Modern authentication

Below, given are the steps to be followed to configure your ServiceNow instance for Modern Authentication:

  1. Get the 1E Core application

  2. Prerequisite

  3. Configure Microsoft Entra ID/Okta and 1E

  4. Preparing the certificates for ServiceNow

  5. ServiceNow OAuth steps

    • Upload PEM and JKS certificates

    • Configure a JWT signing key

    • Create a JWT provider

For more information on how to configure, refer to 1E Platform provisioning and upgrading guide.

Get the application

To get the latest version of the 1E Core application installed, you can consider either of the below choices:

  1. If you are a new customer, you can get the 1E Core application from ServiceNow app store. To install the application, refer App Installation.

  2. However, if you already have and older version of 1E ITSM Connect application on your ServiceNow instance, then refer Upgrading 1E Core to upgrade your application.

Prerequisite

The following information is required for the preparation of certificates:

  1. .pfx certificate (containing a private key, client authentication and 2048 key)

    • This .pfx certificate is given either by your internal PKI team, sometimes by a third party, or you can generate a self-signed certificate by yourself.

    • To create your own self-signed certificate, use the New-SelfSignedCertificate PowerShell cmdlet. This would create a certificate in the local machine personal certificate store on the device you have run the cmdlet. You can then export this certificate as a .pfx file, which includes the private key, using the CERTLM.MSC utility.

  1. The non-interactive client assertion Application ID from Microsoft Entra ID, as shown in the picture below.

You need the following tools:

  1. OpenSSL

  2. KeyTool

  3. 1E PowerShell toolkit (available on 1E Support Portal)

Configure Microsoft Entra ID and 1E

Create certificate/principal mapping in 1E

  1. Install the certificate with private key locally to the local machine personal certificate store. Ensure that you have the required permissions to access the private key.

  2. Login to your 1E instance using Set-1E Server as shown below.

  1. Get the certificate kid using:

    Get-1ECertificateThumbprint -StoreName localmachine\my | fl *

    The kid value of a certificate is a base 64 encoding of the certificate thumbprint.

  2. Get the AppID of the Microsoft Entra ID:

  1. Now make a note of the AppID and then create a mapping using:

    Add-1EJwtPrincipalMapping -Identifier <Certificate AppID> -Principal <1EUser@domain.com>

    Note that the above proxy user should be a principal with appropriate permissions in 1E.

Upload the public key PEM file in Microsoft Entra ID

  1. Export the certificate that you have imported in the above steps in .CER format.

  2. Login with the administrator principal role.

  3. Navigate to Azure Active Directory → App Registrations → 1E Client Assertion → Certificates and upload the certificate.

Preparing the certificates for ServiceNow

Follow the below given steps to prepare the certificates:

  1. The .pfx certificate has to be converted into .PEM and .JKS file types.

  2. To convert the .pfx certificate, you need to first install OpenSSL and keytool applications on your machine.

  3. After installing the applications, copy the .pfx certificate in the same directory where these applications reside.

  4. Copy the entire content of the bin folder of OpenSSL into the bin folder of Java.

  5. Now open the PowerShell/CMD where the .pfx certificate resides and run the following commands:

    • To generate the .PEM file:

    • Copy 
      openssl pkcs12 -in <filename>.pfx -out <filename>.pem

    • To generate the .JKS file:

    • Copy 
      openssl pkcs12 -export -in <filename>.pem -out <filename>.p12 -name MyCert
      keytool -importkeystore -srckeystore <filename>.p12 -destkeystore <filename>.jks -srcstoretype pkcs12 -deststoretype JKS

  1. Take a note of the JKS keystore password for future use.

  2. Upload both PEM and JKS certificates into certificates table (sys_certificate) in ServiceNow.

 

ServiceNow OAuth steps

Now on your ServiceNow instance, configure the following OAuth steps:

  1. Upload PEM and JKS certificates

  2. Configure a JWT signing key

  3. Configure a JWT provider

Upload PEM and JKS certificates

To upload the certificates, navigate to System DefinitionCertificates and create a new record as shown in the picture below.

