You can integrate your ServiceNow instance with Okta to view software usage for all connected SSO applications.

Important: Minimize security risks and protect information by granting only the necessary user or API permissions.

Create an Okta application

Create an Okta application that you can integrate with the Now Platform.

Before you begin

Okta Role required: Refer to the Minimal user permissions table.

For more details on Okta admin roles, see Administrator roles and permissions. For more details on Okta OAuth scopes, see Scopes and supported endpoints.

Procedure

  1. From a web browser, log in to the Okta administrator console.
  2. Create an Okta application with OAuth 2.0 functionality.

    See Create an OAuth 2.0 app for Okta for detailed instructions.

    Keep the following points in mind when you’re creating your Okta application:
    • In the Login redirect URI and Logout redirect URI fields, enter https://<instance-name>.service-now.com/oauth_redirect.do, where <instance-name> is the name of your ServiceNow instance.
    • Copy the values in the Client ID and Client Secret fields. Save them in a secure location for later use.
    • Grant the following scopes to your Okta OAuth 2.0 application:
      • okta.groups.read
      • okta.apps.read
      • okta.users.read
      • okta.logs.read
      • okta.apps.manage
    • Select the Refresh Token check box under the Client acting on behalf of a user Grant type on the Okta portal.
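
A check of the settings listed above against an exported app configuration, as an added example (not ServiceNow or Okta code). It assumes the app object and its scope grants are JSON shaped like Okta's Apps API responses (`settings.oauthClient` fields, `scopeId`); `audit_okta_app` is a hypothetical helper and the sample data is constructed.

```python
import re

# Scopes the page says to grant; anything beyond these is excess privilege.
REQUIRED_SCOPES = {
    "okta.groups.read", "okta.apps.read", "okta.users.read",
    "okta.logs.read", "okta.apps.manage",
}
# Redirect URI format from the page; the instance-name character set is an assumption.
REDIRECT_RE = re.compile(r"https://[a-z0-9][a-z0-9-]*\.service-now\.com/oauth_redirect\.do")


def audit_okta_app(app, grants):
    """Return a sorted list of findings; an empty list means the app matches the page."""
    findings = []
    granted = {g["scopeId"] for g in grants if g.get("status", "ACTIVE") == "ACTIVE"}
    for scope in REQUIRED_SCOPES - granted:
        findings.append(f"missing scope: {scope}")
    for scope in granted - REQUIRED_SCOPES:
        findings.append(f"excess scope: {scope}")
    client = app.get("settings", {}).get("oauthClient", {})
    for field in ("redirect_uris", "post_logout_redirect_uris"):
        uris = client.get(field, [])
        if not uris:
            findings.append(f"{field}: none configured")
        for uri in uris:
            # fullmatch rejects plain http and hosts that merely contain service-now.com
            if not REDIRECT_RE.fullmatch(uri):
                findings.append(f"{field}: unexpected URI {uri}")
    if "refresh_token" not in client.get("grant_types", []):
        findings.append("grant type refresh_token not enabled")
    return sorted(findings)


# Constructed sample data (not real tenant output).
SAMPLE_APP = {"settings": {"oauthClient": {
    "redirect_uris": ["https://example-instance.service-now.com/oauth_redirect.do"],
    "post_logout_redirect_uris": ["http://example-instance.service-now.com/oauth_redirect.do"],
    "grant_types": ["authorization_code"],
}}}
SAMPLE_GRANTS = [{"scopeId": s, "status": "ACTIVE"} for s in (
    "okta.groups.read", "okta.apps.read", "okta.users.read",
    "okta.logs.read", "okta.users.manage",
)]

if __name__ == "__main__":
    for finding in audit_okta_app(SAMPLE_APP, SAMPLE_GRANTS):
        print(finding)
```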

Create an Okta integration profile

Create an Okta integration profile in your ServiceNow instance.

Before you begin

To create an Okta integration profile, request the Software Asset Management - SaaS License Management plugin (sn_sam_saas_int) from the ServiceNow Store.

ServiceNow Role required: sam_integrator or admin

About this task

Note: Starting with version 7.0.0 of Software Asset Management - SaaS License Management and version 4.1.2 of the Okta spoke, your ServiceNow instance creates a separate Okta connection for each Okta integration profile that you create. Each connection runs independently of the others, which enables your instance to support multiple independent Okta integration profiles.

If you’re using Software Asset Workspace, the option to create the Okta integration profile in Core UI is inactive.

Procedure

  1. Navigate to the integration profile.
    Interface Action
    Core UI
    1. Navigate to All > Software Asset > SaaS License > SSO Integration Profiles.
    2. Select New.
    3. Select Okta Integration Profile.
    Software Asset Workspace
    1. Navigate to License operations > User Subscriptions > SSO integration profiles.
    2. Select New.
    3. Select Okta from the drop-down list.
    4. Select Continue.
  2. On the form, fill in the fields.
    Table 2. SSO Integration Profile form
    Field Description
    Display name Name of the integration profile. For example, Okta Integration.
    Status Status of the integration profile.
    • If you haven’t published the integration profile, this field is automatically set to Draft.
    • If you’ve already published the integration profile, this field is automatically set to Published.
    Profile Type Type of integration profile. This field is automatically set to Okta.
  3. Select Submit.
  4. Open the Create Connection and Credential dialog box.
    Interface Action
    Core UI Select the Create New Connection & Credential related link on the SSO integration profile form.
    Software Asset Workspace
    1. Select the preview icon next to the Connection & Credential field.
    2. Select Open Record in the record preview.
    3. On the Connection & Credential Aliases form, select the Create New Connection & Credential related link.
  5. In the dialog box, fill in the fields.
  6. Select Create and Get OAuth Token.
    Note: For the role required to perform this step, refer to the Minimal user permissions table.
  7. In the Okta portal login dialog box, enter your Okta credentials and then select Sign In.
    Note: You must sign in with the credentials of a user that has the Super Admin, Application administrator, or API Access Management Administrator role.
    The dialog box closes and you automatically return to the SSO Integration Profile form.
  8. Select Publish.

Result

After you create the integration profile, both scheduled jobs and directory jobs download a list of all applications, users, and groups that are associated with your Okta application. View the status of your jobs in the Scheduled Jobs Results and Directory Job Results tabs of your integration profile. Software Asset Management automatically creates software models for applications with an external catalog ID that matches an Identifier in the Subscription Product Definitions [samp_sw_subscription_product-definition] table.

Warning:

When your OAuth token expires, your Okta integration profile displays an error message indicating that you must get a new OAuth token. Click the link in the error message to get the new OAuth token.

Don’t delete the OAuth 2.0 credential record that is associated with the connection record for your Okta integration profile. If you delete the OAuth 2.0 credential record, you won’t be able to get a new OAuth token after your current OAuth token expires.

After you publish the integration profile and connect applications to the profile, you can view events performed by individual users up to 60 days prior to the current date. For more information, see Review a software reclamation rule.

Connect SSO applications

Connect an SSO application to monitor all the users and groups who have access to that application. You can also track user login data and reclaim unused licenses.

Before you begin

ServiceNow Role required: sam_integrator or admin

About this task

ServiceNow® SaaS License Management offers direct integrations with some applications. Direct integrations provide the most comprehensive usage data. For a list of available direct integrations, see Integrate with SaaS applications.

If you have already created a direct integration for an application, then connecting the same application in an SSO integration creates duplicate subscription records in your ServiceNow instance. You should only use the direct integration. If you connect an application in an SSO integration, but you later want to create a direct integration for that application, then disconnect the application before creating the direct integration.

Procedure

  1. Navigate to All > SaaS License > SSO Applications.
  2. Click the application that you want to connect.
  3. If the Software model field is empty, add a software model for the application.
    Before you can connect an application, it must be associated with a software model. ServiceNow® Software Asset Management automatically creates software models for applications with an external catalog ID that matches an Identifier in the Subscription Product Definitions [samp_sw_subscription_product-definition] table. For all other applications, you can create a software model manually. For detailed instructions, see Create software models in Software Asset Management classic.
  4. In the Analyze last activity from field, select the date from which you want to analyze last activity.

    You can start analyzing login data for individual users and applications from the current date or from up to 60 days prior. The default value is 30 days. If you select a date prior to the current date, it may take longer for results to appear due to the amount of data that you want to analyze.

    After you submit a value in the Analyze last activity from field, the field becomes read-only.

  5. Click Connect.
    Tip: To connect multiple applications simultaneously, select the check box for each application that you want to connect in the SSO Applications list. Select the Actions on selected rows menu and then click Connect. If any applications are not associated with a software model, the name of the Connect menu item is updated to indicate that only some of the applications will be connected. For example, a Connect (1 of 4) menu item indicates that only 1 of the 4 apps that you selected will be connected. Add software models to the remaining applications to proceed with the connections.

What to do next

After the SSO application connects, your ServiceNow instance automatically creates users, groups, subscriptions, and reclamation rules that are refreshed daily. If you delete a user, application, group, or group membership from the Okta Developer Console, the changes are reflected on your ServiceNow instance.

Review all automatically generated reclamation rules to ensure that they meet your specifications for reclaiming user subscriptions. For more information, see Review a software reclamation rule.

Create software entitlements for the automatically generated software models to track used software against owned software. For more information on creating software entitlements in the Software Asset Management classic application, see Create entitlements in Software Asset Management classic. For more information on creating software entitlements in the Software Asset Workspace, see Create entitlements in workspace. For more information on creating software entitlements using the Software Asset Management Playbook, see Create entitlements using the guided walk-through.

Reconciliation also runs on your subscriptions as a scheduled job or on-demand. You can view your reconciliation results in the License Workbench (Software Asset Management classic application) or the License usage view (Software Asset Workspace). Use these results to determine your license compliance position and to remediate any non-compliance. For more information on running reconciliation in the Software Asset Management classic application, see Run software reconciliation. For more information on running reconciliation in the Software Asset Workspace, see Run software reconciliation in the workspace.