ServiceNow UD Provisioning migration guide

Learn how to migrate your existing ServiceNow integration to use Universal Directory (UD).

What's new

Support for ServiceNow Geneva version and above
User Schema Discovery support with unlimited custom attributes
Flexible user attribute mapping support
The Okta ServiceNow plugin is no longer required for provisioning

Before you begin

You need to know what settings you are using for your current ServiceNow app instance: Determine your current ServiceNow configuration

You should configure your new ServiceNow UD app instance to be as close to your current ServiceNow instance as possible: Configure a new ServiceNow UD app instance

Procedure

High level procedure for migrating your existing ServiceNow integration to use UD:

Configure a new instance as close as possible to your existing ServiceNow app instance.
Transfer your existing users to it.
Copy over any existing mappings you may have.

Detailed steps:

Determine your current ServiceNow configuration
Configure a new ServiceNow UD app instance
Migrate your Service Now app
Migrate using Group Assignment
ServiceNow UD Provisioning migration guide
Migrate users with the same email address in ServiceNow
Migration for Pushed Groups
Verify your migration

Determine your current ServiceNow configuration

In Okta, go to your ServiceNow - Eureka or any later released app instance.
Go to the Sign On tab for this app and check the following settings:
- SSO mode: Either SWA or SAML. Use the same mode for your new ServiceNow UD app.
- For SWA configured apps, check the password settings (for example, User sets username and password). Use the same settings for your new ServiceNow UD app.
- For SWA configured apps, check the Application username format. Use the same value for your new ServiceNow UD app.
Go to ProvisioningTo Apps. Make note of the features that are enabled. Enable the same features for your new ServiceNow UD app to avoid missing or overwriting user's data. Enable all provisioning features if you want to manage all user's data from Okta:
- If the Sync Password feature is not enabled for your existing ServiceNow app, it means you may allow end-users to set their passwords depending upon the setting you select under Secure Web Authentication on the Sign On tab.
  - Administrator sets username and password: In this case, you have to manually enter passwords for all migrated users. Okta recommends that you enable this feature before migration to avoid having to manually enter passwords for all migrated users.
  - User sets username and password: In this case, following migration, end users must enter valid usernames and passwords they are using for the current ServiceNow SWA app.
  - Administrator sets username, user sets password: In this case, after migration, end users must enter valid passwords they are using for the current ServiceNow SWA app.
- If the Update user attributes feature is disabled for your existing ServiceNow app, you may have some unsynchronized users, which can be missed during migration. If you have users with updated profiles in ServiceNow, for example, an updated email address, these users cannot be auto-confirmed during import. To migrate such users, they have to be manually confirmed.
- If the Deactivation feature is disabled for your existing ServiceNow app, you may run into issues during user migration to your new ServiceNow UD instance. If you have unassigned users from your existing ServiceNow app, but who are not actually deactivated on the ServiceNow side, these users would be auto-confirmed for the new ServiceNow UD app. You can manually unassign such users after migration.
Open the Profile Editor, locate your current ServiceNow app and check the current mappings. You will have to copy these to your new ServiceNow UD app. If you have custom mappings, these also need to be copied over.

Configure a new ServiceNow UD app instance

In the Admin Console, go to ApplicationsApplications.
Locate ServiceNow UD then click Add.
Enter the Base URL for your ServiceNow tenant, then click Next.
Select the same SIGN ON METHOD as your current ServiceNow - Eureka app instance, then click Done.

See Determine your current ServiceNow configuration
Select the Provisioning tab and then Configure API Integration.
Click To AppGo to Profile Editor.

Note: If you have the Location attributes in your current Service Now - Eureka app, you need to add it to the new ServiceNow UD app as follows:

Click Add Attribute, select the Location attribute, then click Save.
Click Map Attributes, then go to Okta to ServiceNow UD.
Copy and paste mappings from your current Service Now - Eureka for all duplicated attributes, then click Save Mappings.

If you have your current ServiceNow app configured with Active Directory, you need to also copy and paste mappings for all attributes to be the same as your current app.

If you have custom mappings for your current ServiceNow app such as adUser.tshirt > oktaUser.title > snowUser.title and have configured tshirt as the column name for the title attribute in ServiceNow Provisioning, you need to configure the same mapping for your new app instance as follows:

Import user attributes from ServiceNow.
Add the tshirt attribute to the user profile.
Configure mapping as follows: adUser.tshirt > oktaUser.tshirt > snowUser.tshirt.

