ADFS as Application Source in ACCESS (Service Now)
Part 1: Creating a ServiceNow Developer Instance
This lab will address the scenario in which customers have an on-premises ADFS server. Customers that have federated their applications with ADFS can now leverage the authentication methods of WorkspaceONE Access. This requires a simple setup of a Claims Provider Trust with WorkspaceONE Access.
In this lab we will use ServiceNow as the Relying Party Trust and WorkspaceONE Access as the Claims Provider Trust.
The order of the lab:
Part 1: Setup a ServiceNow Developer Instance
Part 2: Add ServiceNow as Relying Party to ADFS
Part 3: Adding Access As Claims Provider in ADFS
Part 4: Adding ADFS As Application Source to WorkspaceOne Access
Sign up for a ServiceNow Tenant
1. Open a browser on your physical or virtual machine and navigate to https://developer.servicenow.com
2. Click on Sign up and enter your details for the Developer Account. Make sure you use your cloudadmin account for e-mail. This is the one you created on Day1 of the labs. (example: [email protected]) Password can be VMware1!. Click Sign Up at the bottom of the page once all fields have been entered.
NOTE: We highly recommend documenting all of the URLs in this lab as well as the credentials in a separate note taking application.
3. Check your e-mail at login.microsoft.com and click the Verify Email button in the Welcome e-mail that has come from ServiceNow. The link will take you to a page that says Thank You!; click Sign In on that page.
4. Now that you have created an account, let's sign in to the Developer Site. If you don't already see a Sign In page, click on https://signon.service-now.com
5. Type in your cloudadmin e-mail address and password to sign in. You must agree to the Developer Agreement. Scroll all the way to the bottom and check the tick box and click Submit.
6. Fill in the requested information on the use of the platform and click Submit.
7. On the ServiceNow Developers home page click on the Manage tab, click Instance and then click Request Instance.
8. You will now be asked to give a reason for this request. Simply put what you are hoping to test, e.g. "Integration with ADFS, ServiceNow should function as the relying party trust." Click I understand.
9. Finally choose the ServiceNow release you would like to use and click Request Instance. (New York is the newest and vendor recommended version)
Very Important: Make sure you note your admin user and password on the next page after the instance has been created.
10. You will now see your instances if you click on the Manage > Instances tab on the top menu. Note your unique URL, which should start with devXXX.service-now.com
11. Click on your unique Dev Instance and sign in with the admin credentials given to you on the page above. You will be asked to set a new password.
This completes the creation of your Instance in ServiceNow.
JUST FOR NOTE - NO ACTION REQUIRED
The Developer instance will go dormant after 12 hours and will need to be woken up. If you see this happen, log into the developer site developer.servicenow.com
Once you have logged into the Developer portal, click on Manage and then Instances to wake the environment.
Setup User in ServiceNow
Now that we have a unique instance of ServiceNow, it's time to add your unique user from AD into ServiceNow.
1. In your unique instance of ServiceNow on the home page click on the Filter navigator in the top left corner.
2. Type users into the Filter navigator
3. In the navigation results, under System Security > Users and Groups, select Users
4. At the top of the page click New in the Users management Interface
5. Fill in the Fields for your unique user and click Submit at the top right hand corner of the page.
First name: User35SCR
Last name: SCR
Email: [email protected]
Note: Make sure the e-mail attribute you add here matches the e-mail from AD as this will be the SAML attribute we leverage
Setting up the Identity Provider settings in ServiceNow
We will now configure the SAML settings on your ServiceNow Instance.
1. In the top left hand Filter navigator area type in plugins and click on Plugins below.
2. On the Plugins page to the right of FILTERS type "integration" into the search field.
3. Scroll down until you find Integration - Multiple Provider Single Sign-on Installer
NOTE: Make sure it exactly matches "Integration - Multi Provider Single Sign-on Installer"
4. Once the Plugin page has opened, click Install
5. On the Activate Plugin window, confirm the activation on the pop-up by clicking Activate
6. After a few moments the Plugin will have installed and you can click on Close & Reload Form
7. If you now type "Multi" into the top left Filter navigator area, you will see the option for Multiple Provider SSO
8. Under Multi-Provider SSO select Identity Providers
9. Navigate to the ControlCenter2 virtual machine inside the lab environment, on the desktop click on the Remote Desktop folder and double-click the ADFS.rdp file
10. On the ADFS virtual machine open Firefox and navigate to your unique devXXX.service-now.com instance. Authenticate as admin
11. In the Filter navigator area type "Multi". Below Multi-Provider SSO select Identity Providers
12. In the top area, click on New next to Identity Providers
13. Under Digest select SAML
14. When the Import Identity Metadata window launches, click Cancel as we will be manually configuring the parameters
15. Fill in the following details on the Form
- Name: ADFS
- Identity Provider URL: http://adfs.euc-livefire.com/adfs/services/trust
- Identity Provider's AuthnRequest: https://adfs.euc-livefire.com/adfs/ls
- Identity Provider's SingleLogoutRequest: BLANK
- ServiceNow Homepage: https://devXXX.service-now.com/navpage.do (replace XXX with your unique tenant)
- EntityID/Issuer: https://devXXX.service-now.com (replace XXX with your unique tenant)
- Audience URI: https://devXXX.service-now.com (replace XXX with your unique tenant)
NOTE: You will not be able to set the Identity Provider to Active or Default yet as the Connection has not been tested.
This will be done at a later stage. Leave the rest of the values at their defaults
16. Scroll down and you will see 3 Tabs starting with Encryption and Signing and ending with Advanced. Select Advanced tab
17. Next to Single Sign-On Script click the magnifying glass icon and in the new Script Includes window click MultiSSO_SAML2_Update1
NOTE: If your Datacenter is the New York Datacenter you might have to use the MultiSSOv2_SAML2_internal Single Sign On Script. This will be apparent when you get to the section Test & Enable Authentication and you have to TEST Connection
18. Click Submit at the bottom of the page.
19. In the middle pane, select the ADFS Identity Provider
20. Scroll down to the bottom of the page until you find the heading Related Links. Next to X.509 Certificates click New.
21. In the X.509 New Record window add the following:
- Name: ADFS Signing
Copy the text below and paste in the PEM Certificate box at the bottom of the page.
Alternatively you can also copy the contents of the certificate located on the desktop called ADFS signing cert.cer
-----BEGIN CERTIFICATE----- MIIC3DCCAcSgAwIBAgIQFbvkYdFx4qVCLeNRwo1NWTANBgkqhkiG9w0BAQsFADAq MSgwJgYDVQQDEx9BREZTIFNpZ25pbmcgLSBldWMtbGl2ZWZpcmUuY29tMB4XDTE5 MDcwMzA5MDAzNFoXDTIwMDcwMjA5MDAzNFowKjEoMCYGA1UEAxMfQURGUyBTaWdu aW5nIC0gZXVjLWxpdmVmaXJlLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC AQoCggEBAJ4I7Uzkyui6X4br8LrrVfaRgS+Z9izZZnXDgxczONL+mQ1aKks+e116 mHMEaWNuzVjaK3NqsHzPycBIGPNmSM96qdrWcC+zoz8CmmjnDbWUwlU5LywYs1QN YZvugi0DtIsnR/c6dDodAc7C44o6gUy1emwTxOHF1zx19xnCWsxGmR4q3liakWwk n4oaUwSPG3ZBwVbSnji/AZrEDiFu+nz+rkAMAmQ/YnYpwRWhR0ru/sbqjFzkvBb8 lhPdz4HJWe43Vi65Ms+9a4FW4uIqUq3jRQxqtlzfkJdlEaa2hf/k5dgkfakaAuw+ GCJyzfayIAX+i9P/TwirwTImgHqbrv0CAwEAATANBgkqhkiG9w0BAQsFAAOCAQEA Apa4igdrsvXPD3RcNgcjbYjLUu8dAKkoSIfVLjKJ7GzWEqhr5uIpgNhqgIQpK+yT rDlMG7kgewWoRhNqpccduRcceRwYXQZzWmlVxOFoCVDIGIMxmat5P2WnYQc/r8IF QjgGhXv4KyGGSLAs5jAbbInRAN+ViyN/rlji/8jAQr8Cf9o2WE/ZHP1bheGFTIam /0nOdjDSo+/3rCvx9NPuTn7B99peXeg8sUvKyH8Oj3kgglqODfY0dlhirvuMtgKM 2FdnFdT00h//1XT90A2LVWgdSeYFRWM6KMYYvvfE2DtZByHzQy3f4k3kae6TBrDe T6FSNfmpB7pYssoeOVoM6Q== -----END CERTIFICATE-----
22. Click Submit at the bottom of the page. Once you click back into the certificate you should see the Issuer and Subject fields filled in.
23. At the top of the page click Update to reflect the changes made
Let's now generate the Metadata to later import into ADFS.
24. In the middle pane select the ADFS Identity Provider that you have just created.
25. At the top of the Identity Provider ADFS page, next to Update, click Generate Metadata
26. This will open a new tab in your browser and show you the metadata as text. Copy the text into Notepad and save it as Metadata.xml to the desktop of the ADFS virtual machine.
This will allow us to later import the metadata.xml into ADFS.
Part 2: Adding a Relying Party Trust
1. On the ADFS virtual machine open the AD FS Management interface from the Start Menu.
2. In the AD FS Manager navigate to Relying Party Trusts, right-click and select Add Relying Party Trust in the right hand Actions panel.
3. Select the Claims Aware radio button and select Start
4. On the next screen select Import data about the relying party from a file and click Browse ... and select the metadata.xml file from the desktop.
Click Next to confirm
5. Next to Display name type: ServiceNow and select Next
6. Leave the permissions as default to permit everyone and select Next
7. On the Ready to Add Trust page, leave as default and select Next
Note: The metadata we have imported has set the values of the identifiers and endpoints for this connection.
8. On the next page select Close.
9. Double-click back into the ServiceNow Relying Party Trust we have just set up.
10. This will open the Properties of that Relying Party; navigate to the Advanced tab and select SHA-1 for the Secure hash algorithm.
11. Navigate to the Endpoints tab in the Properties and click Add SAML...
12. Change endpoint type from SAML Assertion Consumer to SAML Logout
13. Under Binding ensure Post is selected
14. In the Trusted URL: area copy and paste the following : https://adfs.euc-livefire.com/adfs/ls/?wa=wsignout1.0
15. Select OK and OK again to confirm changes
16. In Relying Party Trusts right click ServiceNow and click Edit Claim Issuance Policy
17. Now click Add Rule... and ensure Send LDAP Attributes as Claims (default) is selected, then select Next
18. In the Claim rule name: area type Get Attribute
19. In the dropdown under Attribute store, select Active Directory
20. Using the dropdown select E-Mail-Addresses as the LDAP Attribute and E-mail Address as the Outgoing Claim Type
21. Click Finish at the bottom of the page to confirm. (Don't close the window)
22. On the Edit Claim Issuance Policy for ServiceNow page select Add Rule...
23. This time select Transform an Incoming Claim as the template and click Next
24. Give the Rule the name: Email to NameID
- Select E-mail Address from Incoming claim type dropdown
- Select Name ID from Outgoing claim type
- Select Email from Outgoing name ID format
25. Click Finish at the bottom of the page to confirm the changes and OK to close Claim Issuance Policy page.
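The Part 2 wizard steps above, expressed as an ADFS PowerShell script. This is an added example and not part of the original lab; it assumes an ADFS 2016-or-later server with the ADFS module loaded, the metadata.xml saved at the path shown, and the two claim rules written in the rule language exactly as the wizard templates generate them.

```powershell
# Added example: scripted equivalent of the Part 2 relying party trust.
$metadata = "C:\Users\Administrator\Desktop\metadata.xml"   # assumed path

# Rule 1 ("Get Attribute"): look the user up in AD by windowsaccountname and
# issue the mail attribute as the E-mail Address claim.
# Rule 2 ("Email to NameID"): turn that claim into a NameID in e-mail format.
$issuanceRules = @'
@RuleTemplate = "LdapClaims"
@RuleName = "Get Attribute"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"), query = ";mail;{0}", param = c.Value);

@RuleTemplate = "MapClaims"
@RuleName = "Email to NameID"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"]
 => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");
'@

# Steps 4-7: import identifiers and endpoints from the ServiceNow metadata,
# "Permit everyone" access control policy, and attach the two claim rules.
Add-AdfsRelyingPartyTrust -Name "ServiceNow" -MetadataFile $metadata `
    -AccessControlPolicyName "Permit everyone" `
    -IssuanceTransformRules $issuanceRules

# Step 10: SHA-1 as the lab specifies (ADFS defaults to SHA-256, which is the
# stronger choice outside this lab).
$sha1 = "http://www.w3.org/2000/09/xmldsig#rsa-sha1"

# Steps 11-15: add the SAML Logout endpoint (POST binding). -SamlEndpoint
# replaces the whole list, so keep the endpoints imported from the metadata.
$logout = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout `
    -Uri "https://adfs.euc-livefire.com/adfs/ls/?wa=wsignout1.0"
$existing = (Get-AdfsRelyingPartyTrust -Name "ServiceNow").SamlEndpoints
Set-AdfsRelyingPartyTrust -TargetName "ServiceNow" -SignatureAlgorithm $sha1 `
    -SamlEndpoint ($existing + $logout)

# Verify what ADFS stored before testing in Part 3.
Get-AdfsRelyingPartyTrust -Name "ServiceNow" |
    Select-Object Name, Identifier, SignatureAlgorithm, ClaimsProviderName
```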
Part 3: Test & Enable Authentication for SAML
Let's now test the federation between ServiceNow and ADFS before we bring WorkspaceONE Access into the picture.
1. Click back into the Firefox browser on your unique instance of ServiceNow. Make sure you are logged in as admin.
2. In the ADFS Identity Provider settings that we set up previously, next to Generate Metadata, click Test Connection
3. Notice a new Firefox window opens where you will see the authentication page for ADFS requesting authentication.
Enter the UPN and password of the unique user that you added to ServiceNow. Click Sign in
4. It will now run a test on the SAML login parameters. You should have all green tick boxes except for the SSO Logout Test.
SSO Logout will FAIL as it cannot run this test. Ignore this for now.
5. At the bottom of the Page select Activate
6. Notice at the top of the ADFS Identity Provider screen that the status is now "Active".
7. Next to Default, select the checkbox and select Update at the top.
8. Navigate to the Filter navigator on the left hand side and type "Multi", then select Properties under Administration
9. In the Properties window, under Enable multiple provider SSO, select the Yes checkbox. Select Save at the bottom of the page.
10. To do the final test, open a new browser on your ControlCenter2 virtual machine. Navigate to your unique tenant (e.g. https://dev92193.service-now.com) and click Use external login.
11. Now type in your custom unique user account, e.g. User35crsj, created earlier in the users section, and select Submit
12. You should now be redirected to your ADFS authentication page. Here enter your UPN, e.g. [email protected], and your password from AD and select Sign In
You should now be authenticated to ServiceNow as the user
Part 4: Adding Access as Claims Provider in ADFS
1. On your ControlCenter2 open Firefox and browse to your unique Workspace ONE Access Admin tenant.
2. Select the System Domain from the domain drop-down option and authenticate using the administrator account
3. In the admin console click on Catalog and click Settings
4. In the left navigation column select SAML Metadata under SaaS Apps
5. Right-click the Identity Provider (IdP) metadata link and select Save Link As..., naming the file IDP.xml
6. In the browser window that opens navigate to the Software folder on the desktop, open the ADFS folder and select Save
7. Open the Remote Desktop folder on the desktop and RDP to the ADFS server
8. In Server Manager, at the top, select Tools and then select AD FS Management
9. When the AD FS Management interface is open navigate to Claims Provider Trusts (Only Active Directory should be present)
10. Right-click Claims Provider Trusts and select Add Claims Provider Trust...
11. Click Start on the first Welcome page
12. Then select Import data about the claims provider from a file
13. Select Browse and navigate to Desktop > Software > ADFS and select the idp.xml and click Open. Click Next
14. On the Specify Display Name page, write Workspace ONE Access Livefire in the Display name field and click Next > Next > Close. You will now see Active Directory and Workspace ONE Access Livefire as Claims Providers
15. Right-click Workspace ONE Access Livefire and select Edit Claim Rules...
16. Now Select Add Rule...
17. From the next page select "Send Claim Using a Custom Rule" from the drop-down and select Next
18. Type Windows Accountname Claim for the claim rule name
19. Paste the below into the custom rule field:
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
20. Select Finish and OK
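The Part 4 steps as an ADFS PowerShell script, added here as an example and not part of the original lab. It assumes the IDP.xml from steps 1-6 was saved at the path shown and that the ADFS module is loaded; the acceptance rule is the one from step 19, with comments on what it does.

```powershell
# Added example: scripted equivalent of the Part 4 claims provider trust.
$idpMetadata = "C:\Users\Administrator\Desktop\Software\ADFS\IDP.xml"   # assumed path

# Acceptance transform rule from step 19. It only matches a NameID whose
# format property is "unspecified" (the format the ADFS application source
# in Workspace ONE Access is set to in Part 5), and re-issues its value as a
# windowsaccountname claim with Issuer "AD AUTHORITY". That issuer is what
# the "Get Attribute" LDAP rule on the ServiceNow relying party (Part 2)
# requires, so a user authenticated by Workspace ONE Access can still be
# looked up in AD for the e-mail claim. OriginalIssuer keeps an audit trail
# of which claims provider actually asserted the identity.
$acceptRules = @'
@RuleName = "Windows Accountname Claim"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);
'@

# Steps 10-14: import identifier, endpoints and signing certificate from the
# IdP metadata; steps 15-20: attach the acceptance rule.
Add-AdfsClaimsProviderTrust -Name "Workspace ONE Access Livefire" `
    -MetadataFile $idpMetadata `
    -AcceptanceTransformRules $acceptRules

# Verify: the identifier should equal the entityID in IDP.xml, and the rule
# text should be attached. This display name is what Part 6 must match.
Get-AdfsClaimsProviderTrust -Name "Workspace ONE Access Livefire" |
    Select-Object Name, Identifier, Enabled, AcceptanceTransformRules
```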
Part 5: Add ADFS as Application Source to Workspace ONE Access
- Return to the ControlCenter2 server and open Firefox
- Using your browser go to your unique Workspace ONE Access tenant
- Log in with System Domain using user: administrator, password: VMware1!
- Now click on Catalog and select Settings
- Navigate to Application Sources under SaaS Apps on the left hand side and select ADFS to configure the App Source.
- Open the Firefox browser in a new tab and browse to https://adfs.euc-livefire.com/FederationMetadata/2007-06/FederationMetadata.xml
- Select Save File and go to the Downloads folder. (Chrome will download the file automatically)
- Open the File using Notepad++ and copy the contents of the XML by pressing ctrl + a then ctrl + c
- Then go back to the ADFS Application Source configuration in Workspace ONE Access and select Next.
- Paste the contents of the FederationMetadata.xml into the URL/XML field. Click NEXT
- Click Next in the Access Policies and SAVE on the Summary Page
- Now head back into the ADFS settings by selecting ADFS in the Application Source page.
- Navigate to Configuration on the left hand side and change Username Format to Unspecified
- Enter the following value under Username Value
- NB! there are no spaces in the below syntax
4. Click on Advanced Properties and set Signature Algorithm to SHA256 with RSA and Digest Algorithm to SHA256
5. Select NEXT at the bottom of the page
6. Click SAVE on the Summary page
Adding ADFS app to Workspace ONE Access
In certain scenarios admins might want to provide access to the Relying party configured in ADFS directly in the Workspace ONE catalog. This is made possible via the ADFS integration. We are essentially using a redirect to the Relying Party. Let's add the socialcast application to the catalog.
- Log into your unique Workspace ONE Access Admin console using the local directory
- Now navigate to Catalog then select NEW and give it the name: ServiceNow
- Click on Select File below Icon, select the ServiceNow.png file in the Downloads folder and select Open. Click NEXT
- In the Configuration page select ADFS Application Source under Authentication Type.
- Now type in the Target URL RPID=https://DEVXXX.Service-Now.com (where XXX is your unique tenant) and select NEXT
- Click NEXT on the Access Policies Page, and SAVE & ASSIGN on the Summary page
- In the Assign page assign the application to the [email protected] group
- Start typing [email protected] and you will see the Group showing up click it to confirm
- Now set the Deployment Type group to automatic and select SAVE
1. Close the browser and all windows to ensure Firefox or Chrome has closed properly. Now re-open Firefox and navigate to your unique Workspace ONE Access SaaS instance.
2. Now log in as your unique user in the domain euc-livefire.com; you will then notice the socialcast application in the catalog.
3. Now click on Open under the ServiceNow icon and you will be redirected to ServiceNow and authenticated as your unique user without additional credentials.
Part 6: Extracurricular: Setting Workspace ONE Access as the default claims provider
There might be a use case where an organisation in an SP-initiated flow wants the configured relying party in ADFS to always use a specific claims provider. Through PowerShell, admins have the ability to set the default claims provider for specific relying parties.
On the ADFS server do the following. Clear the cache in your Firefox browser and re-launch it.
1. Navigate to https://devXXX.service-now.com/ (where XXX is your unique instance), click on "Use external login", then specify your unique user and click Submit.
You will be redirected to the ADFS claims providers screen and notice you have WorkspaceONE Access and Active Directory listed. We want to ensure that we are automatically redirected to WorkspaceONE Access instead of seeing this prompt.
2. Open PowerShell and type
3. You will now be able to see that ServiceNow is set to use both Active Directory and Workspace ONE Access LiveFire as the claims provider (if empty, it is set to use both)
4. Let's now set Workspace ONE Access as the default claims provider
In the same PowerShell window now execute the below
Set-AdfsRelyingPartyTrust -TargetName "ServiceNow" -ClaimsProviderName @("WorkspaceONE Access Livefire")
Please note: the name of your claims provider should exactly match your ADFS configuration
5. Confirm the changes by typing the same command to get the relying party trust information. You will notice that WorkspaceONE Access is now listed as the only ClaimsProviderName
6. Now close your browser and re-open https://devXXX.service-now.com (where XXX is your unique instance)
7. Click on Use External Login; on the next page type in your unique user and notice that you are now automatically redirected to WorkspaceONE. Click Next. After authenticating you will automatically be logged into ServiceNow.
Observe that you weren't prompted to choose the claims provider as in the original test.
NOTE: In order to reverse the above, simply re-add Active Directory as another claims provider or leave the list blank to set it back to the default.
Set-AdfsRelyingPartyTrust -TargetName "ServiceNow" -ClaimsProviderName @("WorkspaceONE Access", "Active Directory")
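An added example, not part of the original lab, that wraps the Part 6 commands in a function which checks the claims provider display name against what ADFS actually has before pinning the relying party to it, which addresses the "name must match exactly" note above. It assumes the ADFS module is loaded and uses the display name given in Part 4 step 14.

```powershell
# Added example: set (and later revert) the default claims provider for a
# relying party, refusing names that do not exist as claims provider trusts.
function Set-DefaultClaimsProvider {
    param(
        [Parameter(Mandatory)] [string]   $RelyingParty,
        [Parameter(Mandatory)] [string[]] $ClaimsProviders
    )
    # Display names ADFS knows; -ClaimsProviderName must match one of these.
    $known   = @(Get-AdfsClaimsProviderTrust | ForEach-Object { $_.Name })
    $missing = @($ClaimsProviders | Where-Object { $_ -notin $known })
    if ($missing.Count -gt 0) {
        throw "Unknown claims provider trust(s): $($missing -join ', '). Known trusts: $($known -join ', ')"
    }
    Set-AdfsRelyingPartyTrust -TargetName $RelyingParty -ClaimsProviderName $ClaimsProviders
    # Return the stored value so the caller can confirm what ADFS now holds.
    (Get-AdfsRelyingPartyTrust -Name $RelyingParty).ClaimsProviderName
}

# Before: an empty ClaimsProviderName means every enabled claims provider is
# offered on the home realm discovery page (the prompt seen in step 1).
(Get-AdfsRelyingPartyTrust -Name "ServiceNow").ClaimsProviderName

# Pin ServiceNow to Workspace ONE Access only, using the display name from
# Part 4; a typo such as "WorkspaceONE Access" throws instead of being saved.
Set-DefaultClaimsProvider -RelyingParty "ServiceNow" `
    -ClaimsProviders @("Workspace ONE Access Livefire")

# Revert: offer both providers again (restores the prompt).
Set-DefaultClaimsProvider -RelyingParty "ServiceNow" `
    -ClaimsProviders @("Workspace ONE Access Livefire", "Active Directory")
```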