WS-Security

Validate signed web services requests with WS-security.

ServiceNow supports WS-Security 1.1 to validate signed web services requests. Enable WS-Security to:
  • Verify SOAP messages originate from a known sender
  • Verify SOAP messages have not been altered in transit
Note: ServiceNow does not use WS-Security as an encryption mechanism. ServiceNow relies on the HTTPS protocol to encrypt all communications.

WS-Security is intended to work in conjunction with basic authentication. When ServiceNow receives a SOAP message, it reviews the basic authentication header to determine if the SOAP user has rights to the instance. It reviews the WS-Security header to determine the validity of the incoming message. Requests affected by attacks such as a man-in-the-middle attack have an invalid WS-Security header and are blocked.