Best Practice — Governing SSO Connections to External Third-Party Applications in ServiceNow Multi-Provider SSO

Issue

Administrators need guidance on how to handle SSO connections configured in ServiceNow's Multi-Provider SSO module that point to external third-party applications or services the organization does not own, administer, or have a formal trust relationship with.
Questions typically arise around:
- Whether there is a supported pattern for configuring SSO to publicly owned or unmanaged applications
- What risks are introduced by maintaining such connections
- How to govern and inventory these connections in a CSDM-compliant manner without creating dummy or placeholder CIs in the CMDB

Release

No release specific

Cause

ServiceNow's Multi-Provider SSO framework is designed for federating identity between systems where the customer owns or administers both sides of the trust relationship, or has a formal agreement with the third party governing certificate lifecycle and metadata management. When SSO connections are created for applications outside this boundary, the customer loses operational control over the integrity of the connection, creating security, auditability, and maintainability gaps.

Additionally, organizations that attempt to represent these external services as Business Application or Business Service CIs in the CMDB to satisfy governance or TPRM visibility requirements will find that this conflicts with CSDM 5.0 prescriptive guidance, which scopes the CMDB to managed assets and services only.
Resolution

1. Supported Pattern for SSO Connections to Third-Party Applications

There is no formally supported or recommended pattern in ServiceNow for configuring SSO connections to publicly owned or unmanaged external applications. The Multi-Provider SSO framework assumes the customer has administrative access to the Service Provider (SP) configuration on the external application side. SSO connections should only be configured for applications where all of the following conditions are met:
- Your organization owns or administers the SP configuration on the external application
- A formal agreement or trust relationship exists with the third party that covers certificate lifecycle, metadata update notifications, and federation changes
- Your organization can be notified of, and operationally respond to, changes on the external application side

Any existing SSO connections that do not meet these criteria should be reviewed and either formalized with a vendor agreement or decommissioned.

2. Risks of SSO Connections to Applications Outside Your Control

Maintaining SSO connections to applications your organization does not govern introduces the following risks:
- Certificate and Metadata Rotation: If the external application rotates its SAML signing certificate or updates its federation metadata without notice, the SSO connection breaks at the next login attempt. ServiceNow's Multi-Provider SSO module has no mechanism to automatically detect or recover from externally initiated certificate changes; detection is the customer's responsibility.
- Security Exposure: Extending your IdP's trust chain to applications you do not govern widens your authentication attack surface. Each ungoverned SSO connection is a potential vector for credential abuse if the external application is compromised.
- No Change Control: Third-party or public applications can modify authentication endpoints, deprecate SAML support, or go offline without notice, leaving the integration in a broken and unsupported state.
- Auditability Gap: Authentication events on the external application side are not visible to or controllable by your organization, creating gaps in compliance and audit posture. This is particularly relevant for TPRM and regulatory frameworks.

3. Governing and Inventorying External SSO Connections Without Violating CSDM 5.0

ServiceNow does not provide a dedicated out-of-box module for external SSO connection governance. The following platform-level controls are recommended:

Access Control
Restrict the ability to create or modify Identity Provider and Service Provider records within the Multi-Provider SSO module to a designated admin group, and review the change history of those records periodically. This prevents ungoverned connections from being added outside of a formal review process.

SSO Connection Inventory
Maintain a documented inventory of all SSO connections configured in the instance. At minimum, the inventory should capture:
- Connection name and type (IdP / SP)
- Target application or service
- Ownership classification: Internally Managed (org owns/administers the SP) vs. Externally Owned (third-party or public application)
- Certificate expiration date and rotation responsibility (recording the signing certificate's fingerprint as well lets an unannounced rotation be detected rather than discovered through failed logins)
- Governing agreement or vendor contact (where applicable)

This inventory should be maintained outside the CMDB. A custom ServiceNow table or a governed external document are both acceptable approaches.

CMDB Guidance
Do not create Business Application, Business Service, or other CMDB CI records to represent external third-party services your organization does not own or manage. CSDM 5.0 scopes the CMDB to managed assets and services. Creating placeholder or dummy CIs for unowned external services violates this boundary and introduces data quality and lifecycle management problems.

4. Architectural Options for TPRM-Driven SSO Governance (Advanced)

Organizations with TPRM or regulatory requirements to formally track external SSO dependencies have the following architectural options, depending on version and licensing:

Option: Connection Service Instance (CSDM 5.0)
Approach: Model the SSO connection as a Connection Service Instance, a subclass of Service Instance introduced in Yokohama, linking your identity infrastructure to the external service.
Considerations: Available in Yokohama and later only. Most aligned with CSDM 5.0 for organizations on a current release.

Option: VRM / IRM Vendor Records
Approach: Register external services as Vendor or Vendor Product records in the Vendor Risk Management or Integrated Risk Management module.
Considerations: Requires VRM/IRM licensing. Keeps TPRM governance entirely outside the CMDB, which is appropriate for unmanaged external dependencies.

Option: Business Application CI with External Ownership
Approach: Model the external service as a Business Application CI with explicit external ownership attribution.
Considerations: Acceptable only if the organization treats the external service as a formally tracked dependency with a defined owner. Risk of lifecycle management burden if not governed properly.

Option: Custom Inventory Table
Approach: Create a lightweight custom table to track SSO connection records outside the CMDB hierarchy.
Considerations: Lowest complexity, no version or license dependency. Appropriate for organizations that need visibility without full CSDM modeling.

The Connection Service Instance approach is recommended for organizations on Yokohama or later seeking full CSDM 5.0 alignment. For earlier versions, a custom inventory table combined with VRM/IRM (if licensed) provides the most compliant path.
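The "Certificate and Metadata Rotation" and "No Change Control" risks in section 2 are only manageable if someone periodically compares the external partner's published SAML metadata against what was recorded in the inventory at the time the connection was reviewed. The script below is an added example written for this article, not ServiceNow code and not a Multi-Provider SSO feature: it parses an IdP EntityDescriptor with the standard library, records the entityID, SingleSignOnService endpoints and SHA-256 fingerprints of the signing certificates as a baseline, and reports drift when a fresh copy of the metadata is parsed. The two metadata documents and the certificate bytes inside them are constructed placeholders (base64 of arbitrary text, not real X.509 certificates); the entity IDs and URLs are hypothetical. Certificate expiry is deliberately not derived here, since that needs a real DER parser; the fingerprint alone is enough to catch an unannounced rotation.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# SAML 2.0 metadata namespaces, as defined by the OASIS specification.
NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


@dataclass(frozen=True)
class FederationSnapshot:
    """What an SP must trust about an external IdP: who it is, where it is, what it signs with."""
    entity_id: str
    sso_endpoints: tuple        # sorted (Binding, Location) pairs
    signing_cert_sha256: tuple  # sorted SHA-256 hex fingerprints of the DER signing certs


def parse_idp_metadata(xml_text: str) -> FederationSnapshot:
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}EntityDescriptor" % NS["md"]:
        raise ValueError("expected a single md:EntityDescriptor")
    idp = root.find("md:IDPSSODescriptor", NS)
    if idp is None:
        # The partner no longer advertises the IdP role: SAML login to it is gone.
        raise ValueError("metadata no longer advertises an IDPSSODescriptor")
    endpoints = sorted(
        (e.get("Binding", ""), e.get("Location", ""))
        for e in idp.findall("md:SingleSignOnService", NS)
    )
    fingerprints = []
    for kd in idp.findall("md:KeyDescriptor", NS):
        # A KeyDescriptor without a 'use' attribute is valid for signing and encryption.
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.findall(".//ds:X509Certificate", NS):
            der = base64.b64decode("".join((cert.text or "").split()))
            fingerprints.append(hashlib.sha256(der).hexdigest())
    return FederationSnapshot(root.get("entityID", ""), tuple(endpoints), tuple(sorted(fingerprints)))


def diff_snapshots(baseline: FederationSnapshot, current: FederationSnapshot) -> list:
    """Return human-readable findings; an empty list means the partner has not drifted."""
    findings = []
    if baseline.entity_id != current.entity_id:
        findings.append("entityID changed: %s -> %s" % (baseline.entity_id, current.entity_id))
    old_fp, new_fp = set(baseline.signing_cert_sha256), set(current.signing_cert_sha256)
    for fp in sorted(old_fp - new_fp):
        findings.append("signing certificate removed (assertions signed with it will now be rejected): " + fp[:16])
    for fp in sorted(new_fp - old_fp):
        findings.append("signing certificate added (not in inventory, unannounced rotation): " + fp[:16])
    old_ep, new_ep = set(baseline.sso_endpoints), set(current.sso_endpoints)
    for binding, loc in sorted(old_ep - new_ep):
        findings.append("SSO endpoint removed: %s %s" % (binding, loc))
    for binding, loc in sorted(new_ep - old_ep):
        findings.append("SSO endpoint added: %s %s" % (binding, loc))
    return findings


def _fake_cert(label: str) -> str:
    # CONSTRUCTED placeholder: base64 of arbitrary bytes, not a real X.509 certificate.
    return base64.b64encode(("placeholder-cert-" + label).encode()).decode()


# Constructed sample metadata; the entityID and URLs are hypothetical.
METADATA_TEMPLATE = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" entityID="https://idp.example.com/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>{cert}</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo></md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
        Location="{sso}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""

# Baseline recorded at review time, and a later copy where the partner rotated its
# signing certificate and moved its SSO endpoint without telling anyone.
BASELINE_METADATA = METADATA_TEMPLATE.format(cert=_fake_cert("2024"), sso="https://idp.example.com/sso")
ROTATED_METADATA = METADATA_TEMPLATE.format(cert=_fake_cert("2025"), sso="https://login.example.com/sso")

if __name__ == "__main__":
    baseline = parse_idp_metadata(BASELINE_METADATA)  # stored with the inventory record
    current = parse_idp_metadata(ROTATED_METADATA)    # fetched now from the partner's metadata URL
    for finding in diff_snapshots(baseline, current) or ["no drift"]:
        print(finding)
```

In practice the baseline snapshot (or at least its fingerprints) is what belongs in the inventory's certificate field, and the comparison is run on a schedule against the partner's metadata URL; any non-empty finding list is a change that either has to be matched to a vendor notification under the governing agreement or treated as a reason to disable the connection.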