servicenow SAML 2 integration

Douglas E Engert deengert at
Fri Apr 25 08:37:56 EDT 2014

On 4/24/2014 11:16 AM, Christopher Bongaarts wrote:
> On 4/24/2014 11:08 AM, Cantor, Scott wrote:
>> On 4/24/14, 12:04 PM, "Tom Scavo" <trscavo at> wrote:
>>> Nice tip! Could you accomplish the same thing using entity attributes?
>> No, that IdP version is not pluggable in that code.
> You could use entity attributes for the attribute filter, but not for
> the relying-party.

You could do something like this:


    <!-- attribute-resolver.xml -->
    <!-- Service-Now - wants a nameID taken from sAMAccountName - 05/15/2013 -->
    <!-- Others may want the same thing, so make it generic -->
    <resolver:AttributeDefinition xsi:type="ad:Simple" id="NameIDsAMAccountName" sourceAttributeID="sAMAccountName">
        <resolver:Dependency ref="myLDAP" />
        <!-- encode the value as the SAML 2 NameID rather than as an attribute -->
        <resolver:AttributeEncoder xsi:type="enc:SAML2StringNameID" nameFormat="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" />
    </resolver:AttributeDefinition>


    <!-- attribute-filter.xml -->
    <!-- Some sites (Service-Now) want a NameID to use as a user_name.
         We will release the NameIDsAMAccountName to these sites
         but not the transientId
         - 05/15/2013 -->
    <afp:AttributeFilterPolicy id="releaseNameIDsAMAccountName">
        <!-- policy applies only when the requester's entityID matches this regex -->
        <afp:PolicyRequirementRule xsi:type="basic:AttributeRequesterRegex"
            regex="^https://.*[.]service-now[.]com" />
        <afp:AttributeRule attributeID="NameIDsAMAccountName">
            <afp:PermitValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
        <!-- a deny rule wins over any permit from another policy -->
        <afp:AttributeRule attributeID="transientId">
            <afp:DenyValueRule xsi:type="basic:ANY" />
        </afp:AttributeRule>
    </afp:AttributeFilterPolicy>



  Douglas E. Engert  <DEEngert at>
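
The following is an added, stand-alone model of how the filter policy above behaves; it is not Doug's code and not the Shibboleth IdP's own filter engine. It assumes the IdP's AttributeRequesterRegex compares the regex against the whole entityID (Java matches() semantics, modelled with re.fullmatch), that a hypothetical second policy releases transientId to every SP, and it uses constructed entityIDs and attribute values. It goes beyond the single policy in the post by evaluating several policies together (permit from any, deny from any), and it checks the post's regex against a tighter alternative (an assumption, not something the thread proposes) that pins the service-now.com suffix to the host part of the entityID.

```python
import re
from dataclasses import dataclass, field

# --- Constructed sample data (hypothetical, not real entityIDs or values) ---
SAMPLE_REQUESTERS = [
    "https://acme.service-now.com",              # the intended ServiceNow instance
    "https://sp.example.edu/shibboleth",         # unrelated SP: must not get the NameID
    "https://sp.example.edu/x.service-now.com",  # unrelated host; suffix appears only in its path
]

RESOLVED = {  # what the resolver hands to the filter for one user
    "NameIDsAMAccountName": ["jdoe"],
    "transientId": ["_7c1e2f0a"],  # constructed placeholder value
    "mail": ["jdoe@example.edu"],
}

# Regex copied from the filter policy in the post, plus a tighter alternative
# (assumption) that anchors the suffix to the host part of the entityID.
ORIGINAL_REGEX = r"^https://.*[.]service-now[.]com"
TIGHTER_REGEX = r"^https://[A-Za-z0-9-]+\.service-now\.com(/.*)?$"


@dataclass
class Policy:
    """One afp:AttributeFilterPolicy reduced to its requester regex and its
    basic:ANY permit/deny rules, keyed by attributeID."""
    requester_regex: str
    permit: set = field(default_factory=set)
    deny: set = field(default_factory=set)


def requester_matches(regex: str, requester: str) -> bool:
    """AttributeRequesterRegex: assumes whole-string matching (Java matches()),
    modelled here with re.fullmatch."""
    return re.fullmatch(regex, requester) is not None


def matching_requesters(regex: str, requesters) -> list:
    """Which of the candidate entityIDs a PolicyRequirementRule regex would accept."""
    return [r for r in requesters if requester_matches(regex, r)]


def filter_attributes(policies, requester: str, resolved: dict) -> dict:
    """Apply every policy whose requirement rule matches the requester.
    An attribute is released only if some policy permits it and no policy denies it."""
    permitted, denied = set(), set()
    for policy in policies:
        if requester_matches(policy.requester_regex, requester):
            permitted |= policy.permit
            denied |= policy.deny
    return {a: list(v) for a, v in resolved.items() if a in permitted and a not in denied}


# The post's policy, plus a hypothetical default policy releasing transientId to every SP.
RELEASE_NAMEID_TO_SERVICENOW = Policy(ORIGINAL_REGEX,
                                      permit={"NameIDsAMAccountName"}, deny={"transientId"})
RELEASE_TRANSIENT_TO_ALL = Policy(r".*", permit={"transientId"})
POLICIES = [RELEASE_TRANSIENT_TO_ALL, RELEASE_NAMEID_TO_SERVICENOW]

if __name__ == "__main__":
    for r in SAMPLE_REQUESTERS:
        print(r, "->", filter_attributes(POLICIES, r, RESOLVED))
    print("matched by the post's regex but not the tighter one:",
          sorted(set(matching_requesters(ORIGINAL_REGEX, SAMPLE_REQUESTERS))
                 - set(matching_requesters(TIGHTER_REGEX, SAMPLE_REQUESTERS))))
```

Running it shows the ServiceNow instance receiving only NameIDsAMAccountName (the deny rule removes transientId even though the default policy permits it), the unrelated SP receiving only transientId, and the third entityID matching the post's regex because `.*` lets the `.service-now.com` suffix sit in the path of a different host. Since a requester's entityID has to be present in metadata the IdP trusts, the exposure is bounded by that metadata, but anchoring the suffix to the host costs nothing and keeps the policy's intent explicit.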