To upload the PEM certificate in your ServiceNow instance-

  1. Provide the required details and attach the PEM certificate so that the identity provider can verify communications with the service provider.

  2. Select Type as Trust Store Cert.

  3. Copy the content of the PEM file and paste it into the PEM certificate field.

  4. Now click on the Submit button to save the record.

  5. Click on Validate Stores/Certificates link to validate the certificate.

  6. Take a note of the SysID of the PEM certificate for future use.

To upload the JKS certificate in your ServiceNow instance-

  1. Provide the required details.

  2. Select Type as Java Key Store.

  3. Attach the JKS certificate generated in the above step to enable the JWT client authentication.

  4. Enter the Key store password.

  5. Now click on the Submit button to save the record.

  6. Click on Validate Stores/Certificates link to validate the certificate.

You can see that the certificates are now added to the Certificates table.

Configure a JWT signing key

To configure JWT signing key on your ServiceNow instance, follow the below steps:

  1. Navigate to System OAuthJWT Keys.

  2. Create a new record for JWT Keys.

  3. Provide a descriptive Name.

  4. Select the JKS certificate uploaded earlier using the lookup list into the Signing Keystore field.

  5. Enter the Keystore password saved earlier into the Signing Key field and click on Submit to save the record.

Create a JWT provider

To configure JWT provider on your ServiceNow instance, follow the below steps:

  1. Navigate to System OAuthJWT Providers.

  2. Create a new record for JWT Providers and fill in the claim values as shown in the picture above.

  3. Ensure that you have the required permissions.

  4. Provide a descriptive Name.

  5. Select the JWT Key created earlier using the lookup list into the Signing Configuration field.

  1. Copy the SysID of the JWT Provider's record for future use. This SysID is passed to retrieve JWT Token.

For more information on how to configure, refer to 1E Platform provisioning and upgrading guide.

Get the 1E Core application

To get the latest version of the 1E Core application installed, you can consider either of the below choices:

  1. If you are a new customer, you can get the 1E Core application from ServiceNow app store. To install the application, refer App Installation.

  2. However, if you already have and older version of 1E ITSM Connect application on your ServiceNow instance, then refer Upgrading 1E Core to upgrade your application.

Prerequisite

The following information is required for the preparation of certificates:

  1. .pfx certificate containing a private key

  2. The Client ID from Okta, as shown in the picture below.

You need the following tools:

  1. OpenSSL

  2. KeyTool

  3. 1E PowerShell toolkit (available on 1E Support Portal)

Configure Okta and 1E

Create certificate/principal mapping in 1E

  1. Install the certificate with private key locally to the local machine personal certificate store. Ensure that you have the required permissions to access the private key.

  2. Navigate to 1E PowerShell toolkit and import it to the PowerShell window using:

    PS c:\Users\administrator\Downloads\1.2.3> Import-Module .\ps1etoolkit.psd1 - force

  1. Login to your 1E instance using Set-1E Server as

    PS C:\Users\administrator\Download\1.2.3> Set-1EServer Platformtest.appteam.cloud.1e.com

    You would be redirected to Okta login page and enter your credentials.

  1. Get the certificate kid using:

    Get-1ECertificateThumbprint-StoreName localmachine\my|fl*.

  2. You can find the AppID from the Okta portal as shown below:

  1. Now make a note of the AppID and then create a mapping using:

    Add-1EJwtPrincipalMapping-Identifier <Certificate AppID> -Principal <1EUser@domain.com>

    Note that the above proxy user should be a principal with appropriate permissions in 1E.