For example, if there is a T-shirt Size attribute in the Okta profile; and the ServiceNow title attribute is not currently used by the org:

Mappings are set to user.tshirt → ServiceNow appuser.title
In the provisioning section of the ServiceNow app, tshirt is configured as the column name that title maps to.
Mappings will now look like this example:

Migrate your Service Now app

The migration steps might differ if your current ServiceNow app is configured with SWA or SAML SSO. The differences are highlighted.

Disable all provisioning features for your existing ServiceNow app.
Configure a new ServiceNow UD app instance. See Configure a new ServiceNow UD app instance.
Depending on how your current ServiceNow app integration is configured, we recommend two separate migration flows:
- Migrate using Group Assignment
  Use this method if the following criteria are met, otherwise use ServiceNow UD Provisioning migration guide:
  - All users are assigned via group level for your current ServiceNow - Eureka app instance.
  - All users in groups are sorted by the following attributes and have the same values for them: Department, Cost Center and Location (if it is added - See Configure a new ServiceNow UD app instance)
  - All users in groups have the same values for the Time zone and Company attributes on ServiceNow side. These attributes aren't supported by the old Service Now app but are supported in the new UD app.
  Note: The values of some attributes could be overwritten for all users during the migration. If this is not critical for you, proceed with the migration flow using Group assignment.
- ServiceNow UD Provisioning migration guide

Migrate using Group Assignment

Contact Okta Support to ensure your organization has the APPLICATION_ENTITLEMENT_POLICY feature flag enabled. This feature allows you to map user attributes instead of static values in group assignments (for example, user.department instead of Financial for all users in the group).

Before migration, Okta recommends you try a test migration:

Your current ServiceNow app is not configured with Active Directory and all attributes are mapped to the Okta user profile

Create a new test group in Okta.
Create a new test user in Okta and set values for attributes mapped to ServiceNow (manager, department, cost center).
Add this user to the test group.
Assign the test group to your current ServiceNow app (make sure you have provisioning features enabled) and check the user is created on the ServiceNow side with the correct attributes values.
Disable provisioning for your current ServiceNow app.
Assign the test group to your new ServiceNow UD app and map the same Active Directory attributes.
Check that the user is linked and the user's profile is updated in ServiceNow only for attributes that don't exist in the old Service Now app.

Your current ServiceNow app is configured with Active Directory:

Create a new test group in Active Directory.
Create a new test user in Active Directory and set up all attributes that are mapped from Active Directory to ServiceNow (such as manager, department, cost center).
Add the new test user to the test group.
Go to Okta and perform an import from Active Directory.
Confirm the test user exists in Okta.
Assign the test group with the test user to your old ServiceNow app.
Make sure the user is created with the correct attribute values.
Disable provisioning for your old ServiceNow app.
Assign the test group to your new ServiceNow UD app and map the same Active Directory attributes.
Verify users and their profiles.

If you run into issues during your test migration, check the settings for inconsistencies, correct them and try again. If the test migration is successful, you can start the migration process for all groups.

During migration you might encounter data loss for some users and might have to rewriting the user's profile.

After testing is complete, you can continue with migration:

Identify one or more groups in Okta which collectively include all users assigned to your current ServiceNow integration.
Make sure you have disabled provisioning features for your current ServiceNow app.
Go to your new ServiceNow UD app and assign the group.
During the assignment, set all group level attributes accordingly.

If you have blank values for some attributes for users in the group, you may set Not Selected from the dropdown list, or specify a value.

Hide or deactivate the old ServiceNow app

When your new ServiceNow UD app is set up and assigned, you can either ServiceNow UD Provisioning migration guide or ServiceNow UD Provisioning migration guide your old ServiceNow application tile from the Okta End-User Dashboard to avoid confusion.

Hide the old ServiceNow app

Open the old ServiceNow app and go to the General tab.
Click Edit.
Select Do not display application icon to users.
Click Save.

Deactivate the old Service now app

In this case, all previously imported groups for old ServiceNow app will be deleted in Okta:

Open the old ServiceNow app.
Click the Active button, then select Deactivate.
Click Save.

