ServiceNow and ForgeRock integration

Stéphane Orluc
9 min read · Sep 17, 2019

IT Service Management (ITSM) and Identity Management (IDM) platforms are increasingly common in companies; some of their functionality overlaps, and both include end-user interfaces. For a better user experience you should have a single interface for all IT requests: access, service, device, and so on.

In this post I will show you how to configure ServiceNow and ForgeRock to work together: the end-user interface and workflow in ServiceNow (SNow), and identity provisioning, synchronization and reconciliation in ForgeRock.

How do ServiceNow and ForgeRock integrate?

ServiceNow in a nutshell

ServiceNow is a multi-tenant ITSM cloud platform widely used by companies of all sizes. It provides a great variety of modules you can activate, from workflows to chat bots (Agent Intelligence).

There are two web interfaces:

  1. Administration interface: this interface is accessed by the administrators to configure the modules.
  2. End-user portal: this interface is used by anybody in the company for their IT requests.

As with most cloud solutions, you can create a free developer account and spawn a developer instance for yourself.

Be careful: a developer instance is paused if you don't connect to it, and it is automatically destroyed after 10 days of inactivity.

Service Catalog

Service Catalog is a SNow module/application used to define the catalog of the end-user portal. Among other things, this is where you manage the catalog (categories, requestable items, etc.).

ServiceNow Service Catalog — Maintain Items section

Flow designer

Flow Designer is a newer module/application used to define workflows and processes in ServiceNow. It is different from the classic Workflow module and much easier to use.

ServiceNow Flow Designer — Flow/Workflow editor

Note: we will also use the IntegrationHub module with Flow Designer to call the ForgeRock REST API.

ForgeRock in a nutshell

ForgeRock Identity Platform is a solution dedicated to digital identity (from access management to identity management). It has four main components: Access Management (AM), Directory Services (DS), Identity Management (IDM) and Identity Gateway (IG).

Today I will only consider the integration with ForgeRock Identity Management (IDM). Below is an extract from the ForgeRock documentation listing IDM functionality.

ForgeRock Identity Management 6.5 software provides the following capabilities:
- Provisioning
- Synchronization and reconciliation
- Adaptable monitoring and auditing services
- Connections to cloud services with simple social registration
- Flexible developer access
- Password synchronization
- Identity data visualization
- Delegated administration
- User self-service
- Privacy and consent
- Progressive profile completion
- Workflow engine
- OpenICF connector framework to external systems

ForgeRock Common REST interface
The ForgeRock Common REST (CREST) interface is a shared stack used by all ForgeRock components to expose a developer-friendly REST interface. All components of the platform embed a Swagger UI, and you can easily generate an OpenAPI-compliant descriptor of the REST API. The following figure shows the Swagger UI embedded in IDM.

ForgeRock Swagger UI in IDM

In IDM the API can be used to manage objects (identities, accounts, etc.), to configure the solution, to trigger processes/workflows and to retrieve audit and metrics information.

ServiceNow and ForgeRock Identity Management integration in a schema

Interactions between SNow and IDM can be of two types:

  1. SNow initiated: when an end-user requests access to a resource in SNow, SNow calls IDM to provision the access. This is done with IDM REST API calls.
  2. IDM initiated: when IDM provisions access in SNow. This is done with ForgeRock's ServiceNow connector.

In this post we focus on SNow-initiated interactions, which use the ForgeRock REST API to trigger the provisioning process. The following figure shows the high-level architecture.

ForgeRock & ServiceNow

ForgeRock and ServiceNow configuration

In this post, I will explain the configuration for the following use case: onboarding an external user.

Onboard an external user

In this scenario, the end-user connects to SNow and fills in a form to request the creation of an external user. SNow then uses the ForgeRock REST API to create the user in ForgeRock, and ForgeRock provisions the account.

A- Create a request Form in SNow

To create a form in SNow, proceed as follows:

  1. In the SNow admin interface browse to Service Catalog > Catalog Definition > Maintain Items and click the Create button.
  2. Enter the following information: Name, Catalog, Category.
    I entered "Catalog"="Service Catalog" and "Category"="Demo FR" (Demo FR is a custom Category I created beforehand, but you can use any Category you want).
  3. In the Item Details tab of this form, enter Short Description and Description. Both are displayed on the end-user form.
  4. In the same form, scroll down to the Variables tab and create 7 variables: 3 Single Line Text, 2 Date and 2 Reference types (see screenshot below). Then click Submit to validate the form creation.
On-Boarding form definition in Service Now

Note: you can preview the form using the Try It button.

After creating the form, you have to create the interface between ServiceNow and IDM.

B- Create an Action in SNow to use ForgeRock IDM REST API

SNow uses an Action object to call the IDM REST API. For instance, to create a user through the REST API you just have to send an HTTP PUT to this endpoint: http(s)://<IDM ServerName>:<PortNumber>/openidm/managed/user/<userID>, where <IDM ServerName> is the IDM server exposing the endpoint, <PortNumber> is the port (most likely 8080 for HTTP or 8443 for HTTPS) and <userID> is the _id you choose for the new user in IDM (in this post, the user's e-mail address). Two caveats for anything beyond a lab: call IDM over HTTPS with a dedicated service account rather than openidm-admin, and add the header If-None-Match: * so that the PUT can only create. With that header, IDM answers 412 Precondition Failed if a user with that _id already exists instead of overwriting it, which matters here because the _id is derived from a value typed by the requester.

For instance to create Clint Eastwood in our repository, the REST call is:

curl -X PUT \
  http://idm.sorluc.com:8080/openidm/managed/user/clint.eastwood@ext.fr \
  -H 'Content-Type: application/json' \
  -H 'Host: idm.sorluc.com:8080' \
  -H 'X-OpenIDM-Password: openidm-admin' \
  -H 'X-OpenIDM-Username: openidm-admin' \
  -d '{
    "userName": "ceastwood",
    "sn": "Eastwood",
    "givenName": "Clint",
    "mail": "clint.eastwood@ext.fr",
    "Type": "external",
    "manager": {
      "_ref": "managed/user/AArmitage"
    },
    "preferences": {
      "updates": true,
      "marketing": true
    }
  }'

The ForgeRock response is an HTTP 200 OK (the user is created) plus a JSON representation of the created user:

{
  "_id": "clint.eastwood@ext.fr",
  "_rev": "00000000f2ab2b11",
  "userName": "ceastwood",
  "sn": "Eastwood",
  "givenName": "Clint",
  "mail": "clint.eastwood@ext.fr",
  "Type": "external",
  "preferences": {
    "updates": true,
    "marketing": true
  },
  "accountStatus": "active",
  "effectiveRoles": [
    {
      "_ref": "managed/role/3f2a0c0b-9c2a-41a2-9139-724f67630d62"
    }
  ],
  "effectiveAssignments": [
    {
      "name": "Externals",
      "description": "Statutory assignment of the external group in AD for external users",
      "mapping": "managedUser_systemAddemoAccount",
      "attributes": [
        {
          "assignmentOperation": "mergeWithTarget",
          "name": "ldapGroups",
          "unassignmentOperation": "removeFromTarget",
          "value": [
            "CN=externals,OU=Groups,DC=DEMO,DC=COM"
          ]
        }
      ],
      "_rev": "000000002e16c8ec",
      "_id": "c8e10909-9293-40e9-b45f-270417e18449"
    }
  ]
}

In addition to the information we provided in the PUT (userName, sn, givenName, mail, Type, manager, preferences), this JSON contains two more attributes, effectiveRoles and effectiveAssignments, which represent the roles and assignments automatically granted to the user based on business rules defined in ForgeRock IDM. The rules I defined here are: "every user whose Type is external is a member of the role External" and "every member of the External role gets the assignment Externals" (here, membership of the AD group CN=externals,OU=Groups,DC=DEMO,DC=COM through the managedUser_systemAddemoAccount mapping).

Note: the ForgeRock documentation on the REST interface for user management is available at https://backstage.forgerock.com/docs/idm/6.5/integrators-guide/#managing-users-REST, and you can also use the embedded IDM Swagger UI to get more detailed information about this call.

To create an Action:

  1. In the SNow admin interface browse to Flow Designer > Designer (a new window pops up). Click the Actions tab and click +New > New Action. Enter a Name, make it accessible from All application scopes and click Submit.
  2. Click Inputs and add the following string variables using the Create Input button: User First Name, User Last Name, User email, User Manager, StartDate, EndDate, Role.
  3. On the left, just below the Inputs icon, click + and add a REST step.
  4. In the Connection Details zone, enter the following information:
    - Connection: select Use Connection Alias,
    - Connection Alias: select a Connection & Credential alias to connect to IDM.
    Note: to select the connection you must have activated the IntegrationHub module and pre-created a Connection, a Credential and a Connection & Credential Alias. These elements hold the URL and the credential used to connect to the IDM REST API. Use a dedicated IDM service account for ServiceNow rather than openidm-admin, with its permissions limited to what this flow needs (in IDM 6.5 access to REST endpoints is controlled in script/access.js).
  5. In the Request Details zone, enter the following information:
    - Resource Path: managed/user/<action->User email>, where <action->User email> is the Input variable you created in step 2,
    - HTTP Method: select PUT,
    - Query Parameters: leave blank,
    - Headers: add Content-Type:application/json (and If-None-Match:* if you want the call to fail rather than overwrite an existing user).
  6. In Request Content, enter the following information:
    - Request Type: Text,
    - Request Body: {"userName":"<action->User email>","sn":"<action->User Last Name>","givenName":"<action->User First Name>","StartDate":"<action->StartDate>","EndDate":"<action->EndDate>","mail":"<action->User email>","Type":"external","manager":{"_ref":"managed/user/<action->User Manager>"}}, where <action->User email>, <action->User Last Name>, <action->User First Name>, <action->StartDate>, <action->EndDate> and <action->User Manager> are the Input variables you created in step 2.
    Caveat: with Request Type set to Text the input values are pasted into the body as raw text, so a double quote in a form field breaks the JSON or changes its meaning. Either restrict the catalog variables to characters that cannot do that, or build the body with JSON.stringify in a Script step and pass the result to the REST step.
  7. Click Outputs and add the following output using the Create Output button:
    - Label: parameter,
    - Value: step->REST step->Response Body.
  8. Click Save and Publish.

The following screenshot shows what your Action should look like.

Action definition in Snow to request IDM REST API
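The REST call described above (the PUT to managed/user/<userID>) and step 6 of the Action both build the request from values the requester typed into the form. The following is an added example, not code from the original post, ServiceNow or ForgeRock, showing how a Script step could validate those inputs, build the body with JSON.stringify instead of text substitution, percent-encode the _id into the path, send If-None-Match: * for create-only semantics, and map the CREST status code to an outcome the flow can branch on. The host name, the custom Type, StartDate and EndDate attributes, the field names and the sample input are assumptions that mirror the post; it is plain Node.js so it runs stand-alone.

```javascript
// Added example (not from the original post, ServiceNow or ForgeRock).
// Builds the IDM CREST "create managed user" request from catalog-form input
// and interprets the response. Host, attribute names and inputs are assumed.

const IDM_BASE = "https://idm.example.com:8443/openidm"; // assumed lab host, HTTPS port

const EMAIL_RE = /^[^\s@"]+@[^\s@"]+\.[^\s@"]+$/;
const ISO_DATE_RE = /^\d{4}-\d{2}-\d{2}$/;
const MANAGER_ID_RE = /^[A-Za-z0-9._@-]+$/; // shape assumed for a managed/user _id

// Reject form input that cannot be a valid onboarding request before IDM sees it.
function validateOnboardingInput(input) {
  const errors = [];
  if (!input.firstName || !input.lastName) errors.push("first and last name are required");
  if (!EMAIL_RE.test(input.email || "")) errors.push("email is not well formed");
  if (!ISO_DATE_RE.test(input.startDate || "")) errors.push("StartDate must be YYYY-MM-DD");
  if (!ISO_DATE_RE.test(input.endDate || "")) errors.push("EndDate must be YYYY-MM-DD");
  if (errors.length === 0 && input.endDate < input.startDate) errors.push("EndDate is before StartDate");
  if (!MANAGER_ID_RE.test(input.managerId || "")) errors.push("manager id contains unexpected characters");
  return errors;
}

// Build the PUT that creates managed/user/<email>, mirroring the post's curl call.
function buildCreateUserRequest(input) {
  const errors = validateOnboardingInput(input);
  if (errors.length > 0) throw new Error("invalid onboarding input: " + errors.join("; "));
  const user = {
    userName: input.email,
    sn: input.lastName,
    givenName: input.firstName,
    mail: input.email,
    Type: "external",           // custom attribute the post's conditional role keys on
    StartDate: input.startDate, // custom attributes carried from the form
    EndDate: input.endDate,
    manager: { _ref: "managed/user/" + input.managerId },
  };
  return {
    method: "PUT",
    // The _id comes from the requester, so it is percent-encoded into the path.
    url: IDM_BASE + "/managed/user/" + encodeURIComponent(input.email),
    headers: {
      "Content-Type": "application/json",
      // Create-only: IDM answers 412 instead of overwriting an existing user.
      "If-None-Match": "*",
    },
    // JSON.stringify escapes quotes and backslashes, so a value such as
    // 'Eastwood","accountStatus":"x' stays a surname and cannot add attributes.
    body: JSON.stringify(user),
  };
}

// Map the CREST status code of the PUT to the outcome the flow should act on.
function interpretCreateResponse(status, bodyText) {
  switch (status) {
    case 200:
    case 201: // IDM returns 201 Created for a create; 200 accepted as well
      return { outcome: "created", id: JSON.parse(bodyText)._id };
    case 412: // If-None-Match: * failed: a user with this _id already exists
      return { outcome: "exists" };
    case 401:
    case 403:
      return { outcome: "denied" };
    default:
      return { outcome: "error", status: status };
  }
}

// Constructed sample input, as the catalog form would hand it to the action.
const sampleInput = {
  firstName: "Clint",
  lastName: "Eastwood",
  email: "clint.eastwood@ext.fr",
  managerId: "AArmitage",
  startDate: "2019-10-01",
  endDate: "2020-03-31",
};

console.log(buildCreateUserRequest(sampleInput).body);
```

Inside ServiceNow the same logic belongs in a Script step whose output feeds the REST step's Request Body; older ServiceNow releases only accept ES5 in server-side scripts, so use var there. The 412 branch is the one to wire to a "request rejected, user already exists" outcome rather than closing the requested item as complete.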

C- Create a flow to trigger the Action from the Form

To create a Flow:

  1. Connect to the SNow admin interface and browse to Flow Designer > Designer (a new window pops up). Click the Flows tab and click +New > New Flow. Enter a Name, leave the Application as Global, leave Run As set to User who initiates session and click Submit.
  2. Click Click to add a Trigger and select the Service Catalog trigger.
  3. Click Click to add an Action, Flow Logic, or Subflow, then select Action > ServiceNow Core > Service Catalog > Get Catalog Variables.
    - In the Requested Item field, select Trigger - Service Catalog -> Requested Item Record,
    - In Template Catalog Item, select Onboard external user with FR (this is the form you created in A),
    - Select all Catalog variables and click Done.
  4. Click Click to add an Action, Flow Logic, or Subflow, then select Action > Global > Create user in FRDP (Create user in FRDP is the name of the Action you created in B).
    - In the subsequent fields, drag and drop the Catalog Variables (from the right pane) into the corresponding fields. For instance, the User First Name field should contain 1->What_is_the_first_name_of_the_external_user. (These Catalog variables are the ones you defined in the form in A.)
    - Click Done.
  5. Add two Update Record actions:
    - one to update the Requested item [sc_req_item] table with State equal to Closed complete and Stage equal to Completed,
    - one to update the Request [sc_request] table with Request state, State and Stage equal to Closed complete.

The following schema shows the flow configuration as displayed in ServiceNow.

Flow defined in SNow

Finally, update the form defined in A so that it triggers the flow:

  1. Edit the catalog item and browse to Process Engine tab.
  2. In Flow field, select the flow we just created.

Et voilà! The configuration is ready!

Final result (Demo)

The video below shows the final result.

On-board a user with ServiceNow and automatically create a user in ForgeRock IDM

To conclude

With this post you can see how easy (less than 10 minutes) it is to create a form in ServiceNow and trigger a user creation in ForgeRock IDM. This architecture keeps your end-user portal consistent (everything is requested through ServiceNow) while leveraging ForgeRock for user provisioning, relationships and, more globally, Identity Management.

So if you already use ServiceNow and are happy with it, I urge you to consider this integration.

Stéphane Orluc

Sales Engineer at Ping Identity (formerly ForgeRock) www.linkedin.com/in/sorluc (posts are my own and do not necessarily reflect the views of my company)