Create an OpenID Connect (OIDC) configuration for Single Sign-On (SSO)
- Updated Feb 1, 2024
- 5 minutes to read
- Washington DC
- Platform Security
Create or update an OpenID Connect (OIDC) configuration by using the Multi-Provider SSO plugin.
Before you begin
- Register an OIDC application with your Identity Provider (IdP) and note the Client ID, Client Secret, and Well-known configuration URL.
- Activate the Multi-Provider SSO plugin.
- Configure the Multi-Provider SSO properties.
- Activate the Approval with e-Signature plugin to enable eSignature for the OIDC IdP.
- Role required: admin
If you have the client ID, client secret, and well-known configuration URL of the identity provider, you can directly import the OIDC configuration for SSO.
If you do not have this information about the identity provider, you can configure OIDC for SSO manually. After completing the configuration, users can log in to ServiceNow applications using third-party identity providers such as Google or Okta.
Procedure
- Navigate to All > Multi-Provider SSO > Identity Providers.
- Choose one of the following options.
  - To update an existing configuration, click an OIDC Identity Provider record.
  - To create a new configuration, click New and select OpenID Connect.
- For a new configuration, enter the OIDC configuration information using one of the following methods.

  | Option | Description |
  |---|---|
  | Import OpenID Connect Well-Known Configuration | If you have the well-known configuration URL along with your associated client credentials, you can directly import an OIDC configuration. Note: If you import the OIDC well-known configuration, all related fields are auto-populated. |
  | Manually configure the OIDC Identity Provider form | If you do not have an existing OAuth OIDC Entity, close the Import OpenID Connect Well-Known Configuration pop-up and manually fill in the fields in the OIDC Identity Provider form. |

  Table 1. Import OpenID Connect Well-Known Configuration fields

  | Property | Description |
  |---|---|
  | Name | Unique name for the OIDC identity provider configuration. |
  | Client ID | Client ID of the application registered in the third-party OIDC identity provider. |
  | Client Secret | Client secret of the application registered in the third-party OIDC identity provider. |
  | Well-known Configuration URL | URL that contains metadata about the third-party OIDC identity provider. |

  All required fields must be filled in on the OIDC Identity Provider form.

  Before you manually fill in the OIDC Identity Provider form, ensure that you already have an OAuth Entity Profile for the OIDC IdP. If you do not have an OAuth Entity Profile, you can create one using the default External OIDC Provider templates, such as Okta, Azure, and others. The grant type of the OAuth Entity Profile must be Authorization Code. For more information, see Configure an OAuth OIDC provider on the Now Platform.

  Note: Templates for the third-party identity providers Auth0, Azure AD, Google, and Okta are available in the demo data of the Multiple Provider Single Sign-On Installer plugin.

  Table 2. OIDC Identity Provider fields

  | Property | Description |
  |---|---|
  | Name | Name of the OIDC identity provider record. |
  | Active | Option to make the OIDC IdP configuration active. Note: This option can only be set to active after a successful test connection. |
  | Default | Option to set the OIDC IdP configuration as the default when there is more than one OIDC configuration. |
  | Auto Redirect IdP | Option to enable automatic redirection of users to the login page of the identity provider. This field appears when the Set as Auto Redirect IdP option is set under the Related Links section. Note: If you make a new Auto Redirect IdP configuration active, the glide_sso_id cookie automatically updates with the new Auto Redirect IdP. The glide.authenticate.sso.update.idp.cookie system property controls this feature. |
  | OIDC Entity Profile | OAuth Entity Profile for the OIDC configuration. |
  | ServiceNow Homepage | The URL of the login page used for authentication. This field is automatically set to your instance URL, in the format https://yourinstance.service-now.com/navpage.do |
  | External logout redirect | The URL to which the integration redirects users after they log out; typically the portal that is used for SSO. This field is automatically set to external_logout_complete.do, for example https://yourinstance.service-now.com/external_logout_complete.do |
  | Show as login option | Option to display the OIDC IdP as a login option on the login page. The login option appears as the Login with Identity provider button. |
  | SSO label | Label of the OIDC IdP displayed on the login page. This field appears only when Show as login option is enabled. |
  | Logo URL | Publicly available URL of the logo of the OIDC IdP. This field appears only when Show as login option is enabled. |

- (Optional) Enable automatic user provisioning on the User Provisioning tab.

  You can choose to enable automatic user provisioning during user login. When automatic user provisioning is enabled, a user record is created automatically in the ServiceNow instance if that user record does not exist.

  Table 3. User Provisioning fields

  | Property | Description |
  |---|---|
  | Automatically provision users | Option to enable automatic user provisioning. This property creates a user in the instance User (sys_user) table when the user exists in the IdP but does not exist in the User table. |
  | Provision using | Data source used to transform an ID Token, the User Info endpoint, or Both ID Token and User Info into a ServiceNow user. Use the Lookup list to select the pre-defined data source template, then open the record to configure the Transforms table mapping. |
  | Provision data source | ID token data source used for user provisioning. |
  | User Info Datasource | The user info endpoint data source used for user provisioning. This field is displayed when User Info or Both ID Token and User Info is selected in the Provision using field. |
  | Update User on next login | Option to enable user update during the next login. |
  | Update User Interval Time (Seconds) | Minimum time interval in seconds between subsequent logins before a user record is updated again. This field is automatically set to 3,600 seconds. For example, after a user logs in, the user record is not updated again until at least 3,600 seconds have passed and the user logs in again. This field is available only when the Update User on next login field is enabled. |
  | User roles applied to provisioned users | List of roles applied to newly provisioned users. |

- OIDC Entity tab: You can view and modify the OIDC client configuration and the OIDC connect flow using the entity record.
- OIDC Provider Configuration tab: You can view and modify the well-known configuration URL of the OIDC IdP and the ID token claim validation settings.

- (Optional) Advanced tab: Scripts that run during single sign-on and logout.

  Table 4. Advanced fields

  | Property | Description |
  |---|---|
  | Single Sign-On Script | Script that executes during Single Sign-On. This field is automatically set to MultiSSO_OIDC_custom. |
  | Logout Script | Script that executes after the user logs out. This field is automatically set to MultiSSO_OIDC_logout_custom. |

- (Optional) On the eSignature Approval tab, configure the eSignature for the OIDC IdP.

  Note: The eSignature Approval tab appears only when you install the Approval with e-Signature plugin (com.glide.e_signature_approvals).

  Table 5. eSignature Approval fields

  | Property | Description |
  |---|---|
  | Assertion Consumer URL for eSignature authentication | If you employ a customized method of handling the OIDC authentication for eSignature, you can set up your own consumer URL. For example, if you are using Multi-Provider SSO, you do not need to use this property. The format of the URL is https://yourinstance.service-now.com/consumer.do |
  | Authentication pop-up Dialog Width | Width of the authentication pop-up dialog. This field is automatically set to 800. |
  | Authentication pop-up Dialog Height | Height of the authentication pop-up dialog. This field is automatically set to 900. |

- (Optional) Navigate to the login page of the instance to verify that the IdP appears as a login option.

  The URL should be in the following format: https://yourinstance/login_with_sso.do?glide_sso_id=sysId_IdP

  Note: If you have enabled Selected as login Option, you can go to the login URL of the instance.
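The import step above relies on the IdP's well-known configuration document, and the OIDC Provider Configuration tab exposes ID token claim validation. The following Node.js example, added here and not part of ServiceNow's Multi-Provider SSO code, shows what a relying party checks at both points: it parses a constructed discovery document (issuer matches the URL it was fetched from, the authorization code flow is offered, the endpoints that an import would auto-populate are present) and then validates the iss, aud, exp, iat, nonce and sub claims of an ID token against that issuer and a client ID. The hostname idp.example.com, the client ID and the token contents are constructed placeholders; signature verification against jwks_uri is a separate step that the example deliberately leaves out.

```javascript
// Added example (not ServiceNow code): parse an OIDC well-known configuration
// document and validate ID token claims the way an OIDC relying party must.
// Runs on Node.js 16+ with no external packages.

// Constructed sample of what an IdP would serve at
// https://idp.example.com/.well-known/openid-configuration (placeholder host).
const SAMPLE_DISCOVERY = JSON.stringify({
  issuer: 'https://idp.example.com',
  authorization_endpoint: 'https://idp.example.com/oauth2/authorize',
  token_endpoint: 'https://idp.example.com/oauth2/token',
  userinfo_endpoint: 'https://idp.example.com/oauth2/userinfo',
  jwks_uri: 'https://idp.example.com/oauth2/keys',
  response_types_supported: ['code', 'id_token'],
  grant_types_supported: ['authorization_code', 'refresh_token'],
  id_token_signing_alg_values_supported: ['RS256'],
});

// Metadata a relying party cannot work without (OpenID Connect Discovery 1.0, section 3).
const REQUIRED_METADATA = ['issuer', 'authorization_endpoint', 'token_endpoint', 'jwks_uri'];

// Parse the discovery document and return the values an import would auto-populate.
// Throws on anything a relying party must not accept.
function parseDiscovery(json, wellKnownUrl) {
  const doc = JSON.parse(json);
  for (const key of REQUIRED_METADATA) {
    if (typeof doc[key] !== 'string' || doc[key] === '') {
      throw new Error('discovery document missing ' + key);
    }
  }
  // The issuer must use https and must match the location the document was
  // fetched from (Discovery 1.0, section 4.3); otherwise a document served from
  // one host could claim to speak for another issuer.
  if (!doc.issuer.startsWith('https://')) throw new Error('issuer is not https');
  const expected = doc.issuer.replace(/\/$/, '') + '/.well-known/openid-configuration';
  if (wellKnownUrl !== expected) throw new Error('issuer does not match well-known URL');
  // The OAuth entity profile for this IdP must use the authorization code grant.
  if (!(doc.response_types_supported || []).includes('code')) {
    throw new Error('IdP does not support the authorization code flow');
  }
  return {
    issuer: doc.issuer,
    authorizationEndpoint: doc.authorization_endpoint,
    tokenEndpoint: doc.token_endpoint,
    userinfoEndpoint: doc.userinfo_endpoint || null,
    jwksUri: doc.jwks_uri,
    signingAlgs: doc.id_token_signing_alg_values_supported || [],
  };
}

// Decode only the JWT payload. Signature verification against jwks_uri must
// happen before any of these claims are trusted; it is out of scope here.
function decodeJwtPayload(idToken) {
  const parts = idToken.split('.');
  if (parts.length !== 3) throw new Error('malformed JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// Validate ID token claims per OpenID Connect Core 1.0, section 3.1.3.7.
// Returns the claims on success; throws with the failing check otherwise.
function validateIdTokenClaims(idToken, discovery, clientId, expectedNonce, nowSeconds, clockSkewSeconds = 60) {
  const claims = decodeJwtPayload(idToken);
  if (claims.iss !== discovery.issuer) throw new Error('iss mismatch');
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(clientId)) throw new Error('aud does not contain client_id');
  if (aud.length > 1 && claims.azp !== clientId) throw new Error('azp required for multiple audiences');
  if (typeof claims.exp !== 'number' || nowSeconds > claims.exp + clockSkewSeconds) throw new Error('token expired');
  if (typeof claims.iat !== 'number' || claims.iat > nowSeconds + clockSkewSeconds) throw new Error('iat is in the future');
  if (expectedNonce !== undefined && claims.nonce !== expectedNonce) throw new Error('nonce mismatch');
  if (typeof claims.sub !== 'string' || claims.sub === '') throw new Error('missing sub');
  return claims;
}

// Build a sample token with a placeholder signature for the demo (constructed, not issued by any IdP).
function makeSampleIdToken(payload) {
  const b64 = (o) => Buffer.from(JSON.stringify(o)).toString('base64url');
  return b64({ alg: 'RS256', typ: 'JWT' }) + '.' + b64(payload) + '.signature-placeholder';
}

// Usage: import the metadata, then validate a token issued for this client.
const discovery = parseDiscovery(SAMPLE_DISCOVERY, 'https://idp.example.com/.well-known/openid-configuration');
const now = 1700000000;
const token = makeSampleIdToken({
  iss: 'https://idp.example.com', aud: 'client-id-placeholder', sub: 'user-123',
  exp: now + 300, iat: now, nonce: 'n-1',
});
console.log('token endpoint:', discovery.tokenEndpoint);
console.log('validated subject:', validateIdTokenClaims(token, discovery, 'client-id-placeholder', 'n-1', now).sub);
```

The issuer-to-URL comparison is the check that makes a well-known import safe to trust: a discovery document that passes it can only describe endpoints for the issuer it was fetched from. The nonce check binds the ID token to the login request that started the flow, which is why the value is generated per request and compared here rather than stored in the IdP configuration.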