ServiceNow (OIDC)
Last reviewed: 5 months ago
This guide covers how to configure ServiceNow ↗ as an OIDC application in Cloudflare Zero Trust.
Prerequisites
- An identity provider configured in Cloudflare Zero Trust
- Admin access to a ServiceNow account
1. Add a SaaS application to Cloudflare Zero Trust
- In Zero Trust ↗, go to Access > Applications.
- Select SaaS.
- For Application, enter
ServiceNow
and select the corresponding textbox that appears. - For the authentication protocol, select OIDC.
- Select Add application.
- In Scopes, select the attributes that you want Access to send in the ID token.
- In Redirect URLs, enter
https://<INSTANCE-NAME>.service-now.com/navpage.do
. - (Optional) Enable Proof of Key Exchange (PKCE) ↗ if the protocol is supported by your IdP. PKCE will be performed on all login attempts.
- Copy the Client secret and Client ID.
- Select Save configuration.
- (Optional) configure App Launcher settings by turning on Enable App in App Launcher and, in App Launcher URL, entering
https://<INSTANCE-NAME>.service-now.com
. - Configure Access policies for the application.
- Select Done.
2. Add the Multiple Provider Single Sign-On Installer Plugin to ServiceNow
- In ServiceNow, select All.
- In the search bar, enter
System Applications
, and under All Available Applications, select All. - In the search bar, enter
Integration - Multiple Provider Single Sign-On Installer
. - Select Install.
- Ensure that Install now is selected, and select Install.
3. Add and Test an OIDC SSO provider in ServiceNow
- Select All.
- In the search bar enter
Multi-Provider SSO
, and select Identity Providers. - Select New > OpenID Connect.
- In the pop-up, fill in the following fields:
- Name: Name of the SSO (for example,
Cloudflare Access
). Unless otherwise configured, users will select this name when signing in to ServiceNow. - Client ID: Client ID from application configuration in Cloudflare Zero Trust.
- Client Secret: Client Secret from application configuration in Cloudflare Zero Trust.
- Well Known Configuration URL:
https://<TEAM-DOMAIN>.cloudflareaccess.com/cdn-cgi/access/sso/oidc/<CLIENT-ID>/.well-known/openid-configuration
.
- Name: Name of the SSO (for example,
- Select Import.
- Ensure Active is turned on
- Turn on Show as Login option, and for SSO label enter a label for the user login screen, if desired.
- Select Update.
4. Test the integration
For SSO to appear on the login screen, you must have account recovery ↗ enabled and configured for at least one admin account. After account recovery is configured, log out of ServiceNow and open an incognito browser window. Go to your ServiceNow URL. Select the SSO name you just configured, which will prompt you to sign in with your identity provider. When the integration is successful, you can go back to the OIDC configuration screen to turn on Default and/or Auto Redirect IDP.