Create a new WS-Security profile
- UpdatedJan 30, 2025
- 3 minutes to read
- Yokohama
- API implementation
Create a new WS Security profile to define how to authenticate a web services message when WS-Security is enabled.
Before you begin
Role required: web_service_admin or admin
Procedure
- Navigate to All > System Web Services > WS Security Profiles.
- Click New.
-
Fill in the WS-Security Profile form (see table).
Table 1. WS-Security Profile form fields Field Description Name Enter a unique name for the security profile. Type Select X509 to verify the request's certificate. Select Username to verify the request's user credentials. Run as user Select the ServiceNow user the instance will impersonate if authentication succeeds and the Bind Session field is selected. All web services requests will be attributed to this user. For example, if you select the System Administrator user then the instance treats all web services operations as being done by the system administrator. Make sure the user you select has appropriate SOAP privileges if you are using the glide.soap.strict_security
high security setting. This field is only visible when the type is X509.Order Enter the order in which the instance checks security profiles. The instance checks all security profiles when processing an incoming SOAP request. If a request fails any security profile authentication requirement, the instance stops processing additional security profiles and fails the request. Bind Session Select this check box to have the instance impersonate the user listed in the Run as user field. You should only set this field for one profile at a time. If multiple profiles have this field selected, ServiceNow impersonates the user from the last successfully authenticated WS-Security profile. If no profile has this field selected, ServiceNow impersonates the user provided with the basic authentication headers or impersonates the default user (Guest). X509 Certificate Select the certificate record containing the certificate for web service requests. ServiceNow only validates the request signature. It automatically trusts the certificate's certificate authority (CA). This field is only visible when the type is X509. Profile action Select how you want the instance to authenticate the user credentials. Select Authenticate with user if you want the instance to authenticate the request based on an existing user record. The request's credentials must match values in an existing user record. Select Specify user to authenticate if you want to list a user name and password combination that all web services requests must meet. The request's credentials must match the user name and password you list. This field is only visible when the type is Username. User field to match UserName Select the column from the User [sys_user] table containing the value you want match against the request's UserName. For example, if you select Email then the request UserName header must contain an email address matching an existing ServiceNow user. This field is only visible when the profile action is Authenticate with user. User name Enter the user name that all web services requests must contain. This field is only visible when the profile action is Username. User password Enter the password that all web services requests must contain. This field is only visible when the profile action is Username - Click Submit.