerland, we have been able to provide better support for users who are logging into ServiceNow via Kerberos authentication with Windows.
The idea behind Kerberos authentication is that when you authenticate to the Windows desktop, you are establishing a SAML session. If someone browses to ServiceNow and they don’t have an active ServiceNow session, the SAML should detect that they have a SAML session alive through Kerberos and automatically authenticate the user into ServiceNow without having to type ADFS credentials.
However, with the current setup, regardless of the user having a SAML session via Kerberos, ServiceNow would redirect to the IdP and the IdP would display the ADFS login screen. It wasn’t detecting the Kerberos session.
The reason behind this situation is that the ServiceNow SAML plugin supports PasswordProtectedTransport for it’s authentication context. This is also known as “forms-based authentication”. This tells the IdP that the user should be presented a form by the IdP where they should authenticate. However, with Kerberos, the SAML session is already active through an established Windows login, so the user shouldn’t have to be presented a form for authentication.
The bad news here is that ServiceNow SAML 2.0 does not support Windows authentication out of the box. The good news, however, is that it is an easy customization.
The Theory
SAML has an attribute that tells the IdP what type of authentication we are expecting them to perform in order to qualify a user. This attribute is the AuthnContextClassRef. This element takes a URN string that identifies that method.
As mentioned previously, the PasswordProtectedTransport method indicates that we require form-based authentication. The string used to identify that is:
urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport
The Windows authentication methodology is specified by using this string:
urn:federation:authentication:windows
This tells the ADFS IdP that we are expecting that they try their Windows login in order to validate the authentication of a given user.
The Solution
New Update: If you download the update set that provides Additional SAML 2.0 Configuration Options then you will not need to modify the SAML scripts as outlined below.
In order to enjoy the full benefits of a Kerberos authentication setup with ADFS, perform the following steps:
1) Perform the steps outlined in my blog post: AD FS 2.0 working with ServiceNow SAML 2.0
2) Apply the fix outlined in Fixing SP Initiated Login with ADFS 2.0 and ServiceNow SAML
3) Modify the SAML “Script Object” according to these instructions:
Browse to the SAML application in ServiceNow and click on the “Script Object” module.
In the script that comes up, find the following line:
1 | authnContextClassRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"); |
Comment out that line and add a new line as seen below:
1 2 | //authnContextClassRef.setAuthnContextClassRef("urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"); authnContextClassRef.setAuthnContextClassRef("urn:federation:authentication:windows"); |
Then, save the script.
Disclaimer
As this is not out of the box code for the ServiceNow SAML 2.0 plugin, it has not been thoroughly tested by a large number of users. Please use at your own risk.
Please also understand that by modifying an out-of-the-box script such as this, you will not automatically get future updates applied to this script.
Great work, John!
Can we hope to get this turned into a property?
That is my plan. I should be meeting with the development team soon to give them all of my proposed changes to be more compatible with ADFS and to fix other minor issues. Hopefully we should see this in the the product soon.
John, This is incredible. SN was getting “bad press” internally when ADFS wasn’t working. We’d be wealthy if we got paid by questions about not being able to log in. Now we have seamless login and deep links are working.
The one thing still not working is access to ESS links. Is that because the URLs used in ADFS are specifying the /navpage.do which isn’t used by ess?
@Troy,
In order to get ESS links to work with SAML 2.0 deep linking, you must modify the ESS links to be within the nav_to.do url format:
https://myinstance.service-now.com/nav_to.do?uri=<the_deep_link_relative_path>
For example, say you want to send someone this link:
https://myinstance.service-now.com/catalog_home.do?sysparm_view=catalog_default
For it to work with SAML 2.0, you would need to URL Encode the following portion of the link:
catalog_home.do?sysparm_view=catalog_default
And attach it as the “uri” parameter for the nav_to.do page as seen below:
https://myinstance.service-now.com/nav_to.do?uri=catalog_home.do%3Fsysparm_view%3Dcatalog_default
John, thanks for the response. I believe that Troy is talking about CMS links.
Is there something special about the nav_to.do page that allows this to happen, or is it just a a bit of an update to the the SAML 2 installation exit?
There is a recent community post about CMS and SSO here:
http://community.service-now.com/forum/9617
Tyler Jones’ reply indicates that the root cause is that CMS requires a private UI page in order to use SSO. Since the default CMS pages are public, SSO never gets called.
If you create a new UI page, for example redirector.do, then a URL like this should work for CMS pages:
https://myinstance.service-now.com/redirector.do?uri=catalog_home.do%3Fsysparm_view%3Dcatalog_default
Thanks for your posts John, I’ve been able to get SSO working by following your clear instructions.
One question though, have you figured out a way to have both Kerberos authentication when inside the corporate network and forms based authentication when the user is outside the network?
Thanks and keep up the good work!
Alex
@Alex,
Thanks for the compliment on the blogs. One way you may be able to accomplish what you seek is to not set any AuthnContextClassRef. Instead, just comment out the line rather than specify Kerberos. What this does is it tells the IdP that we don’t care what it uses to authenticate the user. We let it decide. Then the IdP can determine if windows authentication will work or if it needs to display a form.
I don’t know the specifics for that on the IdP, but that is how I would attempt it.
Good luck!
@John,
Nice blog post. Here is some additional information you might want to include to support both form based authentication (for external) and windows integrated authentication (for internal).
http://www.credexo.com/company-overview/our-blogs/servicenow-adfs-do-you-want-to-enable-form-based-external-windows-integrated-logon-internal
Thanks,
Jameel
John,
Where does the above workaround fit with the “SAML 2.0 Update 1” plugin update?
I see that there is a new script include. We were having issues implementing at a client site and needed to update the plugin as the main wiki article shows the new properties, unfortunately the ADFS & SAML 2.0 article appears to be no longer relevant.
Can you shed some light?
Thanks,
Pritam
@Pritam, yes, this is no longer an issue with Update 1. There is now a property that you can disable the suggested mechanism altogether or specify an AuthnContextClass. To do so, I suggest you read:
http://wiki.servicenow.com/index.php?title=SAML_2.0_Web_Browser_SSO_Profile#Step_3d._.28Optional.29_Enable_Providing_an_Authentication_Context_Class
Hi John,
I am trying to create a deep link to a timeline page with ADFS 2.0 authentication, but cannot get it to work. Do you know if deep links has to be in a particular format for timeline pages?
/Tomas
@Tomas: I haven’t really tried it with a timeline link. I know that some special pages in the system do not work well with deep linking occasionally. Feel free to post a sample time-line link and I can see if there is anything glaringly complicated about it.