Implementing ServiceNow SSO on Android

Is your enterprise on the hunt for streamlined operations? Implementing ServiceNow SSO (Single Sign-On) on Android devices using Hypergate Authenticator could be the game-changer you need.

This guide specifically focuses on how to enable SSO for ServiceNow using Hypergate Authenticator on Android devices. We’re primarily leveraging SAML protocol for integration, a popular standard for SSO. This is, however, with an AD FS (Active Directory Federation Services) infrastructure in mind as the identity provider (idP). If your infrastructure utilizes idPs like Okta or PingFederate, don’t worry; these can be just as compatible. Furthermore, you can also use OAuth, OpenID Connect, or WS-Fed, depending on what your idP and service support.

Overview of ServiceNow SSO on Android

ServiceNow, with over 6,200 customers, is a leading light in the digital workflow sector. Its Android app, when integrated with SSO using Hypergate Authenticator, significantly enhances user experience.

Prerequisites for Implementing ServiceNow SSO

• Hypergate Authenticator for iOS or Android
• Microsoft AD with AD FS configured

The Goal of ServiceNow SSO Integration on Android

The goal is to have the best possible user experience on the mobile. At the end of this guide, your user will be able to use the application without the need to enter any credentials. The following video shows you what the user experience looks like on a newly enrolled mobile device (the app has never been opened before):

Step-by-Step Configuration of ServiceNow SSO on Android

Firstly, activate the Multi-Provider SSO Plugin on ServiceNow:

1. In the navigation search field, search for “Plugins“
2. Open System Definition – Plugins
3. Search for “Multiple Provider Single Sign-On“
4. Click on Install

After successfully installing the “Multi-Provider SSO plugin“, we need to create a new Identity provider. This can be done by:

1. Opening Multi-Provider SSO – Identiti Providers
2. Click on New
3. The following dialog should show up:
   

   

4. Enter the FederationMetadata URL of your ADFS, this should look like the following URL: https://your-adfs-domain.com/FederationMetadata/2007-06/FederationMetadata.xml
5. Click in Import

The following parameters need to be adjusted in the tab Encryption and Signing:

1. Set the Signing/Encryption Key Alias to saml2sp
2. Set the Signing/Encryption Key Password to saml2sp
3. Check Sign Logout Request

The following parameters need to be adjusted in the tab Advanced:

1. Set the AuthnContextClassRef Method to urn:federation:authentication:windows
2. Set the Single Sign-On Script to MultiSSOv2_SAML2_custom

After configuring the Identity Provider correctly, click on the Generate Metadata button and save the resulting configuration in a XML file called servicenow-metadata.xml. We will need it later when configuring AD FS.

Diving into ADFS Configuration

On the AD FS side we need to add a new Relying Party Trust. Just follow these steps:

1. Open the Server Manager
2. Click on Tools and open the AD FS Management
3. In the Management Console right click on Relying Party Trusts and select Add Relying Party Trust…
4. The Wizard should start, select Claim aware and click on Start
5. Select Import data about the relying part from a file and select the previously saved servicenow-metadata.xml and click on Next
6. Fill in a display name
7. Leave the Access Control Policy with Permit everyone
8. Confirm the configuration by clicking Next and finish the Wizard

Concluding ADFS Configuration Steps

To conclude the ADFS configuration:

1. Right click on the newly created Relaying Party Trust
2. Select Edit Claim Issuance Policy…
3. Click on Add a Rule…
4. Select Send LDAP Attributes as a Claim as template
5. Enter the following details:
   1. Set the Claim rule Name to Get LDAP Claims
   2. Set the Attribute Store to Active Directory
   3. Add a new row to the Mapping and set User-Principal-Name to Name ID
      
      
6. Confirm the configuration with OK and Add antoher Rule
7. This time select Transform an incoming Claim as template
8. Enter the following details:
   1. Set the Claim rule Name to Email to Name ID
   2. Set the Incoming claim type to UPN
   3. Set the Outgoing claim type to Name ID
   4. Set the Outgoing name ID format to Unspecified
   5. Select Pass through all claim values

The AD FS configuration is now done. We can now mark the Identity Provider in sevice now as Active and set it to Default.

Final Phase: Mobile Configuration for ServiceNow SSO

The only thing remaining is to preconfigure the Service-Now app for our Tenant. This can be done with a managed confguration: