ServiceNow

This guide provides information on how to configure provisioning for ServiceNow in your Okta org.

Prerequisites

  • This guide assumes that you have already added a ServiceNow app instance in Okta and configured SSO. See How to Configure SAML 2.0 for ServiceNow. For general information about adding applications, see Add existing app integrations.
  • Okta requirements:
    1. Make sure you have configured your complete Base URL under the General tab in Okta.

    2. Configure your Sign-On options on the next tab.

    3. Click Next to return to the Provisioning tab.

Provisioning features

The following Provisioning features are supported:

  • Push new users: New users created through Okta will also be created in the third-party application.

  • Push user deactivation: Deactivating the user or disabling the user's access to the application through Okta will deactivate the user in the third-party application.

  • Push profile updates: Updates made to the user's profile through Okta will be pushed to the third-party application.

  • Import new users: New users created in the third-party application will be downloaded and turned into new AppUser objects, for matching against existing Okta users.

  • Import profile updates: Updates made to a user's profile in the third-party application will be downloaded and applied to the profile fields stored locally in Okta. If the app is the system of record for the user, changes made to core profile fields (email, first name, last name, etc.) will be applied to the Okta user profile. If the app is NOT the system of record for the user, only changes made to app-specific fields will be applied to the local user profile.

  • Group Push: Groups and their members can be pushed to remote systems. You can find more information about using group push operations (including Group Push enhancements) here: Manage Group Push.

  • Reactivate Users: Reactivating the user through Okta will reactivate the user in the third-party application.

  • Sync Password: Pushes user password from Okta to the third-party application.

Procedures

Configure ServiceNow provisioning

Configure your Provisioning settings for ServiceNow as follows:

  1. Check the Enable API Integration box.

  2. Enter your ServiceNow API Credentials:

    • Admin User Name: Enter a ServiceNow username with administrator permissions for your organization.

    • Admin Password: Enter a password for your administrator account (above).

    • Validate the credentials by clicking Test API Credentials.

  3. Click Save.

  4. Select To App in the left panel, then select the Provisioning Features you want to enable.

  5. You can now assign people to the app (if needed) and finish the application setup.

Add user profile attributes with ServiceNow Schema Discovery

ServiceNow supports user Schema Discovery, so you can add extra attributes to a user's profile.

To add extra attributes to a User’s Profile, follow the instructions below:

  1. In the Okta Admin Console, go to Directory > Profile Editor.

  2. Select the APPS section in the left navigation pane, then find your app in the list. Click the Profile edit icon to open the Profile Editor page.

  3. Check the list of attributes, and if you decide you need more, click Add Attribute. A list of extended attributes will appear.

  4. Select the attributes you want to add, then click Save.

  5. After you refresh the page, the added attributes should be present in the list of Custom Attributes. You can now import and push these user attribute values to or from ServiceNow.

  6. You can now create mappings for your custom attributes.

Profile mappings

Default attributes

To check your default attributes, go to Directory > Profile Editor, select the APPS section in the left navigation pane, then find your app in the list.

Active Directory mapping

There are predefined Active Directory (AD) mappings for certain fields. These mappings are not modifiable and are used only in cases where AD is configured as the source.

Manager/Assistant functions

Here are some examples. For more details, see Directory and Workday functions, and Popular Expressions in Okta developer documentation.

  • getManagerUser(managerSource).$attribute
    Description: Gets the manager’s Okta user attribute values.
    Example: getManagerUser("active_directory").firstName

  • getManagerAppUser(managerSource, attributeSource).$attribute
    Description: Gets the manager’s app user attribute values for the app user of any app instance.
    Example: getManagerAppUser("active_directory", "google").firstName

  • getAssistantUser(assistantSource).$attribute
    Description: Gets the assistant’s Okta user attribute values.
    Example: getAssistantUser("active_directory").firstName

  • getAssistantAppUser(assistantSource, attributeSource).$attribute
    Description: Gets the assistant’s app user attribute values for the app user of any app instance.
    Example: getAssistantAppUser("active_directory", "google").firstName

Pass the correct app name for the managerSource, assistantSource, and attributeSource parameters.

At this time, only active_directory is supported for managerSource and assistantSource.

  • hasDirectoryUser()
    Description: Checks whether the user has an Active Directory assignment and returns a boolean.

  • findDirectoryUser()
    Description: Finds the Active Directory App user object and returns that object, or null if the user has more than one or no Active Directory assignments.

Custom mapping

The following applies if you have a custom mapping for your existing ServiceNow app.

If you map a custom attribute from the Okta profile to a field that is hard-coded in the ServiceNow connector and not used by the org, and then assign that hard-coded field to the appropriate column name in ServiceNow, you must make this mapping manually for the new ServiceNow app (as described in Schema Discovery).

For example, let's say there is a T-shirt Size attribute in the Okta profile. And the title attribute is not used by the org today:

  1. The customer maps the user.tshirt to ServiceNow appuser.title:

    [Image: servicenow_new_13]

  2. In the Provisioning section of the ServiceNow app, the user then enters tshirt as the column name that title maps to.

    [Image: servicenow_new_14]

  3. Now (after adding attributes as described in Schema Discovery), it should look like this:

    [Image: servicenow_new_15]

Limitations

  1. If the ServiceNow app contains two users with different User IDs and the same email (for example email=test_email@test.com), and you try to create a user with the same email and username (for example Okta UserName=Okta email = test_email@test.com) from the Okta side, you receive an error:

    [Image: servicenow_new_16]

    [Image: servicenow_new_17]

  2. In the ServiceNow UD.1.0.4 version, the Time Zone user property was moved to the user group level: once the ServiceNow UD app is assigned to a user group, the admin can select the Time Zone value for all users in this group. Also, the value is now populated from a dropdown list instead of a regular text field as before.

    The change above will be applied for all applications created with the new connector version. For existing connectors there are two options:

    • Ask support to migrate the UD schema for this app to an updated version. Note that all imported custom user attributes will be dropped, so you must re-add them and re-import users to fetch attribute data from ServiceNow.

    • Continue using the connector without an update.

    To determine if you have the Time Zone attribute on the group level, try to assign the ServiceNow application to a user group:

    No Time Zone (old version):

    [Image: servicenow_new_18]

    With Time Zone (new version):

    [Image: servicenow_new_19]

  3. If a ServiceNow app instance has users assigned to a new Cost center, Company, or Department that hasn’t been imported into Okta previously, you need to refresh application data before importing users; otherwise, the import will fail with the "An error occurred during import" message.

    To refresh application data, select the Applications tab, select More, then click Refresh Application Data. Application data will be updated in the background in several minutes.

  4. Disable Enumerated Lists

    • If Disable Enumerated Lists is checked, it shouldn't subsequently be unchecked for that particular app instance. That is, this functionality can only be enabled once for an app instance.

    • A new ServiceNow app instance should be created and configured if you want to Disable Enumerated Lists again (the default behavior for a new ServiceNow app instance).
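
A pre-check for limitation 1, added here as an example and not part of Okta's or ServiceNow's own tooling: it scans a ServiceNow user export for emails shared by more than one User ID and lists the Okta usernames whose creation would hit them. The CSV layout, the column names user_name and email, the case-insensitive comparison, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of a ServiceNow user export (not real data).
# Assumed columns: user_name (the User ID) and email.
SAMPLE_EXPORT = """user_name,email,active
jdoe,test_email@test.com,true
john.doe,Test_Email@test.com,true
asmith,asmith@test.com,true
svc.backup,,true
"""


def find_duplicate_emails(export_csv):
    """Return {email: sorted User IDs} for emails held by 2+ distinct User IDs."""
    ids_by_email = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_csv)):
        # Assumption: emails are compared case-insensitively, ignoring padding.
        email = (row.get("email") or "").strip().lower()
        user_id = (row.get("user_name") or "").strip()
        if not email or not user_id:
            continue  # a blank email cannot collide with an Okta username
        ids_by_email[email].add(user_id)
    return {e: sorted(ids) for e, ids in ids_by_email.items() if len(ids) > 1}


def blocked_okta_users(okta_usernames, duplicates):
    """Okta usernames (username = email) that match a duplicated ServiceNow email."""
    return sorted(u for u in okta_usernames if u.strip().lower() in duplicates)


if __name__ == "__main__":
    dups = find_duplicate_emails(SAMPLE_EXPORT)
    for email, ids in dups.items():
        print(f"{email}: shared by User IDs {', '.join(ids)}")
    # Constructed Okta usernames to check before enabling Push new users.
    pending = ["test_email@test.com", "asmith@test.com"]
    print("Would fail on create:", blocked_okta_users(pending, dups))
```

Resolve each reported duplicate in ServiceNow before assigning the affected users to the app in Okta.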

Additional features

Okta Identity Cloud for ServiceNow

If you are configuring the Okta Identity Cloud application for ServiceNow Express or Enterprise, see Okta Identity Cloud Deployment Guide.
Note that Okta Identity Cloud available in the ServiceNow store completely replaces the "SSO Provided by Okta" plugin inside of ServiceNow. That plugin is now deprecated, and the Okta Identity Cloud app provides all SSO and User Lifecycle functionality for ServiceNow via standard Okta integrations and the Multi-Provider SSO Plugin in ServiceNow.

Okta Orchestration Activity Pack

If you are configuring the Okta Orchestration Activity Pack, see Okta Orchestration Activity Pack Setup.

Resources

Extend and Customize Lifecycle Workflows