Sign up for a ServiceNow Tenant

1. Open a browser on your physical or virtual machine and navigate to https://developer.servicenow.com

2. Click on Sign up and enter your details for the Developer Account. Make sure you use your cloudadmin account for e-mail. This is the one you created on Day1 of the labs. (example: [email protected]) Password can be VMware1!. Click Sign Up at the bottom of the page once all fields have been entered.

NOTE: _{We highly recommend documenting all of the URLs in this lab as well as the credentials in a separate note taking application.}

3. Check your e-mail on the login.microsoft.com and click the Verify Email button in the Welcome Email that has come from Service Now. The link will take you to a page click Sign In on that page that says Thank You!

4. Now that you have created an account, you will get automatically signed in to your Developer console. If not, browse manually to the Sign In Page  https://signon.service-now.com

5. Type in your cloudadmin e-mail address and password to sign in. You must agree to the Developer Agreement. Scroll all the way to the bottom and check the tick box and click Submit.

6. Fill in the requested information on the use of the platform and click Submit.

7. On the Service Now Developers home Page ,  click on Request Instance

8. You will see a pop up notifying that your instance is ready. This completes the creation of your Instance in ServiceNow.

Very Important: Copy and save the URL, Username and Password in a notepad file for your future use.

9. Click on Open Instance.

FOLLOW THE BELOW STEPS IF YOU DO NOT RECEIVE YOUR LOGIN CREDENTIALS OR FAILED TO SAVE THE CREDENTIALS IN THE PRIOR STEP.

1. On the ADFS virtual machine open the AD FS Management interface from the Start Menu.

2. In the AD FS Manager navigate to Relying Party Trusts and right- click and select  Add Relying Party Trust in the right hand Actions panel.

3. Select Claims Aware radio button and select Start

4. On the next screen select Import data about the relying party from a file and click Browse ... and select the metadata.xml file from the desktop.

Click Next to confirm

5. Next to Display name type : ServiceNow and select Next

6. Leave the permissions as default to permit everyone and select Next

7. On the Ready to Add Trust page, leave as default and select  Next

Note: The Metadata we have imported has set the values of the identifiers and endpoints for this connections.

8.On the next page select Close.

9. Double click back into the ServiceNow Relying Party Trust we have just set up.

10. This will open the Properties of that Relying Party, navigate to the Advanced Tab and select SHA-1 for the Secure Hash algorithm.

11. Navigate to the Endpoints tab in the Properties and click Add SAML...

12. Change endpoint type from SAML Assertion Consumer to SAML Logout

13. Under Binding ensure  Post is selected

14. In the Trusted URL: area copy and paste the following : https://adfs.euc-livefire.com/adfs/ls/?wa=wsignout1.0

15. Select  OK and OK again to confirm changes

16. In Relying Party Trusts right click ServiceNow and click Edit Claim Issuance Policy

17. Now Click Add Rule ... and ensure  Send LDAP attributes as Claims (default) is selected, select Next

18. In the Claim rule name: area type Get Attribute

19 . In the dropdown under Attribute store. select Active Directory

20. Using the dropdown select E-Mail-Addresses as the LDAP Attribute and E-mail Address as the Outgoing Claim Type

21. Click Finish At the bottom of the page to confirm. (Dont Close the window)

22. On the Edit Claim Issuance Policy for ServiceNow select Add Rule...

23. This time select Transform an Incoming Claim as the template click Next

24. Give the Rule the name: Email to NameID

• Select E-mail Address from Incoming claim type dropdown
• Select Name ID from Outgoing claim type
• Select Email from Outgoing name ID format

25. Click Finish at the bottom of the page to confirm the changes and OK to close Claim Issuance Policy page.

Let's test now the Federation between ServiceNow and ADFS before we bring WorkspaceONE Access into the picture.

1. Click back into the Firefox browser to your unique Instance of ServiceNow. Make sure you are logged in as Admin.

2. In the ADFS Identity Provider settings that we setup previously next to Generate Metadata, click Test Connection

3. Notice a new FireFox window opens where you will see the Authentication Page for ADFS requesting authentication.

Enter your custom account UPN and the Password of your unique user that you added to ServiceNow. Click Sign in

4. It will now run a test on the SAML login parameter. You should have all green tickboxes except for SSO Logout Test.

SSO Logout Will FAIL as it cannot do this test. Ignore this for now.

5. At the bottom of the Page select Activate

6. Notice at the top of the  ADFS Identity Provider Screen . The status is now "Active".

7.  Next to Default. Select the checkbox and select Update at the top.

8. Navigate to the Filter navigator on the left hand side and type "Multi" > Now  Select Properties under Administration.

9. In the Properties window Under Enable multiple provider SSO select Yes check box. Select Save at the bottom of the page.  

10. To do the final test open now a new browser on your ControlCenter2 virtual machine. Navigate to your unique tenant (ie: https://dev92193.service-now.com) and click Use external login.

11. Now type in your custom unique user account ie amerpso30, created earlier in the users section. select Submit

12. You should now be redirected to your ADFS authentication page. Here put in your UPN e.g. [email protected] and password from AD and select Sign In

You should be authenticated as the user now to ServiceNow

1. On your controlcenter2 open FireFox and browse to your unique Workspace ONE Access Admin tenant.
2. Select the System Domain from the drop down domain drop down option and authenticate using the administrator account
3. In the admin console click on catalog and click Settings
4. In the Left Navigation column select SAML metadata under SaaS Apps
5. Right click the Identity Provider (IdP) metadata and select save link as ... IDP.xml
6. In the browser window that opens navigate to the Software folder on the desktop and open the ADFS folder and select Save

7. Open the Remote Desktop folder on the desktop and RDP to the ADFS server

8. In Server Manager and at the top, select Tools and select  AD FS Management

9. When the AD FS Management interface is open navigate to Claims Provider Trusts (Only Active Directory should be present)

10 Right Click Claims Provider Trust and select Add Claims Provider Trust...

11. Click Start on the first Welcome page

12.Then select Import data about the claims provider from a file

13. Select Browse and navigate to Desktop > Software > ADFS and select the idp.xml and click Open. Click Next

14. On the Specify Display Name page and write Workspace ONE Access Livefire in the Display name click Next >  Next > Close. Now you will see Active Directory and Workspace ONE Access Livefire as Claims Providers

15. Right Workspace ONE Access Livefire and select Edit Claim Rules...

16. Now Select Add Rule...

17 .From the next page select from the drop down "Send Claim Using a Custom Rule" select Next

18 Type Windows Accountname Claim for the claim rule name

19 .Paste the below into the custom rule field:

c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] == "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer = "AD AUTHORITY", OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

20. Select Finish and OK

1. Return to the ControlCenter2 server and open Firefox
2. Using your browser go to your unique Workspace ONE Access tenant
3. Login with System Domain using user:administrator password:VMware1!
4. Now click on Catalog and select Settings
5. Navigate to Application Sources under the Saas Apps on the left hand side and select ADFS to configure the App Source.

1. Open the firefox  browser on a new Tab and  Browse to https://adfs.euc-livefire.com/FederationMetadata/2007-06/FederationMetadata.xml
2. Select Save File and go to the Downloads folder. (Chrome will download the file automatically)
3. Open the File using Notepad++ and copy the contents of the XML by pressing ctrl + a then ctrl + c
4. Then go back to the ADFS Application Source configuration on Workspace ONE Access and select next.
5. Paste the contents of the FederationMetadata.xml into the URL/XML field.  Click NEXT
6. Click Next in the Access Policies and SAVE on the Summary Page

1. Now head back into the ADFS settings by selecting ADFS in the Application Source page.
2. Navigate to Configuration on the left hand side and Select MANUAL. Scroll down and change Username Format to Unspecified
3. Enter the following value under Username Value
   • NB! there are no spaces in the below syntax

${user.domain}\${user.userName}

4. Click on Advanced Properties and set Signature Algorithm to SHA256 with RSA and Digest Algorithm to SHA256

5. Select NEXT at the bottom of the page

6. Click SAVE on the Summary page

In certain scenarios admins might want to provide access to the Relying party configured in ADFS directly in the Workspace ONE catalog. This is made possible via the ADFS integration. We are essentially using a redirect to the Relying Party. Let's add the socialcast application to the catalog.

1. Log into you unique Workspace ONE Access Admin console using the local directory
2. Now navigate to Catalog then select NEW and give it the name: ServiceNow
3. Click on Select File below Icon and select the ServiceNow.png  file in the Downloads folder and select Open. click NEXT
4. In the Configuration page select ADFS Application Source under Authentication Type.
5. Now type in the Target URL RPID=https://DEVXXX.Service-Now.com (whereXXX is your unique tenant) and select NEXT
6. Click NEXT on the Access Policies Page, and  SAVE & ASSIGN on the Summary page
7. In the Assign page assign the application to the [email protected] group
8. Start typing [email protected] and you will see the Group showing up click it to confirm
9. Now set the Deployment Type group to automatic and select SAVE

1. Close the browser and all windows to ensure firefox or chrome has closed properly. Now re-open firefox and navigate to your unique Workspace ONE Access SaaS instance.

2. Now log in as your Unique User in the domain euc-livefire.com you will then notice in the catalog the socialcast application.

3. Now click on Open under ServiceNow icon and you will be redirected to ServiceNow and authenticated without additional credentials as your unique user.

There might be a use-case where an organisation in an SP-INIT Flow wants the configured relying party in ADFS always use a specific claims provider. Through powershell admins have the ability to set the default claims provider for specific relying parties.  

On the ADFS Server do the following. Clear the cache on your Firefox browser and re-launch

1. navigating to https://devXXX.service-now.com/ (where XXX is your unique instance) and clicking on "use external login", then specify your unique user and click Submit.

You will be redirected and ADFS Claims providers screen and notice you have WorkspaceONE Access and Active Directory listed. We want to ensure that we are automatically redirected to WorkspaceONE Access instead of seeing this prompt.

2. Open powershell and type

Get-AdfsRelyingPartyTrust

3. You will now be able to see that ServiceNow is set to use both Active Directory and Workspace ONE Access LiveFire as the claims provider (IF empty it is set to use both)

4. Let's now set Workspace ONE Access as the default claims provider

 In the same power shell windows now execute the below 

Set-AdfsRelyingPartyTrust -TargetName "ServiceNow" -ClaimsProviderName @("WorkspaceONE Access Livefire")

Plese note: the name of your claims provider should exactly match your adfs configuration

5. Confirm the changes by typing the same command to get the relying party trust information. You will notice now that WorkspaceONE Access is listed as the only ClaimsProvierName 

Get-AdfsRelyingPartyTrust

6. Now close your browser and re-open to https://devXXX.service-now.com (where XXX is your uniques instance)

7. Click on Use External Login  on the next page type in your unique user notice now that you will automatically be re-directed to WorkspaceONE click Next.  After authenticated you will automatically be logged into ServiceNow.

Observe you weren't prompted to chose the claim provider as in the original test.

NOTE:  In order to reverse the above simply re-add Active Directory as another claims provider or leave blank to set to defualt. 

 Set-AdfsRelyingPartyTrust -TargetName "ServiceNow" -ClaimsProviderName @("WorkspaceONE Access", "Active Directory")