ServiceNow OAuth Support

FlexDeploy (since 5.6.0.6) supports OAuth authentication for ServiceNow. Follow the steps below to configure OAuth for ServiceNow. This integration requires a ServiceNow instance on the Rome release or higher.

The following OAuth methods are currently supported:

  • Resource Owner

  • JWT User Assertion

Resource Owner

Application Registry

  • Navigate to System OAuth > Application Registry. Click New.

  • Select the highlighted option “Create an OAuth API endpoint for external clients”.

  • Client ID and Client Secret will be auto-generated.

  • The default Refresh Token Lifespan can be modified if needed. FlexDeploy pre-fills the same default in its instance configuration screen.

FlexDeploy ServiceNow configuration

Lastly, create or update the Change Management instance in FlexDeploy, specifying your client application information as well as the certificate information.

  • ServiceNow Auth: OAuthResourceOwner

  • Client Id

  • Client Secret

  • ServiceNow Refresh Token Lifespan: the default is 8640000; if you configured a different value in the Application Registry, use that value.

JWT User Assertion

JWT User Assertion requires an SSL certificate to be uploaded to ServiceNow and referenced in FlexDeploy. The key can be self-signed or issued from a more trusted chain. Here is the link to the ServiceNow documentation

  1. Generate certificate

  2. Upload Java Key Store certificate

  3. Upload the crt file

  4. Configure a JWT signing key

  5. Application Registry

  6. Configure JWT Providers

  7. Update FlexDeploy ServiceNow configuration

1. Generate certificate

If you already have a public/private key pair and the keystore that holds it, you can skip this step.

Refer to this blog for key generation: https://developer.servicenow.com/blog.do?p=/post/jwt-github/

Below are the steps to generate the key:

  • Create a sample CA certificate
    openssl req -new -x509 -keyout ca-key.pem -out ca-certificate.pem -days 365

  • Create a certificate (because -key supplies an existing key, the certificate is signed with ca-key.pem, which is the private key used in the next step)
    openssl req -new -key ca-key.pem -days 365 -nodes -x509 -keyout fdsnow.key -out fdsnow.crt

  • Combine the private key and the CRT into a PKCS12 keystore
    openssl pkcs12 -export -in fdsnow.crt -inkey ca-key.pem -certfile fdsnow.crt -out fdsnow.p12 -name fdsnow

  • Convert the PKCS12 keystore to JKS
    keytool -importkeystore -srckeystore fdsnow.p12 -srcstoretype pkcs12 -destkeystore fdsnow.jks -deststoretype JKS

2. Upload Java Key Store certificate

Follow Step 1 under the Procedure outlined in this blog: ServiceNow

  • Navigate to Multi-Provider SSO > x509 Certificate.

  • Fill in the details: Type should be Java Key Store, enter the keystore password given when generating the file, attach the .jks file generated in step 1, and save. Let's name this fdsnow_jks1.

3. Upload the crt file

  • After saving the JKS file, click New to add the CRT file. Type should be Trust Store Cert; copy the content of the CRT file generated in step 1 and paste it into the PEM Certificate field.

4. Configure a JWT signing key

  • Create a JSON Web Token (JWT) signing key to assign to your Java KeyStore (JKS) certificate.

  • Navigate to System OAuth > JWT Keys.

  • In the form, Signing Keystore should be the keystore created in step 2. Signing Key should be the shared secret or password associated with the signing key.

5. Application Registry

  • Add a JSON Web Token (JWT) provider to your ServiceNow instance.

  • Navigate to System OAuth > Application Registry. Click New.

  • Select the highlighted option “Create an OAuth JWT API endpoint for external clients”.

  • We will use “User ID” for the User Field. Client Id and Client Secret will be auto-generated.

  • Save the details. Then click New to generate a JWT Verifier Map.

  • Enter the details; the Sys certificate should be the CRT certificate uploaded in step 3. The Kid is auto-generated; note it down, as it is used later.

6. Configure JWT Providers

  • Add a JSON Web Token (JWT) provider to your ServiceNow instance.

  • Navigate to System OAuth > JWT Provider.

  • Signing Configuration should be the JWT Signing Key created in step 4.

  • In the Standard Claims, for aud and iss enter the Client Id from step 5. sub is the user id that FlexDeploy will integrate as (e.g. admin).

7. FlexDeploy ServiceNow configuration

Lastly, create or update the Change Management instance in FlexDeploy, specifying your client application information as well as the certificate information.

  • ServiceNow Auth: OAuthJWTAssertion

  • Client Id: value from step 5.

  • Client Secret: value from step 5.

  • Keystore Path: path of the JKS file (step 1) on the FlexDeploy server.

  • Keystore passphrase: secret or password used to generate the JKS file.

  • Certificate Alias: alias name for the certificate.

  • Certificate passphrase: secret or password used to generate the CRT file.

  • JWT Verifier Map Key ID: the value of Kid from step 5.

  • Certificate Algorithm: the default is RS256; if you used a different algorithm, use that.
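The token that steps 4 to 7 set ServiceNow up to accept, as an added example (not FlexDeploy's or ServiceNow's own code): it builds an RS256 assertion carrying the kid, iss, aud and sub values from steps 5 and 6, then verifies it locally against the certificate's public key, the check ServiceNow performs with the Trust Store Cert from step 3 before trusting the claims. It assumes the openssl CLI; every id in it is a constructed placeholder, and the jwt-bearer token endpoint named in the comments is an assumption about ServiceNow's flow, not something the page states.

```shell
#!/bin/sh
# Added example, not FlexDeploy or ServiceNow code: build the RS256 JWT user
# assertion described in steps 4-7 and check it the way ServiceNow's verifier
# map does (signature against the uploaded certificate, then the claims).
# Assumes the openssl CLI. All ids below are constructed placeholders.
set -e
WORK=$(mktemp -d); cd "$WORK"
# Throwaway key pair standing in for fdsnow.key / fdsnow.crt from step 1;
# in the real setup the public half comes from the Trust Store Cert (step 3).
openssl genrsa -out fdsnow.key 2048 2>/dev/null
openssl rsa -in fdsnow.key -pubout -out fdsnow.pub 2>/dev/null

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_dec() {                      # restore padding, then standard base64
  s=$1; while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | tr '_-' '/+' | openssl base64 -d -A
}

# build_assertion KID CLIENT_ID USER KEYFILE -> signed JWT on stdout
build_assertion() {
  now=$(date +%s)
  # kid = JWT Verifier Map Key ID (step 5) so ServiceNow picks the right cert;
  # alg = the Certificate Algorithm setting, RS256 by default.
  hdr=$(printf '{"alg":"RS256","typ":"JWT","kid":"%s"}' "$1" | b64url)
  # Standard claims from step 6: iss and aud carry the Client Id, sub the user.
  pl=$(printf '{"iss":"%s","aud":"%s","sub":"%s","iat":%s,"exp":%s}' \
       "$2" "$2" "$3" "$now" $((now + 300)) | b64url)
  sig=$(printf '%s.%s' "$hdr" "$pl" | openssl dgst -sha256 -sign "$4" -binary | b64url)
  printf '%s.%s.%s' "$hdr" "$pl" "$sig"
}

# verify_assertion JWT PUBKEY -> exit 0 only if the signature covers header.payload
verify_assertion() {
  b64url_dec "${1##*.}" > sig.bin
  printf '%s' "${1%.*}" | openssl dgst -sha256 -verify "$2" -signature sig.bin >/dev/null
}

# claim JWT NAME -> value of a string claim from the (already verified) payload
claim() {
  b64url_dec "$(printf '%s' "$1" | cut -d. -f2)" | sed -n "s/.*\"$2\":\"\([^\"]*\)\".*/\1/p"
}

# Demo with placeholder ids. FlexDeploy sends such a token to ServiceNow's
# oauth_token.do as the assertion of a jwt-bearer grant (assumption about the flow).
JWT=$(build_assertion kid-placeholder client-id-placeholder admin fdsnow.key)
verify_assertion "$JWT" fdsnow.pub && echo "signature ok, sub=$(claim "$JWT" sub)"
```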
