How to: Implement Azure AD SSO with ServiceNow
In this how-to I will set up Single Sign-On (SSO) using Microsoft Azure AD without the use of a ServiceNow MID Server. This article was written against the ServiceNow Jakarta release; if you are on a different release some of the screens may look different.
1. Azure setup
Before you continue make sure that you have the "Global Administrator" role as this is required.
1.1 Go to portal.azure.com and login with your credentials.
1.2 Click on Azure Active Directory in the menu to your left.
1.3 Click on "Enterprise applications" in the menu.
1.4 Click on "New application" at the top of the page.
1.5 Select "IT infrastructure" in the filter to the left.
1.6 Locate ServiceNow by searching for it and click the ServiceNow icon to create the Application.
1.7 Under "Quick start" click "Configure single sign-on (Required)"
1.8 Select "SAML-based Sign-on" and enter your instance URL in the "Sign on URL" and the "Identifier". Click on "Save".
1.9 In case the new certificate is in status "New" click the "Make new certificate active" checkbox and then click Save. If your certificate is already in status "Active" you can skip this step.
1.10 Scroll down a bit and click the "Certificate (Base64)" link to download the certificate.
1.11 Scroll further down and click "Configure ServiceNow"
1.12 Check the checkbox "Manually configure single sign-on".
1.13 Scroll down and locate the "Quick Reference". Copy the "Azure AD Single Sign-On Service URL", the "Azure AD Sign Out URL", and the "Azure AD SAML Entity ID". We will need this information later.
1.14 Go back to the "Quick start" and click on "Assign a user for testing (required)". Pick a user that you wish to test with and add it to the list. You can pick yourself if you like.
2. ServiceNow setup
To set things up in ServiceNow you need to have the role "admin".
2.1 Go to your ServiceNow backend and log in.
2.2 Click the "Plugins" link under "System Definition".
2.3 Find the "Integration - Multiple Provider Single Sign-On Installer" plugin and install it if it is not already installed.
2.4 Go to "Multi-Provider SSO -> Administration -> x509 Certificates"
2.5 Click the "New" icon at the top of the page.
2.6 Fill out the "Name" with something that makes sense to you. The field Format should be "PEM" and the Type "Trust Store Cert". In the "PEM certificate" field paste the certificate that you downloaded from Azure earlier. You can do this by opening the file in a text editor like Notepad and copying the content out. Click "Submit" and the certificate is now stored in ServiceNow.
2.7 Click on "Multi-Provider SSO -> Identity Providers"
2.8 Click on the "New" button at the top.
2.9 Pick "SAML"
2.10 Click cancel on the dialogue box that appears.
2.11 Give your Identity Provider a name in the "Name" field. Make sure to check the "Default" check box. Fill out the fields with the following information:
Identity Provider URL: https://sts.windows.net/"unique id"/ - this is the "Azure AD SAML Entity ID" we copied in step 1.13
Identity Provider's AuthnRequest: https://login.microsoftonline.com/"unique id"/saml2 - this is the "Azure AD Single Sign-On Service URL" we copied in step 1.13
Identity Provider's SingleLogoutRequest: https://login.microsoftonline.com/common/wsfederation?wa=wsignout1.0
ServiceNow Homepage: your instance (e.g. https://yourcompany.service-now.com)
Entity ID / Issuer: your instance (e.g. https://yourcompany.service-now.com)
Audience URI: your instance (e.g. https://yourcompany.service-now.com)
NameID Policy: urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified
Click "Submit" to save the Identity Provider record.
2.12 Click the newly created record.
2.13 Right click at the top bar and click "Copy sys_id". Paste this ID somewhere as you may need it later.
2.14 Click the "Advanced tab" and enter the following values:
User Field: user_name
AuthnContextClassRef Method: http://schemas.microsoft.com/ws/2008/06/identity/authenticationmethod/password
Single Sign-On Script: MultiSSO_SAML2_Update1
Clock Skew: 60
Protocol Binding for the IDP's SingleLogoutRequest: urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect
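The fields entered in steps 2.11 and 2.14 are the values ServiceNow later holds an Azure AD SAML Response against: the Identity Provider URL must equal the assertion's Issuer, the Audience URI must equal the assertion's Audience, the Conditions time window is widened by the Clock Skew, and the NameID is matched against the sys_user column named in User Field. The following Python script is an added example (not code from this article and not ServiceNow's MultiSSO_SAML2_Update1 script) that makes those checks explicit: it first looks for inconsistencies in the record itself (for instance a different tenant id in the two Azure URLs, or an Audience URI that is not the instance URL) and then applies the record to a SAML Response. The tenant id, the instance name and the SAML Response are all constructed for the example; signature verification against the trust-store certificate from step 2.6 is a separate step and is deliberately not implemented here.

```python
"""Check a ServiceNow Identity Provider record for consistency and apply it to a
SAML Response. Added example; the record values, tenant id, instance name and
the SAML Response below are constructed and not taken from a real tenant."""
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
GUID = r"[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Values as entered on the Identity Provider form in steps 2.11 and 2.14 (constructed).
IDP_RECORD = {
    "idp_url": "https://sts.windows.net/00000000-0000-0000-0000-000000000001/",
    "authn_request": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000001/saml2",
    "homepage": "https://yourcompany.service-now.com",
    "entity_id": "https://yourcompany.service-now.com",
    "audience": "https://yourcompany.service-now.com",
    "nameid_policy": NAMEID_UNSPECIFIED,
    "user_field": "user_name",
    "clock_skew": 60,  # seconds, as on the Advanced tab
}

# A constructed SAML Response of the shape Azure AD returns (signature omitted).
SAML_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0">
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T12:00:00.000Z">
    <saml:Issuer>https://sts.windows.net/00000000-0000-0000-0000-000000000001/</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jane.doe</saml:NameID>
    </saml:Subject>
    <saml:Conditions NotBefore="2024-01-01T11:59:00.000Z" NotOnOrAfter="2024-01-01T13:00:00.000Z">
      <saml:AudienceRestriction>
        <saml:Audience>https://yourcompany.service-now.com</saml:Audience>
      </saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_record(rec):
    """Return a list of problems with the record itself (empty when it is consistent)."""
    problems = []
    idp_tenant = re.search(GUID, rec["idp_url"])
    req_tenant = re.search(GUID, rec["authn_request"])
    if not idp_tenant or not rec["idp_url"].startswith("https://sts.windows.net/"):
        problems.append("Identity Provider URL is not https://sts.windows.net/<tenant id>/")
    if not req_tenant or not rec["authn_request"].endswith("/saml2"):
        problems.append("AuthnRequest URL is not https://login.microsoftonline.com/<tenant id>/saml2")
    if idp_tenant and req_tenant and idp_tenant.group(0).lower() != req_tenant.group(0).lower():
        problems.append("tenant id differs between Identity Provider URL and AuthnRequest URL")
    if not (rec["entity_id"] == rec["audience"] == rec["homepage"]):
        problems.append("Entity ID / Issuer, Audience URI and ServiceNow Homepage must all be the instance URL")
    for key in ("homepage", "entity_id", "audience"):
        if not rec[key].startswith("https://"):
            problems.append(key + " must use https")
    if rec["nameid_policy"] != NAMEID_UNSPECIFIED:
        problems.append("NameID Policy is not the unspecified format used in step 2.11")
    return problems


def parse_time(value):
    """SAML timestamps are UTC ISO 8601 with a trailing Z, optionally with a fraction."""
    value = value.rstrip("Z")
    fmt = "%Y-%m-%dT%H:%M:%S.%f" if "." in value else "%Y-%m-%dT%H:%M:%S"
    return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)


def check_response(rec, response_xml, now_iso):
    """Apply the record to a SAML Response at time now_iso. Returns (name_id, problems).
    Issuer must equal the Identity Provider URL, Audience must equal the Audience URI,
    and the Conditions window is extended by Clock Skew on both sides."""
    assertion = ET.fromstring(response_xml).find("saml:Assertion", NS)
    problems = []
    issuer = assertion.findtext("saml:Issuer", default="", namespaces=NS)
    if issuer != rec["idp_url"]:
        problems.append("issuer %r does not match Identity Provider URL" % issuer)
    audience = assertion.findtext("saml:Conditions/saml:AudienceRestriction/saml:Audience",
                                  default="", namespaces=NS)
    if audience != rec["audience"]:
        problems.append("audience %r does not match Audience URI" % audience)
    cond = assertion.find("saml:Conditions", NS)
    skew = timedelta(seconds=rec["clock_skew"])
    now = parse_time(now_iso)
    if now < parse_time(cond.get("NotBefore")) - skew:
        problems.append("assertion not yet valid (beyond clock skew)")
    if now >= parse_time(cond.get("NotOnOrAfter")) + skew:
        problems.append("assertion expired (beyond clock skew)")
    # The NameID value is what gets matched against sys_user.<User Field>.
    name_id = assertion.findtext("saml:Subject/saml:NameID", default="", namespaces=NS)
    if not name_id:
        problems.append("no NameID to match against User Field " + rec["user_field"])
    return name_id, problems


if __name__ == "__main__":
    print("record problems:", check_record(IDP_RECORD))
    print(check_response(IDP_RECORD, SAML_RESPONSE, "2024-01-01T12:00:00Z"))
```

Run against the constructed values the record check returns no problems and the response check returns the NameID "jane.doe" with no problems; swapping the tenant id in one of the two Azure URLs, or pointing the Audience URI at a different instance, is reported immediately, which is the kind of mismatch that otherwise only shows up as a failed "Test Connection" in step 2.18. A clock 30 seconds ahead of the assertion's NotBefore is still accepted because of the 60 second Clock Skew, while a response presented a minute after NotOnOrAfter plus the skew is rejected.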
2.15 Right click the grey bar at the top and select "Save".
2.16 Scroll to the bottom, locate the related list "X.509 Certificates" and click the "Edit..." button.
2.17 In the slush bucket that appears select the certificate that you created in step 2.6 and move it to the right. Then click "Save".
2.18 Click the "Test Connection" button at the top of the page to test that everything is working. For the test connection you may want to ensure that you are in a private / incognito browser window.
2.19 Examine the test result and click "Activate". Notice that I was using myself as a test person and therefore the test skipped the logout test.
2.20 Go to "Multi-Provider SSO -> Administration -> Properties"
2.21 Mark the checkboxes "Enable multiple provider SSO" and "Enable Autoimporting of users from all identity providers into the user table" to yes. The latter is optional, as you can also create the users manually if you prefer. Click "Save".
3. Automatic redirect
If your instance does not automatically redirect to SSO you may need to manually add or modify the "glide.authenticate.sso.redirect.idp" system property.
3.1 Enter "sys_properties.list" in the main menu to the left and hit "enter".
3.2 Search for "glide.authenticate.sso.redirect.idp". If it does not exist, create a new one by clicking the "New" icon; otherwise open the record.
3.3 Paste in the sys_id of your Identity Provider record, that we copied earlier in step 2.13.
Remember to make the property "Private" to ensure that it is not copied between instances as the sys_id of the IdP record will be different from system to system.
4. Deploy SSO to all users (Azure)
Once you have confirmed that everything works as expected you need to deploy single sign-on to all the users that need to access ServiceNow.
4.1 Go back to your Azure portal and the "Quick start" guide of the enterprise application that you created in step 1.6. Click the link "Deploy single sign-on to users and groups (recommended)".
How you want to add users depends on how you are organizing your directory in Azure AD.
I hope that you find this how-to useful. Let me know if you have any improvement suggestions or comments. Please endorse if this works for you or like if you want to see more like this.
https://www.servicenow.com/community/now-platform-articles/how-to-implement-azure-ad-sso-with-servicenow/ta-p/2305156