OpenID

The OpenID integration enables single sign-on by exchanging URL parameters with an external OpenID Provider (OP).

Note: Functionality described here requires the Integration - OpenID SSO plugin.

The OP authenticates the user and passes an OpenID parameter to ServiceNow containing some portion of the user's credentials (typically the user name or email address). After verifying the identity of the OP, ServiceNow searches for a user with matching credentials and, if it finds one, logs that user in.

The ServiceNow OpenID integration uses a stateless process (as described in the OpenID introduction at openid.net) that requires posting back to the IdP for signature verification.

Figure 1. OpenID sequence (diagram not reproduced; the numbered steps below describe it)
  1. The user requests a resource from ServiceNow without first authenticating with the OpenID Provider (the request does not contain any OpenID URL parameters).
  2. ServiceNow redirects the request to the OP with URL parameters requesting authorization, including the post-back URL on ServiceNow that the OP returns to after it validates the authentication.
  3. The OP challenges the user to provide credentials.
  4. The user enters his/her OpenID credentials and authenticates successfully.
  5. The OP posts the request, including the required OpenID URL parameters, back to ServiceNow.
  6. ServiceNow validates the request.
    1. Verifies the "return_to" parameter matches the instance's URL.
    2. Inspects the "response_nonce" parameter and ensures that it is within the time frame allowed.
    3. Posts back to the signature verification service at the OpenID provider, ensuring that the signed parameters are valid.
  7. ServiceNow logs in the user specified by the "user_key" parameter, and responds to the user with the session cookies.
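The three checks in step 6 are what stand between an OpenID assertion and a logged-in session, so it is worth seeing them as code. The following is an added example of a relying party's stateless (check_authentication) verification, written for this page; it is not the ServiceNow plugin's implementation. The parameter names follow the OpenID 2.0 protocol, while the instance URL, OP endpoint, nonce age limit, sample assertion and the stand-in verification service are all constructed assumptions. It also checks that the assertion names the configured OP endpoint before posting back to it, which is how "verifying the identity of the OP" is realised here.

```python
# Added example (not the ServiceNow plugin's code): the relying-party checks in step 6
# for an OpenID 2.0 positive assertion verified in stateless mode.
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, urlencode, urlsplit

NONCE_MAX_AGE = timedelta(minutes=5)    # assumption: how old a response_nonce may be
REQUIRED_SIGNED = {"op_endpoint", "return_to", "response_nonce", "assoc_handle"}


def _same_endpoint(url_a, url_b):
    """Compare scheme, host and path; return_to may carry extra query parameters."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.netloc, a.path.rstrip("/")) == (b.scheme, b.netloc, b.path.rstrip("/"))


def _nonce_issued_at(nonce):
    """An OpenID 2.0 response_nonce starts with a UTC timestamp 'YYYY-MM-DDThh:mm:ssZ'."""
    return datetime.strptime(nonce[:20], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _parse_kv_form(body):
    """The OP answers check_authentication with 'key:value' lines."""
    return dict(line.split(":", 1) for line in body.splitlines() if ":" in line)


def validate_assertion(params, instance_url, op_endpoint, now, seen_nonces, post_back):
    """Return the asserted identity or raise ValueError.

    params       - openid.* parameters the OP redirected back with (step 5)
    instance_url - this instance's return URL (step 6.1)
    op_endpoint  - the configured OP endpoint; the only place we post back to (step 6.3)
    seen_nonces  - set of nonces already accepted, for replay protection (step 6.2)
    post_back    - callable(url, form_body) -> response body
    """
    if params.get("openid.mode") != "id_res":
        raise ValueError("not a positive assertion")
    if params.get("openid.op_endpoint") != op_endpoint:
        raise ValueError("assertion names an unexpected OP endpoint")
    if not _same_endpoint(params.get("openid.return_to", ""), instance_url):   # 6.1
        raise ValueError("return_to does not match instance URL")
    nonce = params.get("openid.response_nonce", "")                            # 6.2
    try:
        issued = _nonce_issued_at(nonce)
    except ValueError:
        raise ValueError("malformed response_nonce") from None
    if abs(now - issued) > NONCE_MAX_AGE:
        raise ValueError("response_nonce outside allowed time frame")
    if nonce in seen_nonces:
        raise ValueError("response_nonce already used (replay)")
    signed = set(params.get("openid.signed", "").split(","))
    if "openid.sig" not in params or not REQUIRED_SIGNED <= signed:
        raise ValueError("required fields are not covered by the signature")
    if "openid.identity" in params and "identity" not in signed:
        raise ValueError("identity is not covered by the signature")
    form = dict(params, **{"openid.mode": "check_authentication"})              # 6.3
    reply = _parse_kv_form(post_back(op_endpoint, urlencode(form)))
    if reply.get("is_valid") != "true":
        raise ValueError("OP did not confirm the signature")
    seen_nonces.add(nonce)          # record only after every check passed
    return params.get("openid.identity")


# Constructed sample values; none are real endpoints, handles or signatures.
OP_ENDPOINT = "https://op.example.net/server"
INSTANCE_URL = "https://instance.example.com/openid_login.do"
SAMPLE_NOW = datetime(2024, 1, 15, 12, 0, 30, tzinfo=timezone.utc)
STALE_NOW = SAMPLE_NOW + timedelta(minutes=10)
SAMPLE_PARAMS = {
    "openid.ns": "http://specs.openid.net/auth/2.0",
    "openid.mode": "id_res",
    "openid.op_endpoint": OP_ENDPOINT,
    "openid.claimed_id": "https://op.example.net/id/alice",
    "openid.identity": "https://op.example.net/id/alice",
    "openid.return_to": INSTANCE_URL + "?state=xyz",
    "openid.response_nonce": "2024-01-15T12:00:00ZabcXYZ",
    "openid.assoc_handle": "{HMAC-SHA256}{sample}",
    "openid.signed": "op_endpoint,return_to,response_nonce,assoc_handle,claimed_id,identity",
    "openid.sig": "c2FtcGxlLXNpZ25hdHVyZQ==",
}


def fake_op_verifier(url, form_body):
    """Stand-in for the OP's verification service: only the sample signature is 'valid'."""
    sent = dict(parse_qsl(form_body))
    ok = (sent.get("openid.mode") == "check_authentication"
          and sent.get("openid.sig") == SAMPLE_PARAMS["openid.sig"])
    return "ns:http://specs.openid.net/auth/2.0\nis_valid:%s\n" % ("true" if ok else "false")


def outcome(params, now=SAMPLE_NOW, seen_nonces=None):
    """Run the checks and return ('ok', identity) or ('rejected', reason)."""
    seen = set() if seen_nonces is None else seen_nonces
    try:
        return ("ok", validate_assertion(params, INSTANCE_URL, OP_ENDPOINT, now, seen, fake_op_verifier))
    except ValueError as err:
        return ("rejected", str(err))


if __name__ == "__main__":
    seen = set()
    print(outcome(SAMPLE_PARAMS, seen_nonces=seen))   # accepted
    print(outcome(SAMPLE_PARAMS, seen_nonces=seen))   # same nonce again: rejected as a replay
    print(outcome(dict(SAMPLE_PARAMS, **{"openid.return_to": "https://other.example/openid_login.do"})))
    print(outcome(SAMPLE_PARAMS, now=STALE_NOW))      # nonce older than the allowed window
```

Two design points matter in practice: the nonce is recorded only after the OP has confirmed the signature, so a failed verification does not consume it, and the post-back goes to the configured endpoint rather than to whatever `openid.op_endpoint` the assertion carries, so a forged assertion cannot steer the verification request to a server of the sender's choosing.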