How to configure Okta Single Sign-On (SSO) for a ServiceNow instance - Support and Troubleshooting

How to configure Okta Single Sign-On (SSO) for a ServiceNow instance Summary .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Configure Okta as a SAML 2.0 identity provider for Single Sign-On (SSO) on a ServiceNow instance. This article outlines the setup process for both the Okta and ServiceNow configurations.

Note : ServiceNow does not endorse any specific identity provider. Instructions for Okta configuration may change based on updates made by Okta. For current Okta documentation, refer to Okta's official support resources.

Release .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } All supported releases

Instructions .ns-kb-css-body-editor-container { p { font-size: 12pt; font-family: Lato; color: #000000; } span { font-size: 12pt; font-family: Lato; color: #000000; } h2 { font-size: 24pt; font-family: Lato; color: black; } h3 { font-size: 18pt; font-family: Lato; color: black; } h4 { font-size: 14pt; font-family: Lato; color: black; } a { font-size: 12pt; font-family: Lato; color: #00718F; } a:hover { font-size: 12pt; color: #024F69; } a:target { font-size: 12pt; color: #032D42; } a:visited { font-size: 12pt; color: #00718f; } ul { font-size: 12pt; font-family: Lato; } li { font-size: 12pt; font-family: Lato; } img { display: ; max-width: ; width: ; height: ; } } Configure Okta Sign up for an Okta developer account at https://developer.okta.com/signup/ . Log in to Okta and switch to Classic UI (Developer Console > Classic UI) . Go to the admin dashboard: https:// -admin.okta.com/admin/dashboard Select Add Application > ServiceNow UD . Configure the application settings: General > Base URL : Enter https:// .service-now.com Sign On : Select SAML 2.0 (use defaults for other settings) Save the configuration. Select Identity Provider metadata and save the URL. You will need this URL when configuring ServiceNow. Create a test user in Okta: Go to Directory > People . Create a new user with a user name and password. Assign the user to the ServiceNow application: Open the ServiceNow app you created. Go to Assignment > Assign > Assign to People . Select the user you created.

Configure ServiceNow Activate the Multi-Provider SSO plugin Go to System Definition > Plugins . Search for and activate the Integration - Multiple Provider Single Sign-On Installer plugin. Go to Multi-Provider SSO > Properties . Enable the following properties: Enable multiple provider SSO Enable debug logging for the multiple provider SSO integration Create a matching user Create a user in ServiceNow that matches the user you created in Okta. The email address in the User [sys_user] record must match the email configured for the Okta user.

Import the identity provider metadata Go to Identity Providers > New . Select SAML . Select Import Identity Provider Metadata . Enter the metadata URL you saved from Okta. Configure Single Logout (optional) Single Logout requires certificate configuration on both Okta and ServiceNow. Choose one of the following options:

Option 1: Use your own certificate Upload your certificate to Okta in the application setup. Upload the same certificate to the Certificates [sys_certificate] table in ServiceNow. In Okta, select Enable Single Logout . Option 2: Use the default ServiceNow certificate In Okta, select Enable Single Logout . Follow steps 1-5 in Steps to migrate from expiring SAML 2.0 SP Keystore to new Keystore to configure the correct SHA256 certificate in the system properties. See the KB article for currently valid certificates. On the Identity Provider record in ServiceNow, select Sign LogoutRequest . Enter the following values: Signing Key Alias : saml2sp Signing Key Password : saml2sp Select Generate Metadata . Copy the x509 certificate from the metadata screen. Format the certificate with BEGIN and END markers:

In Okta, go to the advanced options and select Upload Certificate . Upload the certificate file. Select Enable Single Logout . Note : If you receive an invalid certificate error, contact Okta Support to verify they accept the ServiceNow default certificate.

Test the configuration On the Identity Provider record, select Test Connection . Verify the connection is successful. Activate the Identity Provider record.