Shibboleth and Servicenow
Cantor, Scott
cantor.2 at osu.edu
Fri Feb 8 12:52:51 EST 2013
> We are investigating deploying Servicenow "in the cloud". I see that they are
> a member of InCommon as of last December, however they don't seem to
> appear in our metadata file.
I wasn't aware they joined and we don't currently rely on InCommon metadata for them. Their model is such that it's a poor fit anyway because they use dedicated entityID/endpoints per customer.
> I found this link:
> https://confluence.id.ubc.ca:8443/display/SHIB/Appendix+A+-+Shibboleth+Integration+with+ServiceNow
> that shows they can integrate with Shib. In the linked document the only
> attribute being released is the user id (eppn?).
They supported SAML 1.1 for a while; they do both now. I identified major flaws in their implementation that they corrected and we are using 2.0 now.
They rely on either a NameID or Attribute that you identify to their system in the GUI to look at to extract the user ID and what column in their user table to match against.
> In our conversations with Servicenow they need additional attributes
> (manager, dept id, location, others). None of these are present in
> eduPerson. Servicenow would like to connect to our AD to obtain these
> attributes.
That is fairly typical. They rely on a directory we populate for that information. I do not believe they can do that via SAML.
> Does anyone have experience with Servicenow? How did you provide these
> additional attributes?
See above.
> I'd like to find a solution that does involve them connecting to our AD, I'd like
> to just release them via Shib. And of course I have some FERPA concerns.
I think almost all apps are fundamentally incapable of dealing with FERPA because nobody else has that requirement, so their other customers would never have asked about it and they would never have designed for it.
As far as releasing them with SAML, no, they don't do that today.
-- Scott
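
The lookup described in the reply above (a configured NameID or Attribute, matched against a chosen user-table column), as an added sketch that is not part of the original message and is not ServiceNow's code. The sample assertion, user table, column names and function names are constructed, and signature and condition validation is assumed to have happened before this step.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
EPPN = "urn:oid:1.3.6.1.4.1.5923.1.1.1.6"  # eduPersonPrincipalName

# Constructed sample assertion; signature and conditions omitted for brevity.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID>_a1b2c3-transient</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6">
      <saml:AttributeValue>jdoe@example.edu</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed user table, populated out of band from a directory, not from SAML.
USERS = [
    {"user_name": "jdoe@example.edu", "manager": "asmith", "department": "D100"},
    {"user_name": "asmith@example.edu", "manager": None, "department": "D100"},
]

def extract_user_id(assertion_xml, source="NameID"):
    """Return the identifier from NameID, or from the Attribute named by source."""
    root = ET.fromstring(assertion_xml)
    if source == "NameID":
        values = [e.text for e in root.findall("saml:Subject/saml:NameID", NS)]
    else:
        values = [v.text
                  for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)
                  if a.get("Name") == source
                  for v in a.findall("saml:AttributeValue", NS)]
    values = [v.strip() for v in values if v and v.strip()]
    if len(values) != 1:  # refuse a missing or multi-valued identifier
        raise ValueError(f"expected exactly one value for {source}, got {len(values)}")
    return values[0]

def match_user(user_id, column, users=USERS):
    """Exact match on the configured column; zero or several hits is a failure."""
    hits = [u for u in users if u.get(column) == user_id]
    if len(hits) != 1:
        raise LookupError(f"{len(hits)} rows match {column}={user_id!r}")
    return hits[0]

def login(assertion_xml, source, column):
    """Map an already-validated assertion to one row of the user table."""
    return match_user(extract_user_id(assertion_xml, source), column)
```

Only the identifier travels in the assertion here; `manager` and `department` come from the row that was provisioned separately, which is the split the reply describes.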