Upload the public key PEM file in Okta

  1. Export the certificate that you have imported in the above steps in .CER format.

  2. Login with the administrator principal and upload the certificate in your Okta instance.

Preparing the certificates for ServiceNow

Follow the below given steps to prepare the certificates:

  1. The .pfx certificate has to be converted into .PEM and .JKS file types.

  2. To convert the .pfx certificate, you need to first install OpenSSL and keytool applications on your machine.

  3. After installing the applications, copy the .pfx certificate in the same directory where these applications reside.

  4. Copy the entire content of the bin folder of OpenSSL into the bin folder of Java.

  5. Now open the PowerShell/CMD where the .pfx certificate resides and run the following commands:

    • To generate the .PEM file:

      openssl pkcs12 -in <filename>.pfx -out <filename>.pem

    • To generate the .JKS file:

      openssl pkcs12 -export -in <filename>.pem -out <filename>.p12 -name MyCert

      keytool -importkeystore -srckeystore <filename>.p12 -destkeystore <filename>.jks -srcstoretype pkcs12 -deststoretype JKS

  1. Take a note of the JKS keystore password for future use.

  2. Upload both PEM and JKS certificates into certificates table (sys_certificate) in ServiceNow.

ServiceNow OAuth steps

Now on your ServiceNow instance, configure the following OAuth steps:

  1. Upload PEM and JKS certificates

  2. Configure a JWT signing key

  3. Configure a JWT provider

Upload PEM and JKS certificates

To upload the certificates, navigate to System DefinitionCertificates and create a new record as shown in the picture below.

To upload the PEM certificate in your ServiceNow instance-

  1. Provide the required details and attach the PEM certificate so that the identity provider can verify communications with the service provider.

  2. Select Type as Trust Store Cert.

  3. Copy the content of the PEM file and paste it into the PEM certificate field.

  4. Now click on the Submit button to save the record.

  5. Click on Validate Stores/Certificates link to validate the certificate.

  6. Take a note of the SysID of the PEM certificate for future use.

To upload the JKS certificate in your ServiceNow instance-

  1. Provide the required details.

  2. Select Type as Java Key Store.

  3. Attach the JKS certificate generated in the above step to enable the JWT client authentication.

  4. Enter the Key store password.

  5. Now click on the Submit button to save the record.

  6. Click on Validate Stores/Certificates link to validate the certificate.

You can see that the certificates are now added to the Certificates table.

Configure a JWT signing key

To configure JWT signing key on your ServiceNow instance, follow the below steps:

  1. Navigate to System OAuthJWT Keys.

  2. Create a new record for JWT Keys.

  3. Provide a descriptive Name.

  4. Select the JKS certificate uploaded earlier using the lookup list into the Signing Keystore field.

  5. Enter the Keystore password saved earlier into the Signing Key field and click on Submit to save the record.

Create a JWT provider

To configure JWT provider on your ServiceNow instance, follow the below steps:

  1. Navigate to System OAuthJWT Providers.

  2. Create a new record for JWT Providers and fill in the claim values as shown in the picture above.

  3. Ensure that you have the required permissions.

  4. Provide a descriptive Name.

  5. Select the JWT Key created earlier using the lookup list into the Signing Configuration field.

  1. Copy the SysID of the JWT Provider's record for future use. This SysID is passed to retrieve JWT Token.

Flow of access token in Modern Authentication

ServiceNow supports client assertion grant flow. This requires presenting the JWT (JSON Web Token) to the authentication endpoint, retrieve back the token, and provide this token along with outgoing API calls. This token has a limited lifespan and requires renewal. The below diagram guides you about how to access the token flows when modern authentication is enabled in 1E Core.

  1. The 1E ServiceNow application initiates a request to retrieve the access token from 1E Core.

  2. If the token is either invalid or absent, then a new request is sent to the IdP (Microsoft Entra ID or Okta) to issue a new token. Otherwise, an API call including the access token is made to the 1E database.

  3. The new access token is provided by the IdP to 1E Core.

  4. This token is now passed onto the requested 1E ServiceNow application.

  5. The token is stored in the application for future API calls.

  6. The application raises a request along with the token to 1E Core.

  7. 1E Core makes an API call to the 1E database along with this token.

  8. 1E provides access to the protected resource in 1E Core.

  9. 1E Core processes the response received from 1E and passes onto the application.

  10. The response is stored in the 1E ServiceNow application tables.