Hello SaaS Manager group,
We are setting up ServiceNow <> SaaS Manager via (ServiceNow OAuth2 Subscription Licensing). The client's security concern is: after registering the app in SN so that we have the Client ID/Secret and domain, why do we still need to input the administrator account's username and password? (Typing the admin username and password into a 3rd-party tool is not within the end user's security appetite.)
I am wondering if the Flexera team or other users can suggest any alternatives here to get SaaS connected with ServiceNow:
1. Whether the 'Administrator' role is indeed required, or whether a lower-level role is sufficient?
2. Whether we can create a custom role in SN that has access to the tables and stats based on the API URLs specified below:
Application Access
https://<<instance>>.service-now.com/api/now/stats/sys_user
https://<<instance>>.service-now.com/api/now/table/sys_user
Application Roster
https://<<instance>>.service-now.com/api/now/stats/license_role
https://<<instance>>.service-now.com/api/now/table/license_role
And all other URL included tables/stats
Is it possible to create a service account under this 'custom role', if that is enough for the SaaS Manager integration? Or does it have to be an Administrator account?
3. One observation: most of the other SaaS application integration steps in the online help specify something like the note below whenever the integration requires an admin username and password as input. However, I can't find the same under any 'ServiceNow *' integration.
"Note: These credentials are required only for authorizing the application permissions. They are not stored in SaaS Management."
Thanks in advance if you have similar challenges or thoughts.
Best Regards
Kevin
May 09, 2023 09:55 PM
Hi @Big_Kev ,
I believe you have also raised a support ticket for this question so, you may receive the same response twice.
To answer your question relating to the use of custom role(s):
With regards to the question around UID and PWD:
Thanks
May 15, 2023 04:45 AM - edited May 15, 2023 04:46 AM
Another reason requesting a username and password seems strange is that it's an OAuth2-supported integration. Nowadays more and more customer companies only allow users to log in to enterprise applications via their IdP, as an SSO-only option. Local account usernames and passwords for logging in directly on the vendor portal are becoming obsolete. In that case the SaaS Manager ServiceNow integration won't work anymore, as requesting a username and password won't work when the customer logs in to ServiceNow via Azure, Okta, etc.
May 11, 2023 04:50 AM
Hello @aswindells
Thank you very much for your confirmation; it helps me understand the current behavior and the reason why a custom role etc. is not considered. I am happy to convey this to my client.
Other than the question of requiring the 'admin' role, I am not sure whether you read my 2nd input in the comments field (the one before you replied). The current SaaS Manager ServiceNow authentication steps have two required fields, for username and password. This behavior will become very challenging now that more companies only allow employees to log in to other SaaS applications via SSO (Azure, Okta, etc.) instead of logging in to the portal directly with a username and password. In other words, my contact in the ServiceNow team explained that they log in to SN via Azure; they can never type a domain account username and password into SN, as it won't work: it's not a local SN account, and their company security policy no longer allows logging in to the portal directly with a local account.
Andrew, do you think that, due to this 'modern security concern and change', this should be considered as an IDEA enhancement request on the ServiceNow integration page? The request is not to leave two string fields expecting a local username and password; instead, the authentication steps should be similar to those of other current apps such as Salesforce and Zoom: once the user clicks the 'authentication' button, it should pop up a new browser window and reach the ServiceNow login page, and we expect that the SN login page has an option to allow SSO. Please let me know if that makes sense or needs more elaboration.
Thanks in advance Andrew.
Best Regards
Kevin
May 15, 2023 07:47 AM
Hi @Big_Kev - we are ultimately dependent upon the authentication method that the vendor imposes on their APIs, which, it is important to point out, can be different from the way they authenticate via the application UI.
Wherever a vendor provides multiple authentication models and it is viable for us to offer, we will provide multiple options. ServiceNow and M365 are good examples here.
Thanks
May 26, 2023 05:50 AM