
Saas Manager -- security challenge to input Admin username & pwd (ServiceNow OAuth2 Subscription Licensing)

Big_Kev (Level 7 Champion)

Hello Saas Manager group

We are setting up ServiceNow <> SaaS Manager via (ServiceNow OAuth2 Subscription Licensing). The client's security concern is: after registering the app in SN so that we have the Client ID/Secret & domain, why do we still need to input the administrator account's username and password? (Typing the admin username & pwd into a 3rd-party tool is not within the end user's security appetite...)

I am wondering if the Flexera team or other users can suggest any alternatives here to get SaaS Manager connected with ServiceNow:

1. Is the 'Administrator' role indeed required, or is a lower-level role sufficient?

2. Can we create a custom role in SN that has access to the tables & stats based on the API URLs specified below?

Application Access

https://<<instance>>.service-now.com/api/now/stats/sys_user

https://<<instance>>.service-now.com/api/now/table/sys_user

Application Roster

https://<<instance>>.service-now.com/api/now/stats/license_role

https://<<instance>>.service-now.com/api/now/table/license_role

And all other URLs included for tables/stats.

Is it possible to create a service account under this 'custom role', if that is enough for the SaaS Manager integration, or does it have to be an Administrator account?

3. One observation: most other SaaS application integration steps in the Online Help do specify something like the note below whenever the integration requires inputting an admin username and password. However, I can't find the same under any 'ServiceNow *' integration:

"Note: These credentials are required only for authorizing the application permissions. They are not stored in SaaS Management."

Thanks in advance if you have similar challenges or thoughts.

Best Regards

Kevin

(1) Solution

Hi @Big_Kev ,

I believe you have also raised a support ticket for this question so, you may receive the same response twice.

To answer your question relating to the use of custom role(s):

  • Each of the tables used to populate data for this managed application is dependent upon the base role of 'admin'. During our discovery for this feature we tried to use a custom role (with the required privileges); however, because the sys_user table is 'read only' it is not possible to add a custom role. Therefore, we need to use a base role with the necessary privileges, and this is 'admin'.

With regards to the question around UID and PWD:

  • We are using OAuth2 with the password grant type as our authentication method and as such require:
    • Client ID
    • Client Secret
    • Username
    • Password
  • We do not include the statement - as per other integrations - because the credentials are encrypted and stored in Flexera One.

Thanks
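The exchange the answer describes, traced end to end as an added example (this is not Flexera's or ServiceNow's code): the client builds the password-grant request to /oauth_token.do from the four items listed above, calls the admin-only /api/now/stats/sys_user endpoint from the question, and then renews with the refresh token so the password itself is presented only once. The client credentials, user accounts and the in-memory ServiceNow stand-in are all constructed assumptions; only the /oauth_token.do path and the stats URL come from ServiceNow and the thread.

```python
import secrets
from urllib.parse import parse_qs, urlencode

def token_form(client_id, client_secret, username=None, password=None, refresh_token=None):
    """Form body for POST /oauth_token.do: password grant first, refresh_token grant later."""
    body = {"client_id": client_id, "client_secret": client_secret}
    if refresh_token:
        body.update(grant_type="refresh_token", refresh_token=refresh_token)
    else:  # the resource owner's own credentials travel in the request body
        body.update(grant_type="password", username=username, password=password)
    return urlencode(body)

class FakeServiceNow:
    """Constructed stand-in (not a real server) for the token endpoint and the
    admin-only /api/now/stats/sys_user endpoint listed in the question."""
    def __init__(self, client_id, client_secret, users):
        self.client, self.users = (client_id, client_secret), users  # app; name -> (pwd, roles)
        self.access, self.refresh = {}, {}                            # token -> username
    def post_oauth_token(self, form):
        f = {k: v[0] for k, v in parse_qs(form).items()}
        if (f.get("client_id"), f.get("client_secret")) != self.client:
            return 401, {"error": "invalid_client"}
        if f.get("grant_type") == "password":
            name, user = f.get("username"), self.users.get(f.get("username"))
            if user is None or user[0] != f.get("password"):
                return 401, {"error": "access_denied"}
        elif f.get("grant_type") == "refresh_token" and f.get("refresh_token") in self.refresh:
            name = self.refresh.pop(f["refresh_token"])  # single-use refresh token
        else:
            return 400, {"error": "invalid_grant"}
        a, r = secrets.token_hex(16), secrets.token_hex(16)
        self.access[a], self.refresh[r] = name, name
        return 200, {"access_token": a, "refresh_token": r, "expires_in": 1800}

    def get_stats_sys_user(self, headers):
        name = self.access.get(headers.get("Authorization", "").split(" ", 1)[-1])
        if name is None:
            return 401, {"error": "invalid_token"}
        if "admin" not in self.users[name][1]:  # base 'admin' role, as the answer states
            return 403, {"error": "insufficient_rights"}
        return 200, {"result": {"stats": {"count": str(len(self.users))}}}

def connect(sn, client_id, client_secret, username, password):
    """One integration run: token, stats call, then a refresh that omits the password."""
    status, tok = sn.post_oauth_token(token_form(client_id, client_secret, username, password))
    if status != 200:
        return (status,)
    stats, _ = sn.get_stats_sys_user({"Authorization": "Bearer " + tok["access_token"]})
    refresh, _ = sn.post_oauth_token(token_form(client_id, client_secret, refresh_token=tok["refresh_token"]))
    return (status, stats, refresh)
```

The block shows what the grant type itself needs at each step; the thread states only that Flexera One stores the credentials encrypted, not which of them it retains after the first exchange.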


(4) Replies
Big_Kev (Level 7 Champion)

Another reason requesting a username & pwd seems strange is that it's an OAuth2-supported integration. Nowadays more and more customers' companies only allow users to log in to enterprise applications via their IDP, with SSO as the only option. Those local account usernames and passwords for logging in directly on the vendor portal have become obsolete. In that case it won't work anymore in the SaaS Manager ServiceNow integration, as requesting a username and pwd won't work when the customer logs in to ServiceNow via Azure or Okta etc.


Hello @aswindells 

Thank you very much for your confirmation; that helps me to understand the current behavior and the reason why a custom role etc. is not considered. I am happy to convey this to my client.

Other than the question of requiring the 'admin' role... I am not sure you read my 2nd input in the comments field (the one before you replied). In the current SaaS Manager ServiceNow authentication steps, there are two required 'fields' for username and password. This behavior will become very challenging nowadays, when more companies only allow employees to log in to other SaaS applications via SSO (Azure, Okta etc.) instead of logging in to the portal directly via username and password. In other words, my contact in the ServiceNow team explained that they log in to SN via Azure; they can never type a domain account username and password into SN as it won't work, it's not a local SN account, and their company security policy no longer allows logging in to the portal directly with a local account....

Andrew, do you think that, due to this 'modern security concern and change', this should be considered an IDEA enhancement request on the ServiceNow integration page? The request is not to leave two string fields expecting a local username and password; rather, the authentication steps should be something similar to other current apps such as Salesforce, Zoom.... that once the user clicks the 'authentication' button, it pops up a new browser window and reaches the ServiceNow login page, and we expect that the SN login page has an option to allow SSO. Please let me know if that makes sense or needs more elaboration.

Thanks in advance, Andrew.

Best Regards

Kevin

Hi @Big_Kev - we are ultimately dependent upon the authentication method that the vendor imposes on their APIs, which, it is important to point out, can be different from the way they authenticate via the application UI.

Wherever a vendor provides multiple authentication models and it is viable for us to offer them, we will provide multiple options. ServiceNow and M365 are good examples here.

Thanks