We have groups with members in Active Directory, and we have the same groups with the same members in ServiceNow.

There is a plan to use Okta as a single sign-on solution. For this purpose we can have Okta provision users from AD.

We would like Okta to also provision the groups and maintain their memberships from AD. So for example:

  1. When people are added or removed from a group in AD, we would like those people to be removed from the same group in ServiceNow.
  2. When a group is added or removed in AD, we would like the same group to be deleted in ServiceNow.

Is this possible, and if so, what Okta functionality can be used to accomplish it?

  • I don't really have time to write an answer, but read [this](https://support.okta.com/help/articles/Knowledge_Article/92113353-Importing-and-Using-Groups-in-Okta). It's the okta documentation on group provisioning. Specifically [this](https://support.okta.com/help/articles/Knowledge_Article/92113353-Importing-and-Using-Groups-in-Okta#using_push). – Peter Raeves Feb 17 '16 at 13:54
  • Thanks @PeterRaeves, I used your links and some experimentation to get what I think is the correct procedure and posted this as an answer (as it might be useful to other folks). –  Feb 18 '16 at 21:37

1 Answer

After looking at the documentation linked by Peter Raeves, and after some experimenting in a test instance, it seems that the AD groups can be replicated in ServiceNow as follows:

(Note that steps 1 and 2 can be done in any order)

  1. Ensure that Okta is connected to Active Directory. This requires installing and configuring the Okta AD Agent, as explained here.
  2. Connect Okta to ServiceNow using a SAML connection. With newer versions of ServiceNow it seems better not to use the Okta ServiceNow plugin, as it looks like this plugin does not work well with SSO changes that have been introduced in ServiceNow. Instructions for configuring the connection "manually" can be found by clicking on "View Setup Instructions" under the "Sign On" tab in the Okta ServiceNow application. Make sure you enable provisioning under the "Provisioning" tab in the Okta ServiceNow application.
  3. Assign the ServiceNow application to the Active Directory users. This can be done under the "People" tab in the Okta ServiceNow application. This needs to be done before Step 4 (Okta will ignore any users found in the groups that have not been assigned to the application).
  4. Push the desired Active Directory Groups to ServiceNow. This can be done under the "Push Groups" tab in the Okta ServiceNow application. Okta can replicate the group membership in ServiceNow when pushing the group, if you tick the "Push group memberships immediately" check-box. You can also push the membership after the group has been added by clicking on the down-arrow in the groups list, and selecting "Push now".

Note that user roles will still have to be maintained in ServiceNow. Being that Okta does not touch the roles at all, they can be added for example on the group-level in ServiceNow without risking that they are overwritten by Okta.

  • Does that mean you can't transfer roles from AD to SN? – Peter Raeves Feb 18 '16 at 22:27
  • Hi @PeterRaeves, I have not yet found a way to do it although maybe it can be done if one uses the scripting capabilities in Okta Universal Directory(?) In ServiceNow the roles of a group are not stored in the Group (sys_user_group) table but in a related table; they are linked to the Group through an intermediary table called "sys_group_has_role". Okta would somehow have to query the Role (sys_user_role) table, get the SYS ID of the role, and link it to the particular group in the "sys_group_has_role" table. –  Feb 19 '16 at 14:20
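To make the table relationship described in the last comment concrete, here is an added example (not from the thread, and not Okta or ServiceNow code) that models sys_user_group, sys_user_role and sys_group_has_role as constructed in-memory records and computes which sys_group_has_role rows are still missing for a group to carry a given set of roles, resolving each role name to its sys_id first. All records and sys_id values are constructed; in a real instance each array lookup would be a GlideRecord or Table API query.

```javascript
// Constructed stand-ins for the three ServiceNow tables named in the thread.
// In a real instance each lookup below is a GlideRecord or Table API query.
const sysUserGroup = [
  { sys_id: 'a1b2c3d4e5f60718293a4b5c6d7e8f01', name: 'ServiceDesk' },
];
const sysUserRole = [
  { sys_id: 'b1b2c3d4e5f60718293a4b5c6d7e8f01', name: 'itil' },
  { sys_id: 'b1b2c3d4e5f60718293a4b5c6d7e8f02', name: 'approver_user' },
];
// Intermediary table: one row per (group, role) link. ServiceDesk already has itil.
const sysGroupHasRole = [
  { group: 'a1b2c3d4e5f60718293a4b5c6d7e8f01', role: 'b1b2c3d4e5f60718293a4b5c6d7e8f01' },
];

// Resolve a role name to its sys_id; a misspelled role must fail loudly
// rather than be silently skipped, so that a group never ends up with fewer
// roles than an administrator believes it has.
function roleSysId(roleName) {
  const role = sysUserRole.find((r) => r.name === roleName);
  if (!role) throw new Error(`Unknown role: ${roleName}`);
  return role.sys_id;
}

// Return the sys_group_has_role rows that are missing for the named group to
// carry every role in desiredRoleNames. Existing links are left alone, so the
// result is empty when the group is already in the desired state.
function missingGroupRoleLinks(groupName, desiredRoleNames, links = sysGroupHasRole) {
  const group = sysUserGroup.find((g) => g.name === groupName);
  if (!group) throw new Error(`Unknown group: ${groupName}`);
  const existing = new Set(
    links.filter((l) => l.group === group.sys_id).map((l) => l.role),
  );
  return desiredRoleNames
    .map(roleSysId)
    .filter((roleId) => !existing.has(roleId))
    .map((roleId) => ({ group: group.sys_id, role: roleId }));
}

// Insert the missing links and report how many were added. Running it twice
// with the same input adds nothing the second time.
function ensureGroupRoles(groupName, desiredRoleNames) {
  const rows = missingGroupRoleLinks(groupName, desiredRoleNames);
  sysGroupHasRole.push(...rows);
  return rows.length;
}
```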