servicenow SAML 2 integration
Paul B. Henson
henson at csupomona.edu
Wed Apr 23 19:37:45 EDT 2014
I've been asked to integrate our Shibboleth IdP with ServiceNow. I've seen a few postings regarding this, but would like to clarify a couple of issues.
They want to exchange metadata in an ad hoc fashion, rather than availing of InCommon (always annoying), but the metadata they supply does not include a certificate? They do consume a certificate from my IdP metadata, so can presumably verify the assertions it provides, but with no certificate for their SP, how does the IdP verify a request is actually coming from them and not some random impostor?
One of the integration guides I was looking at said it required a custom RelyingParty configuration in relying-party.xml so the IdP would not try to encrypt assertions; the example config included encryptAssertions="never". However, my current default relying party is configured with encryptAssertions="conditional"; is a separate relying party with an explicit "never" still required, or was that for an older version of the IdP?
Evidently they require a NameID format attribute to join to their internal database. Our current configuration only supplies the transientId and eduPersonTargetedID with such an encoding, neither of which is suitable, so it seems a new special attribute must be defined specifically for ServiceNow that encodes one of our other existing attributes in NameID format? I also read in an older posting that you need to hack the default releaseTransientIdToAnyone policy to explicitly exclude them; is that still true?
Thanks...
--
Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
Operating Systems and Network Analyst | henson at csupomona.edu
California State Polytechnic University | Pomona CA 91768
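As an added illustration of the three pieces of IdP 2.x configuration the questions above touch on (not the poster's own config, and not a claim about what ServiceNow actually requires): a per-SP RelyingParty override, a NameID-encoded attribute, and a filter policy that releases it only to that SP while keeping that SP out of the transientId release. The entityIDs, the uid source attribute, the myLDAP connector and the IdPCredential id are assumed placeholders; the fragments belong inside the usual enclosing elements with their namespace declarations.

```xml
<!-- relying-party.xml fragment: override for one SP (entityIDs assumed) -->
<rp:RelyingParty id="https://servicenow.example.invalid/sp"
                 provider="https://idp.example.invalid/idp/shibboleth"
                 defaultSigningCredentialRef="IdPCredential">
    <!-- With encryption off, the assertion is protected only by the
         signature and the TLS channel, so keep signAssertions="always". -->
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
                             includeAttributeStatement="true"
                             assertionLifetime="PT5M"
                             assertionProxyCount="0"
                             signResponses="never"
                             signAssertions="always"
                             encryptAssertions="never"
                             encryptNameIds="never"/>
</rp:RelyingParty>

<!-- attribute-resolver.xml fragment: an existing attribute (uid, assumed)
     re-encoded as a SAML 2 NameID for this integration -->
<resolver:AttributeDefinition id="serviceNowNameID" xsi:type="ad:Simple"
                              sourceAttributeID="uid">
    <resolver:Dependency ref="myLDAP"/>
    <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID"
        nameFormat="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"/>
</resolver:AttributeDefinition>

<!-- attribute-filter.xml fragment: release the NameID attribute to that
     SP only, so no other relying party receives a second identifier -->
<afp:AttributeFilterPolicy id="serviceNowNameIDPolicy">
    <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterString"
                               value="https://servicenow.example.invalid/sp"/>
    <afp:AttributeRule attributeID="serviceNowNameID">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>

<!-- The exclusion the older posting described: the stock policy's
     basic:ANY requirement rule wrapped in a basic:NOT for this one SP,
     so the IdP has exactly one NameID-encoded attribute to choose from -->
<afp:AttributeFilterPolicy id="releaseTransientIdToAnyone">
    <afp:PolicyRequirementRule xsi:type="basic:NOT">
        <basic:Rule xsi:type="basic:AttributeRequesterString"
                    value="https://servicenow.example.invalid/sp"/>
    </afp:PolicyRequirementRule>
    <afp:AttributeRule attributeID="transientId">
        <afp:PermitValueRule xsi:type="basic:ANY"/>
    </afp:AttributeRule>
</afp:AttributeFilterPolicy>
```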