ADFS as Application Source in ACCESS (Service Now)
This lab addresses the scenario in which a customer has an on-premises ADFS server. Customers that have federated their applications with ADFS can now leverage the authentication methods of WorkspaceONE Access. This requires a simple setup of a Claims Provider Trust with WorkspaceONE Access.
In this lab we will use ServiceNow as the Relying Party Trust and WorkspaceONE Access as the Claims Provider Trust.
The order of the LAB
Part 1: Setup a ServiceNow Developer Instance
Part 2: Add ServiceNow as RelyingParty to ADFS
Part 3: Adding Access As Claims Provider in ADFS
Part 4: Adding ADFS As Application Source to WorkspaceOne Access
Sign up for a ServiceNow Tenant
1. Open a browser on your physical or virtual machine and navigate to https://developer.servicenow.com
2. Click on Sign up and enter your details for the Developer Account. Make sure you use your cloudadmin account for e-mail. This is the one you created on Day1 of the labs. (example: [email protected]) Password can be VMware1!. Click Sign Up at the bottom of the page once all fields have been entered.
NOTE: We highly recommend documenting all of the URLs in this lab as well as the credentials in a separate note taking application.
3. Check your e-mail at login.microsoft.com and click the Verify Email button in the Welcome e-mail from ServiceNow. The link takes you to a page that says Thank You!; click Sign In on that page.
4. Now that you have created an account, you will get automatically signed in to your Developer console. If not, browse manually to the Sign In Page https://signon.service-now.com
5. Type in your cloudadmin e-mail address and password to sign in. You must agree to the Developer Agreement. Scroll all the way to the bottom and check the tick box and click Submit.
6. Fill in the requested information on the use of the platform and click Submit.
7. On the ServiceNow Developers home page, click Request Instance.
8. You will see a pop up notifying that your instance is ready. This completes the creation of your Instance in ServiceNow.
Very Important: Copy and save the URL, Username and Password in a notepad file for your future use.
9. Click on Open Instance.
FOLLOW THE BELOW STEPS IF YOU DO NOT RECEIVE YOUR LOGIN CREDENTIALS OR FAILED TO SAVE THE CREDENTIALS IN THE PRIOR STEP.
JUST FOR NOTE - NO ACTION REQUIRED
The Developer instance goes dormant after 12 hours and then has to be woken up. If this happens, log into the developer site developer.servicenow.com.
Once you have logged into the Developer portal, click Manage and then Instances to wake the environment.
Now that we have a unique instance of ServiceNow, it's time to add your unique user from AD into ServiceNow.
1. In your unique instance of ServiceNow on the home page click on the Filter navigator in the top left corner.
2. Type users into the Filter navigator.
3. Under System Security > Users and Groups select Users
4. At the top of the page click New in the Users management Interface
5. Fill in the Fields for your unique user and click Submit at the top right hand corner of the page.
First name: User35SCR
Last name: SCR
Email: [email protected]
Note: Make sure the e-mail attribute you add here matches the e-mail from AD as this will be the SAML attribute we leverage
We will now configure the SAML settings on your ServiceNow instance.
1. In the top left hand Filter navigator area type in plugins and click on Plugins below.
2. On the Plugins page to the right of FILTERS type "integration" into the search field.
3. Scroll down until you find Integration - Multiple Provider Single Sign-on Installer
NOTE: Make sure the name exactly matches "Integration - Multi Provider Single Sign-on Installer"
4. Once the Plugin page has opened, click Install
5. In the Activate Plugin window, confirm the activation on the pop-up by clicking Activate
6. After a few moments the Plugin will have installed and you can click on Close & Reload Form
7. If you now type "Multi" into the top left Filter navigator area, you will see the option for Multiple Provider SSO
8. Under Multi-Provider SSO select Identity Providers
9. Navigate to the ControlCenter2 Virtual Machine inside the lab environment, open the Remote Desktop folder on the desktop and double-click ADFS.rdp
10. On the ADFS virtual machine open Firefox and navigate to your unique devXXX.service-now.com instance. Authenticate as admin
11. In the Filter navigator area type "Multi". Below Multi-Provider SSO select Identity Providers
12. At the top of the page, click New next to Identity Providers
13. Under Digest select SAML
14. When the Import Identity Metadata window launches, click Cancel, as we will be configuring the parameters manually
15. Fill in the following details on the Form
- Name: ADFS
- Identity Provider URL: http://adfs.euc-livefire.com/adfs/services/trust
- Identity Provider's AuthnRequest: https://adfs.euc-livefire.com/adfs/ls
- Identity Provider's SingleLogoutRequest: BLANK
- ServiceNow Homepage: https://devXXX.service-now.com/navpage.do (replace XXX with your unique tenant)
- EntityID/ Issuer : https://devXXX.service-now.com (replace XXX with your unique tenant)
- Audience URI: https://devXXX.service-now.com (replace XXX with your unique tenant)
NOTE: You will not be able to set the Identity Provider to Active or Default yet as the Connection has not been tested.
This will be done at a later stage. Leave the rest of the values Default
16. Scroll down and you will see 3 tabs starting with Encryption and Signing and ending with Advanced. Select the Advanced tab
17. Next to Single Sign-On Script click the magnifying glass icon and in the new Script Includes window click MultiSSOv2_SAML2_internal
NOTE: If your Datacenter is the New York Datacenter you might have to use the MultiSSOv2_SAML2_update1 Single Sign On Script. This will be apparent when you get to the section Test & Enable Authentication and you have to TEST Connection
18. Click Submit at the bottom of the page.
19. In the middle pane, select the ADFS Identity Provider
20. Scroll down to the bottom of the page until you find the heading Related Links . Next to X.509 Certificates Click New.
21. In the X509 New Record window add the following:
- Name: ADFS Signing
Copy the text below and paste in the PEM Certificate box at the bottom of the page.
Alternatively you can also copy the contents of the certificate located on the desktop called ADFS signing cert.cer
-----BEGIN CERTIFICATE-----
MIIGgzCCBWugAwIBAgIRAO0/w5rB681yy7ux8HAOGXowDQYJKoZIhvcNAQELBQAw
gY8xCzAJBgNVBAYTAkdCMRswGQYDVQQIExJHcmVhdGVyIE1hbmNoZXN0ZXIxEDAO
BgNVBAcTB1NhbGZvcmQxGDAWBgNVBAoTD1NlY3RpZ28gTGltaXRlZDE3MDUGA1UE
AxMuU2VjdGlnbyBSU0EgRG9tYWluIFZhbGlkYXRpb24gU2VjdXJlIFNlcnZlciBD
QTAeFw0xOTA3MDIwMDAwMDBaFw0yMTA3MDEyMzU5NTlaMF8xITAfBgNVBAsTGERv
bWFpbiBDb250cm9sIFZhbGlkYXRlZDEdMBsGA1UECxMUUG9zaXRpdmVTU0wgV2ls
ZGNhcmQxGzAZBgNVBAMMEiouZXVjLWxpdmVmaXJlLmNvbTCCASIwDQYJKoZIhvcN
AQEBBQADggEPADCCAQoCggEBAL7lHKYbt/OVZac0pmzNdqJdMr6vOjQOgnpNcZXc
TpYLA8ZVZqGKCIPZBOJxwn7jZNvLtupqqqernVwuACdrtrfoN2naYDV9cA2qn1Xl
GRknQ6OiGWnnBEHBIMSCpC9xeFT8NFa8GGixSpvphcp6Y/+VnVDS3ExMZ3N0YfLa
XdCIahOslK1/NCOZjHCes5pjYwjmqgNBhateShgp3BkaggLzqZwINkswY54JlyDB
1Hp+UhnC4BUEm5ZXsifSMLYoUwPw61mHPQl1PZX2k+tYKMa1UYiA3vrzi+LVLtiB
/EkWlB8CYN6g7alBwYhG/TyoMd3ZZ2cLoiWjiMLi1Tm5er0CAwEAAaOCAwcwggMD
MB8GA1UdIwQYMBaAFI2MXsRUrYrhd+mb+ZsF4bgBjWHhMB0GA1UdDgQWBBRiBX0K
WmZkaiTFc1eS3C0IkCj6OTAOBgNVHQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAd
BgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwSQYDVR0gBEIwQDA0BgsrBgEE
AbIxAQICBzAlMCMGCCsGAQUFBwIBFhdodHRwczovL3NlY3RpZ28uY29tL0NQUzAI
BgZngQwBAgEwgYQGCCsGAQUFBwEBBHgwdjBPBggrBgEFBQcwAoZDaHR0cDovL2Ny
dC5zZWN0aWdvLmNvbS9TZWN0aWdvUlNBRG9tYWluVmFsaWRhdGlvblNlY3VyZVNl
cnZlckNBLmNydDAjBggrBgEFBQcwAYYXaHR0cDovL29jc3Auc2VjdGlnby5jb20w
LwYDVR0RBCgwJoISKi5ldWMtbGl2ZWZpcmUuY29tghBldWMtbGl2ZWZpcmUuY29t
MIIBfwYKKwYBBAHWeQIEAgSCAW8EggFrAWkAdgC72d+8H4pxtZOUI5eqkntHOFeV
CqtS6BqQlmQ2jh7RhQAAAWuyY6kjAAAEAwBHMEUCIHSg7ifTJH0mbZ3E8iR49aeY
RlceAKzD89qpplhK8fO+AiEA3CQnyyYr2xRRLXxahOWXyl/yEm9SjekhOV/gYcNG
YmkAdgBElGUusO7Or8RAB9io/ijA2uaCvtjLMbU/0zOWtbaBqAAAAWuyY6k2AAAE
AwBHMEUCIQCVo8KL5rmIcQRzz63C0psYy84kgiCOxS5FwZekHRdv6AIgEYae1D+D
fFt02tmKgeh/lhQW8YOPHGJXfh4obi8e6D0AdwBvU3asMfAxGdiZAKRRFf93FRwR
2QLBACkGjbIImjfZEwAAAWuyY6k1AAAEAwBIMEYCIQDIr8Ur6Sjf4PECdGKyxVyB
TnP+ybdrsrVtXaOHPhh+zQIhAMnYWJS6wonSMDfmR4/OjiEehKjrHz0R5CjBz1FW
VHNoMA0GCSqGSIb3DQEBCwUAA4IBAQCNfPy/xA/c3svC5YoW7ivQ6Pkqp06R2dB9
KGFDPpHWALqgvnc0njPvszh7l/XePD8e2bHMxOdkfP+W9CsJa+yveSh0dnoT8kAy
XGPgd4b3tHENFc7tdZnw3nVMiuC9o/au9SbQ4hzMZqbgez/V0iGpQ9ojE8EpAlIj
gillnekl61lG2G35V9oHPM6CzM9NCO9e/OZUOFFX8NDl3CbF8VFgl/5Fs7Xl8zs5
8Bxw/x+NATYFTQUeNssGndS3BCJnpOvvQVVsx/ig+VAmv5NAOPn1e9SJFYddfvaL
9E0oxUSkmXMzfJTnAHyhTILh4XfWvjBH4JmyYJ6MUCX7wqlaoMRB
-----END CERTIFICATE-----
22. Click Submit at the bottom of the page. Once you click back into the certificate you should see the Issuer and Subject fields filled in.
23. At the top of the page click Update to reflect the changes made
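The certificate pasted into the "ADFS Signing" record is what ServiceNow will use to verify every SAML assertion from ADFS, so it is worth confirming that it really is the token-signing certificate ADFS publishes and that it has not expired. The following PowerShell is an added example, not part of the lab and not ServiceNow or VMware code: it decodes the PEM file (assumed to be the "ADFS signing cert.cer" file on the desktop), parses the ADFS federation metadata (assumed to have been saved from https://adfs.euc-livefire.com/FederationMetadata/2007-06/FederationMetadata.xml to the Downloads folder, as done later in this lab), and compares thumbprints. The function names and file paths are assumptions.

```powershell
# Added example (not part of the lab): check that the PEM pasted into ServiceNow matches the
# token-signing certificate ADFS publishes in its federation metadata, and report its expiry.
# File paths below are assumptions for this lab environment.

function Get-CertFromPem {
    param([Parameter(Mandatory)][string]$Path)
    # Strip the BEGIN/END lines and all whitespace, then decode the DER bytes
    $b64 = (Get-Content -Path $Path -Raw) -replace '-----BEGIN CERTIFICATE-----', '' `
                                          -replace '-----END CERTIFICATE-----', '' `
                                          -replace '\s', ''
    $bytes = [Convert]::FromBase64String($b64)
    New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
}

function Get-AdfsSigningCertsFromMetadata {
    param([Parameter(Mandatory)][string]$Path)
    [xml]$md = Get-Content -Path $Path -Raw
    $ns = New-Object System.Xml.XmlNamespaceManager($md.NameTable)
    $ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
    $ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
    # Only the IdP role's signing keys: encryption keys and the metadata's own signature are ignored
    $xpath = "//md:IDPSSODescriptor/md:KeyDescriptor[@use='signing']/ds:KeyInfo/ds:X509Data/ds:X509Certificate"
    foreach ($node in $md.SelectNodes($xpath, $ns)) {
        $bytes = [Convert]::FromBase64String(($node.InnerText -replace '\s', ''))
        New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
    }
}

function Test-PastedSigningCert {
    param(
        [Parameter(Mandatory)][string]$PemPath,
        [Parameter(Mandatory)][string]$MetadataPath
    )
    $pasted    = Get-CertFromPem -Path $PemPath
    $published = @(Get-AdfsSigningCertsFromMetadata -Path $MetadataPath)
    $match     = $published | Where-Object { $_.Thumbprint -eq $pasted.Thumbprint }
    [pscustomobject]@{
        Subject        = $pasted.Subject
        Issuer         = $pasted.Issuer
        Thumbprint     = $pasted.Thumbprint
        NotAfter       = $pasted.NotAfter
        Expired        = ($pasted.NotAfter -lt (Get-Date))
        InMetadata     = [bool]$match
        PublishedCount = $published.Count   # more than 1 means ADFS is rolling over its token-signing certificate
    }
}

# Assumed locations of the two files in this lab
Test-PastedSigningCert -PemPath "$env:USERPROFILE\Desktop\ADFS signing cert.cer" `
                       -MetadataPath "$env:USERPROFILE\Downloads\FederationMetadata.xml" | Format-List
```

If InMetadata is false, the pasted certificate is not one ADFS currently signs with and the Test Connection step later in this lab will fail signature validation; if PublishedCount is greater than one, ADFS has a secondary token-signing certificate queued, and ServiceNow will need that one added as a second X.509 record before the rollover.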
Let's now generate the metadata to later import into ADFS.
24. In the middle pane select the ADFS Identity Provider that you have just created.
25. At the top of the Identity Provider ADFS page, next to Update, click Generate Metadata
26. This will open a new tab in your browser showing the metadata as text. Copy the text into Notepad and save it as Metadata.xml on the desktop of the ADFS virtual machine.
This will allow us to later import the metadata.xml into ADFS.
1. On the ADFS virtual machine open the AD FS Management interface from the Start Menu.
2. In the AD FS Manager navigate to Relying Party Trusts, right-click and select Add Relying Party Trust in the right hand Actions panel.
3. Select the Claims aware radio button and select Start
4. On the next screen select Import data about the relying party from a file and click Browse ... and select the metadata.xml file from the desktop.
Click Next to confirm
5. Next to Display name type : ServiceNow and select Next
6. Leave the permissions as default to permit everyone and select Next
7. On the Ready to Add Trust page, leave as default and select Next
Note: The metadata we have imported has set the values of the identifiers and endpoints for this connection.
8. On the next page select Close.
9. Double click back into the ServiceNow Relying Party Trust we have just set up.
10. This will open the Properties of that Relying Party, navigate to the Advanced Tab and select SHA-1 for the Secure Hash algorithm.
11. Navigate to the Endpoints tab in the Properties and click Add SAML...
12. Change endpoint type from SAML Assertion Consumer to SAML Logout
13. Under Binding ensure Post is selected
14. In the Trusted URL: area copy and paste the following : https://adfs.euc-livefire.com/adfs/ls/?wa=wsignout1.0
15. Select OK and OK again to confirm changes
16. In Relying Party Trusts right click ServiceNow and click Edit Claim Issuance Policy
17. Now Click Add Rule ... and ensure Send LDAP attributes as Claims (default) is selected, select Next
18. In the Claim rule name: area type Get Attribute
19. In the dropdown under Attribute store, select Active Directory
20. Using the dropdown select E-Mail-Addresses as the LDAP Attribute and E-mail Address as the Outgoing Claim Type
21. Click Finish at the bottom of the page to confirm. (Don't close the window)
22. On the Edit Claim Issuance Policy for ServiceNow select Add Rule...
23. This time select Transform an Incoming Claim as the template and click Next
24. Give the Rule the name: Email to NameID
- Select E-mail Address from Incoming claim type dropdown
- Select Name ID from Outgoing claim type
- Select Email from Outgoing name ID format
25. Click Finish at the bottom of the page to confirm the changes and OK to close Claim Issuance Policy page.
Let's now test the federation between ServiceNow and ADFS before we bring WorkspaceONE Access into the picture.
1. Click back into the Firefox browser to your unique Instance of ServiceNow. Make sure you are logged in as Admin.
2. In the ADFS Identity Provider settings that we setup previously next to Generate Metadata, click Test Connection
3. Notice a new FireFox window opens where you will see the Authentication Page for ADFS requesting authentication.
Enter your custom account UPN and the Password of your unique user that you added to ServiceNow. Click Sign in
4. ServiceNow will now run a test of the SAML login parameters. You should see green tick boxes for everything except the SSO Logout Test.
The SSO Logout Test will FAIL because it cannot be performed in this setup. Ignore this for now.
5. At the bottom of the Page select Activate
6. Notice at the top of the ADFS Identity Provider screen that the status is now "Active".
7. Select the Default checkbox and click Update at the top.
8. Navigate to the Filter navigator on the left hand side and type "Multi" > Now Select Properties under Administration.
9. In the Properties window Under Enable multiple provider SSO select Yes check box. Select Save at the bottom of the page.
10. To do the final test, open a new browser on your ControlCenter2 virtual machine. Navigate to your unique tenant (e.g. https://dev92193.service-now.com) and click Use external login.
11. Now type in your custom unique user account (e.g. amerpso30) created earlier in the users section and select Submit
12. You should now be redirected to your ADFS authentication page. Here put in your UPN e.g. [email protected] and password from AD and select Sign In
You should be authenticated as the user now to ServiceNow
1. On your ControlCenter2 open Firefox and browse to your unique Workspace ONE Access Admin tenant.
2. Select the System Domain from the domain drop-down and authenticate using the administrator account
3. In the admin console click on Catalog and click Settings
4. In the left navigation column select SAML Metadata under SaaS Apps
5. Right-click the Identity Provider (IdP) metadata link and select Save Link As..., naming the file IDP.xml
6. In the browser window that opens, navigate to the Software folder on the desktop, open the ADFS folder and select Save
7. Open the Remote Desktop folder on the desktop and RDP to the ADFS server
8. In Server Manager and at the top, select Tools and select AD FS Management
9. When the AD FS Management interface is open navigate to Claims Provider Trusts (Only Active Directory should be present)
10. Right-click Claims Provider Trusts and select Add Claims Provider Trust...
11. Click Start on the first Welcome page
12. Then select Import data about the claims provider from a file
13. Select Browse and navigate to Desktop > Software > ADFS and select the idp.xml and click Open. Click Next
14. On the Specify Display Name page and write Workspace ONE Access Livefire in the Display name click Next > Next > Close. Now you will see Active Directory and Workspace ONE Access Livefire as Claims Providers
15. Right-click Workspace ONE Access Livefire and select Edit Claim Rules...
16. Now Select Add Rule...
17. From the next page select "Send Claims Using a Custom Rule" from the drop down and select Next
18. Type Windows Accountname Claim for the claim rule name
19. Paste the below into the custom rule field:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
20. Select Finish and OK
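The custom rule above is the trust boundary of this whole integration: it takes the unspecified-format NameID asserted by Workspace ONE Access and re-issues it as a windowsaccountname claim with Issuer = "AD AUTHORITY", which is exactly the claim the "Get Attribute" LDAP rule on the ServiceNow relying party (steps 17 to 25 of the relying party section) matches on. From that point ADFS treats the user as if Active Directory had authenticated them, so the claims provider trust should only ever be fed by the Access tenant's own signing certificate imported from IDP.xml. The PowerShell below is an added example, not part of the lab and not Microsoft's or VMware's code: it applies the same three rules in ADFS claim rule language with the ADFS module instead of the GUI, using the display names ServiceNow and Workspace ONE Access Livefire from earlier steps, and reads them back so they can be compared with what the GUI shows under View Rule Language. The rule text for the two wizard-generated relying party rules is the standard output of those templates; Get-LabClaimRules is a name chosen here.

```powershell
# Added example (not part of the lab): apply the lab's claim rules with the ADFS module.
# Assumes this runs on the ADFS server and that the trusts already exist with the lab's display names.
Import-Module ADFS

$emailClaim   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameIdClaim  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$formatProp   = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'
$winAcctClaim = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname'

# Relying party "ServiceNow": "Get Attribute" (Send LDAP Attributes as Claims) followed by
# "Email to NameID" (Transform an Incoming Claim). The LDAP rule only fires on a
# windowsaccountname claim whose Issuer is "AD AUTHORITY".
$rpRules = @"
@RuleTemplate = "LdapClaims"
@RuleName = "Get Attribute"
c:[Type == "$winAcctClaim", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailClaim"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to NameID"
c:[Type == "$emailClaim"]
 => issue(Type = "$nameIdClaim", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["$formatProp"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
"@
Set-AdfsRelyingPartyTrust -TargetName 'ServiceNow' -IssuanceTransformRules $rpRules

# Claims provider "Workspace ONE Access Livefire": the custom rule from step 19. It accepts the
# unspecified-format NameID from Access and re-issues it as an AD windowsaccountname so the
# attribute store lookup above succeeds for users who never typed an AD password at ADFS.
$cpRules = @"
@RuleName = "Windows Accountname Claim"
c:[Type == "$nameIdClaim", Properties["$formatProp"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(Type = "$winAcctClaim", Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
"@
Set-AdfsClaimsProviderTrust -TargetName 'Workspace ONE Access Livefire' -AcceptanceTransformRules $cpRules

# Read both rule sets back; compare with "View Rule Language" in the GUI
function Get-LabClaimRules {
    [pscustomobject]@{
        RelyingPartyRules   = (Get-AdfsRelyingPartyTrust   -Name 'ServiceNow').IssuanceTransformRules
        ClaimsProviderRules = (Get-AdfsClaimsProviderTrust -Name 'Workspace ONE Access Livefire').AcceptanceTransformRules
    }
}
Get-LabClaimRules | Format-List
```

Note that the Set-* cmdlets replace the whole rule set for that trust, so if the GUI steps were already completed this simply rewrites the same rules; on a trust with other rules they would be overwritten.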
- Return to the ControlCenter2 server and open Firefox
- Using your browser go to your unique Workspace ONE Access tenant
- Login with System Domain using user:administrator password:VMware1!
- Now click on Catalog and select Settings
- Navigate to Application Sources under the Saas Apps on the left hand side and select ADFS to configure the App Source.
- Open the firefox browser on a new Tab and Browse to https://adfs.euc-livefire.com/FederationMetadata/2007-06/FederationMetadata.xml
- Select Save File and go to the Downloads folder. (Chrome will download the file automatically)
- Open the File using Notepad++ and copy the contents of the XML by pressing ctrl + a then ctrl + c
- Then go back to the ADFS Application Source configuration on Workspace ONE Access and select next.
- Paste the contents of the FederationMetadata.xml into the URL/XML field. Click NEXT
- Click Next in the Access Policies and SAVE on the Summary Page
- Now head back into the ADFS settings by selecting ADFS in the Application Source page.
- Navigate to Configuration on the left hand side and Select MANUAL. Scroll down and change Username Format to Unspecified
- Enter the following value under Username Value
- NB! there are no spaces in the below syntax
4. Click on Advanced Properties and set Signature Algorithm to SHA256 with RSA and Digest Algorithm to SHA256
5. Select NEXT at the bottom of the page
6. Click SAVE on the Summary page
In certain scenarios admins might want to provide access to the Relying party configured in ADFS directly in the Workspace ONE catalog. This is made possible via the ADFS integration. We are essentially using a redirect to the Relying Party. Let's add the socialcast application to the catalog.
- Log into your unique Workspace ONE Access Admin console using the local directory
- Now navigate to Catalog then select NEW and give it the name: ServiceNow
- Click on Select File below Icon and select the ServiceNow.png file in the Downloads folder and select Open. click NEXT
- In the Configuration page select ADFS Application Source under Authentication Type.
- Now type in the Target URL RPID=https://DEVXXX.Service-Now.com (where XXX is your unique tenant) and select NEXT
- Click NEXT on the Access Policies Page, and SAVE & ASSIGN on the Summary page
- In the Assign page assign the application to the [email protected] group
- Start typing [email protected] and you will see the Group showing up click it to confirm
- Now set the Deployment Type group to automatic and select SAVE
1. Close the browser and all windows to ensure firefox or chrome has closed properly. Now re-open firefox and navigate to your unique Workspace ONE Access SaaS instance.
2. Now log in as your Unique User in the domain euc-livefire.com you will then notice in the catalog the socialcast application.
3. Now click on Open under ServiceNow icon and you will be redirected to ServiceNow and authenticated without additional credentials as your unique user.
There might be a use case where, in an SP-initiated flow, an organisation wants a relying party configured in ADFS to always use a specific claims provider. Through PowerShell, admins have the ability to set the default claims provider for specific relying parties.
On the ADFS server do the following. Clear the cache of your Firefox browser and re-launch it.
1. Navigate to https://devXXX.service-now.com/ (where XXX is your unique instance), click "Use external login", then specify your unique user and click Submit.
You will be redirected to the ADFS claims provider selection screen and will notice that both WorkspaceONE Access and Active Directory are listed. We want to be redirected to WorkspaceONE Access automatically instead of seeing this prompt.
2. Open PowerShell and type
3. You will now be able to see that ServiceNow is set to use both Active Directory and Workspace ONE Access LiveFire as the claims provider (if the list is empty, both are used)
4. Let's now set Workspace ONE Access as the default claims provider
In the same PowerShell window, execute the following:
Set-AdfsRelyingPartyTrust -TargetName "ServiceNow" -ClaimsProviderName @("WorkspaceONE Access Livefire")
Please note: the name of your claims provider must exactly match your ADFS configuration
5. Confirm the changes by running the same command as before to get the relying party trust information. You will notice that WorkspaceONE Access is now listed as the only ClaimsProviderName
6. Now close your browser and re-open https://devXXX.service-now.com (where XXX is your unique instance)
7. Click on Use External Login and on the next page type in your unique user. Notice that you are now automatically redirected to WorkspaceONE; click Next. After authenticating you will automatically be logged into ServiceNow.
Observe that you weren't prompted to choose the claims provider as in the original test.
NOTE: In order to reverse the above, simply re-add Active Directory as another claims provider or leave the list blank to restore the default.
Set-AdfsRelyingPartyTrust -TargetName "ServiceNow" -ClaimsProviderName @("WorkspaceONE Access", "Active Directory")
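Because Set-AdfsRelyingPartyTrust accepts any string for -ClaimsProviderName and a name that does not exactly match a configured claims provider trust silently leaves users at the selection prompt, it helps to validate the names first and read the setting back. The following PowerShell is an added example, not part of the lab: it wraps the Get and Set commands of this section in two functions (Get-RelyingPartyClaimsProviders and Set-RelyingPartyClaimsProviders are names chosen here), checks every requested name against Get-AdfsClaimsProviderTrust, and shows how to pin and un-pin the ServiceNow relying party. It assumes the ADFS module on the ADFS server and the display names used in this lab.

```powershell
# Added example (not part of the lab): pin and unpin the claims provider for a relying party,
# validating names against the configured claims provider trusts first.
Import-Module ADFS

function Get-RelyingPartyClaimsProviders {
    param([Parameter(Mandatory)][string]$RelyingParty)
    $rp = Get-AdfsRelyingPartyTrust -Name $RelyingParty
    if (-not $rp) { throw "Relying party trust '$RelyingParty' not found" }
    # An empty list means "all claims providers": the user gets the selection prompt
    if (-not $rp.ClaimsProviderName) { return @() }
    return @($rp.ClaimsProviderName)
}

function Set-RelyingPartyClaimsProviders {
    param(
        [Parameter(Mandatory)][string]$RelyingParty,
        [string[]]$ClaimsProviders = @()    # empty list restores the default (prompt for all)
    )
    $known   = @(Get-AdfsClaimsProviderTrust | ForEach-Object Name)
    $unknown = @($ClaimsProviders | Where-Object { $known -notcontains $_ })
    if ($unknown.Count -gt 0) {
        throw "No claims provider trust named: $($unknown -join ', '). Configured: $($known -join ', ')"
    }
    Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -ClaimsProviderName $ClaimsProviders
    # Read back so the caller sees what ADFS actually stored
    return Get-RelyingPartyClaimsProviders -RelyingParty $RelyingParty
}

# Before: an empty list, so both Active Directory and Workspace ONE Access Livefire are offered
Get-RelyingPartyClaimsProviders -RelyingParty 'ServiceNow'

# Pin ServiceNow to Workspace ONE Access so the selection page is skipped
Set-RelyingPartyClaimsProviders -RelyingParty 'ServiceNow' -ClaimsProviders @('Workspace ONE Access Livefire')

# To reverse, offer both again, or pass an empty list to restore the default:
# Set-RelyingPartyClaimsProviders -RelyingParty 'ServiceNow' -ClaimsProviders @('Workspace ONE Access Livefire', 'Active Directory')
# Set-RelyingPartyClaimsProviders -RelyingParty 'ServiceNow' -ClaimsProviders @()
```

The throw on an unknown name is the point of the wrapper: a typo such as a missing space in the display name would otherwise be accepted by ADFS and only show up as the selection prompt reappearing in the browser.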