Integrate Skyhigh CASB for ServiceNow with PingFederate SSO
Use the following procedure to integrate Skyhigh CASB for ServiceNow with PingFederate SSO.
ServiceNow doesn't need a SAML proxy enabled because the ACS URL can be edited. (However, you still need to add shnsaml to the URL so that the username can be extracted.) The changes needed in the IdP and in ServiceNow are described here.
Configure PingFederate SSO IdP
In PingFederate, change the ACS URL to https://www<managed service name>.<primary domain>.<shnpoc/myshn>.net/navpage.do?shnsaml.
For example: https://www.snow.acme.myshn.net/navpage.do?shnsaml
Enable Multi-Provider SSO in ServiceNow
- In ServiceNow, go to SAML settings and change the Homepage URL to https://www<managed service name>.<primary domain>.<shnpoc/myshn>.net/navpage.do?shnsaml. For example, https://www.snow.acme.myshn.net/navpage.do?shnsaml.
- SP-initiated SSO from outside the proxy does not work by default, because the request ID is saved into a cookie. You need to edit the script to allow it. In the SAML2_update1 script, search for inResponseTo and modify this line:

```javascript
if (inResponseTo && !(this.inResponseTo.equals(inResponseTo) ||
```

to:

```javascript
if (inResponseTo && this.inResponseTo && !(this.inResponseTo.equals(inResponseTo) ||
```
For Apache Jakarta and Later
Apache Jakarta and later have a mandatory connection check before saving the SSO configuration, which fails with proxy URLs.
You can disable the "Test connection" feature by following these steps. The examples below assume your instance name is https://dev19391.service-now.com.
- Go to https://dev19391.service-now.com/sys_properties.do and create a new record with the name glide.authenticate.multisso.test.connection.mandatory. Set the type to true|false, set the value to false, and provide a relevant description.
- Go to https://dev19391.service-now.com/sys...erties_list.do and search for "glide.authenticate.multisso.test.connection.mandatory". You should see the record.
- Go to the Multi-SSO plugin, update it with your IdP and proxy details, and click Activate. It should go through the update without the "Test connection" feature.
- Once SSO is configured and verified, update the "glide.authenticate.multisso.test.connection.mandatory" value to true by going to https://dev19391.service-now.com/sys...erties_list.do. After this, for any update, it will ask for the "Test Connection".
Deep Linking
For deep linking to work, you must update the ServiceNow SAML script to always redirect to the proxy when it receives a SAML request.
- In the ServiceNow SAML script, set this property:
glide.authenticate.auth.validate.url = false
- In the MultiSSO_SAML2_Update1 script, change this:

```javascript
if (!samlResponseObject && !relayState) {
    var redirectURL = this.SAML2.generateAuthnRequestRedirectURL(request, false);
```

to:

```javascript
if (!samlResponseObject && !relayState) {
    var qs = request.getQueryString();
    // "shn-direct" marks a request that has already come through the proxy.
    var keyword = "shn-direct";
    if (!qs || qs.indexOf(keyword) === -1) {
        // Not from the proxy: send the browser to the same URI on the managed proxy URL,
        // appending the keyword so the proxied request is not redirected a second time.
        this.redirectURL = 'https://www<Skyhigh ServiceNow Managed URL>' + request.getRequestURI();
        if (qs && qs.length() > 0) {
            this.redirectURL += '?' + qs + '&' + keyword;
        } else {
            this.redirectURL += '?' + keyword;
        }
        return this.redirectURL;
    }
    // Already via the proxy: continue with the normal SP-initiated AuthnRequest.
    var redirectURL = this.SAML2.generateAuthnRequestRedirectURL(request, false);
```
Troubleshooting
For PingFederate, the SP-initiated flow may not work because the SAML request is validated when the SAML response is processed. To fix this, change the IdP Login URL on the SP side.
Instead of setting the URL to https://idp.com:9031/idp/SSO.saml2, set it to a page served through your proxy, followed by ?shnsaml-request= and the URL-encoded IdP URL:
[a page through your proxy, i.e. wwwcrm.bell.devshn.net (and not just crm.bell.devshn.net)]?shnsaml-request=https%3A%2F%2Fidp.com%3A9031%2Fidp%2FSSO.saml2
For example, https://wwwcrm.bell.devshn.net?shnsa...dp%2FSSO.saml2
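The two URL rewrites this page relies on, the deep-linking bounce to the proxy and the proxied IdP Login URL from Troubleshooting, as a small added example (not Skyhigh's or ServiceNow's code) that can be run outside ServiceNow. It uses the page's example host https://www.snow.acme.myshn.net as the managed proxy URL and, unlike the script snippet above, only treats "shn-direct" as present when it is a whole query parameter rather than a substring.

```javascript
// Added example: pure functions mirroring the URL logic described on this page.
const PROXY_BASE = "https://www.snow.acme.myshn.net"; // assumption: managed proxy URL from the page's example
const KEYWORD = "shn-direct"; // marks a request that already came through the proxy

// Deep linking: decide whether a request that reached ServiceNow must be bounced
// to the proxy. Returns the redirect URL, or null when the keyword is already
// present (the script then falls through to the normal AuthnRequest).
function proxyRedirectUrl(requestUri, queryString) {
  const qs = queryString || "";
  // Whole-parameter match so e.g. "x=shn-direction" does not suppress the redirect.
  if (qs.split("&").includes(KEYWORD)) {
    return null;
  }
  let url = PROXY_BASE + requestUri;
  // Preserve the original query string and append the keyword to prevent a loop.
  url += qs.length > 0 ? "?" + qs + "&" + KEYWORD : "?" + KEYWORD;
  return url;
}

// Troubleshooting: build the IdP Login URL that goes through a proxied page and
// carries the real IdP SSO endpoint, URL-encoded, in the shnsaml-request parameter.
function proxiedIdpLoginUrl(proxyPageUrl, idpSsoUrl) {
  return proxyPageUrl + "?shnsaml-request=" + encodeURIComponent(idpSsoUrl);
}

// Constructed sample inputs.
console.log(proxyRedirectUrl("/incident.do", "sys_id=abc"));
console.log(proxyRedirectUrl("/incident.do", "sys_id=abc&shn-direct"));
console.log(proxiedIdpLoginUrl("https://wwwcrm.bell.devshn.net", "https://idp.com:9031/idp/SSO.saml2"));
```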