End-user migration flow

After you have assigned the new ServiceNow UD app (new application tile), end users must click the new application tile on their dashboard. If they are able to sign in to ServiceNow, there is no further action.

Migrate using Import and Auto-confirm

Before migration, Okta recommends you try a test migration:

In your existing ServiceNow UD app instance, go to ProvisioningTo Okta. In the User Creation & Matching section select Imported user is an exact match to Okta user if - Email matches:
Import new users in your new ServiceNow UD instance. Make sure all users are matches and can be linked to existing users.
Notes:
- If the Push Profile feature is disabled for your existing ServiceNow app, you might be missing some users after migration to the new Service Now UD app. You need to manually confirm them after migration.
- If the Deactivation feature is disabled for your existing ServiceNow app, you may find some matches for users who aren't assigned to your current ServiceNow app. You should manually unassign these users after migration.
- If you have different users in ServiceNow with the same email address, you may encounter mismatch issues. In this case, see Migrate users with the same email address in ServiceNow.
Confirm test user and check that the import is successful.

Notes:

If you encountered issues during test migration, check the settings for inconsistencies, correct them to be the same as for your current ServiceNow app, and try again. If the test migration is successful, you can start the process of migration for all users.
During migration you might encounter loss of data for some users and might have to rewrite the user's profile.

When the testing is complete, you may continue with migration:

In your ServiceNow UD app instance, go to ProvisioningTo Okta. In the User Creation & Matching section select Imported user is an exact match to Okta user if - Email matches and Auto-confirm exact matches:
Import new users in your new ServiceNow UD instance. All existing users should be auto-confirmed. All groups are imported as well for the new ServiceNow UD, so you may have duplicate groups.
The following additional actions may be required depending upon how your old ServiceNow app was configured:
- If the Push Profile feature is disabled for your old ServiceNow app and you miss some users during migration to the new ServiceNow UD app, you need to manually confirm them.
  Important: Do not create new users. Link existing users only:
  [1] Find your user → [2] Click on "arrow" → [3] Select "EXISTING Okta user I specify" and enter username for your existing user.
- If the Deactivation feature is disabled for your existing ServiceNow app and you find some confirmed users which shouldn't be, you can unassign such users after migration manually.
- For SWA configurations only: If you have configured Administrator sets username and password for your existing ServiceNow app, you need to manually enter passwords for all migrated users: Go to Assignment, select the user, click Edit then Set password.
- For SWA configurations only: If you have configured User sets username and password, your end users need to enter the valid username and password they are using for the current ServiceNow SWA app, after migration.
- For SWA configurations only: If you have configured Administrator sets username, user sets password, your end users need to enter the valid password they are using for the current ServiceNow SWA app, after migration.
When the import is complete, Okta suggests you either Hide or Deactivate the old ServiceNow app from the Okta End-User Dashboard.

Hide or deactivate the old ServiceNow app

Hide the old ServiceNow app

Open the old ServiceNow app and go to the General tab.
Click Edit.
Select Do not display application icon to users.
Click Save.

Deactivate the old Service now app

In this case, all previously imported groups for old ServiceNow app will be deleted in Okta:

Open the old ServiceNow app.
Click the Active button, then select Deactivate.
Click Save.

End-user migration flow

Migrate users with the same email address in ServiceNow

If you are migrating users with the same email address in ServiceNow, Okta recommends that you use single user assignment, as follows:

Make sure you have disabled provisioning for your current (old) Service Now app instance.
Identify the users in Okta who have the same email address in both ServiceNow and Okta.
Check that all attribute values are the same for both Okta and ServiceNow users to avoid overwriting values.
Assign these users to the new ServiceNow UD app instance.
Check users in ServiceNow; the user profile should be updated only for the new attributes.

Migration for Pushed Groups

Go to your old ServiceNow - Eureka or any later released app instance, unlink and delete the pushed group.
Go to your new ServiceNow UD app instance and push this group.

Note: You receive an error if you attempt to push the same group from you new ServiceNow app, without first deleting it from your old ServiceNow app:

Verify your migration

Check System Logs about importing users.
Verify that the number of imported users matches the number of existing users for your existing ServiceNow app instance.
Sign in via the application tile for the new ServiceNow UD app and check the user's permissions.
Check the Dashboard for errors.