ServiceNow

This guide provides information on how to configure provisioning for ServiceNow in your Okta org.

Before you start

  • It's assumed that you have already added a ServiceNow app instance in Okta and have configured SSO. See How to Configure SAML 2.0 for ServiceNow. For general information about adding applications, see Add existing app integrations.
  • Okta requirements:
    1. Make sure you have configured your complete Base URL under the General tab in Okta.

    2. Configure your Sign-On options on the next tab.

    3. Click Next to return to the Provisioning tab.

Provisioning features

The following features are supported for provisioning events:

  • Push new users: New users created through Okta are also created in the third-party application.
  • Push user deactivation: Deactivating the user or disabling the user's access to the application through Okta also deactivates the user in the third-party application.
  • Push profile updates: Updates made to the user's profile through Okta are applied to the third-party application profiles.
  • Import new users: New users created in the third-party application are imported and turned into new AppUser objects, for matching against existing Okta users.
  • Import profile updates: Updates made to a user's profile in the third-party application are downloaded and applied to the profile fields stored locally in Okta. If the app is the system of record, changes made to core profile fields (email, first name, family name, and so on) are applied to the Okta user profile. If the app isn't the system of record for the user, only changes made to app-specific fields are applied to the local user profile.
  • Group Push: Groups and their members can be pushed to remote systems. You can find more information about using group push operations (including Group Push enhancements) here: Manage Group Push.
  • Reactivate Users: Reactivating the user through Okta reactivates the user in the third-party application.
  • Sync Password: Pushes the user's password from Okta to the third-party application.

Procedures

Configure ServiceNow provisioning

  1. Check the Enable API Integration box.

  2. Enter your ServiceNow API credentials:

    • Admin User Name: Enter a ServiceNow username with administrator permissions for your organization.

    • Admin Password: Enter a password for your administrator account.

    • Validate the credentials by clicking Test API Credentials.

  3. Click Save.

  4. Select To App in the left panel, then select the Provisioning Features you want to enable.

  5. You can now assign people to the app (if needed) and finish the application setup.

Add user profile attributes with ServiceNow Schema Discovery

ServiceNow supports User's Schema Discovery, so you can add extra attributes to the user's profile.

  1. In the Okta Admin Console, go to Directory > Profile Editor.

  2. Select the APPS section in the left navigation pane, then find your app in the list. Click the Profile edit icon to open the Profile Editor page.

  3. Check the list of attributes, and if you decide you need more, click Add Attribute. A list of extended attributes appears.

  4. Select the attributes that you want to add, then click Save.

  5. After you refresh the page, the added attributes should be present in the list of Custom Attributes. You can now import and push these user attribute values to or from ServiceNow.

  6. You can now create mappings for your custom attributes.

Profile mappings

Default attributes

You can check your default attributes in Directory > Profile Editor. Select the APPS section in the left navigation pane, then find your app in the list.

Active Directory mapping

There are predefined Active Directory (AD) mappings for certain fields. These mappings aren't modifiable and are used only in cases where AD is configured as the source.

Manager/Assistant functions

Here are some examples. For more details, see Directory and Workday functions, and Popular Expressions in Okta developer documentation.

| Function | Description | Example |
|---|---|---|
| getManagerUser(managerSource).$attribute | Gets the manager's Okta user attribute values | getManagerUser("active_directory").firstName |
| getManagerAppUser(managerSource, attributeSource).$attribute | Gets the manager's app user attribute values for the app user of any app instance | getManagerAppUser("active_directory", "google").firstName |
| getAssistantUser(assistantSource).$attribute | Gets the assistant's Okta user attribute values | getAssistantUser("active_directory").firstName |
| getAssistantAppUser(assistantSource, attributeSource).$attribute | Gets the assistant's app user attribute values for the app user of any app instance | getAssistantAppUser("active_directory", "google").firstName |

Pass the correct app name for the managerSource, assistantSource, and attributeSource parameters.

Currently, only active_directory is supported for managerSource and assistantSource.

| Function | Description |
|---|---|
| hasDirectoryUser() | Checks whether the user has an Active Directory assignment and returns a boolean. |
| findDirectoryUser() | Finds the Active Directory App user object and returns that object, or null if the user has more than one or no Active Directory assignments. |

Custom mapping

If you have custom mappings for your existing ServiceNow app, you can map the custom attribute from the Okta profile to a field that is hard-coded in the ServiceNow connector and not used by the org. You can then assign that field to the appropriate column name in ServiceNow. Make this mapping manually for the new ServiceNow app (as described in Schema Discovery).

For example, let's say there's a T-shirt Size attribute in the Okta profile, and the title attribute isn't used by the org today:

  1. The customer maps user.tshirt to the ServiceNow appuser.title:

    [Screenshot: servicenow_new_13]

  2. In the Provisioning section of the ServiceNow app, the user then enters tshirt as the column name that title maps to.

    [Screenshot: servicenow_new_14]

  3. Now (after adding attributes as described in Schema Discovery), it should look like this:

    [Screenshot: servicenow_new_15]

Limitations

  1. If the ServiceNow app contains two users with different user IDs and the same email (for example, email=test_email@test.com), you receive an error:

    [Screenshot: servicenow_new_16]

    [Screenshot: servicenow_new_17]

  2. In ServiceNow version UD.1.0.4, the Time Zone user property was moved to the user group level. When the ServiceNow UD app is assigned to a user group, the admin can select the time zone for all users in this group. Also, the value is now populated from a dropdown list instead of a regular text field as before.

    This change is applied for all applications created with the new connector version. For existing connectors there are two options:

    • Ask support to migrate the UD schema for this app to an updated version. Note that all imported custom user attributes will be dropped, and you should re-add them and reimport users to fetch attribute data from ServiceNow.

    • Continue using the connector without an update.

    To determine if you have the Time Zone attribute on the group level, try to assign the ServiceNow application to a user group:

    No Time Zone (old version):

    [Screenshot: servicenow_new_18]

    With Time Zone (new version):

    [Screenshot: servicenow_new_19]

  3. If a ServiceNow app instance has users assigned to a new cost center, company, or department that haven't been imported into Okta previously, you must refresh application data before importing users. Otherwise, the import fails with the "An error occurred during import" message.

    To refresh application data, select the Applications tab, select More, then click Refresh Application Data. Application data is updated in the background in several minutes.

  4. Disabling enumerated lists

    • If Disable Enumerated Lists is checked, it shouldn't be later cleared for that app instance. That is, this functionality can only be enabled once for an app instance.

    • A new ServiceNow app instance should be created and configured if you want to Disable Enumerated Lists again (the default behavior for a new ServiceNow app instance).
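A pre-import check for limitation 1 (two user IDs sharing one email), as an added example that is not part of the Okta documentation or connector. It assumes you have exported ServiceNow users as JSON in the Table API response shape, with the sys_user fields user_name and email; comparing emails case-insensitively and skipping blank emails are also assumptions, chosen to be conservative.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a ServiceNow Table API response for sys_user
# (fields user_name and email). These records are made up for illustration.
SAMPLE_EXPORT = json.dumps({
    "result": [
        {"user_name": "adoe", "email": "test_email@test.com"},
        {"user_name": "a.doe.admin", "email": "Test_Email@test.com "},
        {"user_name": "bsmith", "email": "bsmith@test.com"},
        {"user_name": "svc_backup", "email": ""},
        {"user_name": "svc_monitor", "email": ""},
    ]
})


def find_shared_emails(export_json):
    """Return {normalized_email: sorted user IDs} for emails used by 2+ user IDs."""
    records = json.loads(export_json).get("result", [])
    ids_by_email = defaultdict(set)
    for record in records:
        # Assumption: treat emails as equal regardless of case or padding.
        email = (record.get("email") or "").strip().casefold()
        user_id = (record.get("user_name") or "").strip()
        # Assumption: records with a blank email or user ID are not conflicts.
        if not email or not user_id:
            continue
        ids_by_email[email].add(user_id)
    return {
        email: sorted(ids)
        for email, ids in ids_by_email.items()
        if len(ids) > 1
    }


def format_report(conflicts):
    """Render one line per conflicting email for an admin to resolve."""
    return [
        f"{email}: {len(ids)} user IDs ({', '.join(ids)})"
        for email, ids in sorted(conflicts.items())
    ]


if __name__ == "__main__":
    for line in format_report(find_shared_emails(SAMPLE_EXPORT)):
        print(line)
```

Resolve each reported email in ServiceNow before running the import, so the conflict does not surface as an import error.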

Other features

The following features are also available to use with ServiceNow.

Okta Identity Cloud for ServiceNow

If you're configuring the Okta Identity Cloud application for ServiceNow Express or Enterprise, see Okta Identity Cloud Deployment Guide.
Note that Okta Identity Cloud available in the ServiceNow store completely replaces the "SSO Provided by Okta" plugin inside of ServiceNow. That plugin is now deprecated, and the Okta Identity Cloud app provides all SSO and User Lifecycle functionality for ServiceNow via standard Okta integrations and the Multi-Provider SSO Plugin in ServiceNow.

Okta Orchestration Activity Pack

If you're configuring the Okta Orchestration Activity Pack, see Okta Orchestration Activity Pack Setup.

Resources

Extend and Customize Lifecycle Workflows