ServiceNow: Deploying Forcepoint ONE SSE as a SAML IdP

Instructions to setup the ServiceNow app in the Forcepoint ONE SSE portal.

1. First start in your ServiceNow instance portal. You will first need to install the Multiple Provider Single Sign-On Installer plug-in in order to use SSO with ServiceNow. Begin by searching for plugins in the left column and selecting theplugins option under System Definition.
2. In the main screen, you can now search for Multiple Provider Single Sign-On. Install the 2nd option titled Integration - Multiple Provider Single Sign-On Installer (without the Enhanced UI).
   
   
   
3. Now we can switch over to the Forcepoint ONE SSE admin portal and start by adding ServiceNow. Under Protect > Add Apps > Managed Apps, select ServiceNow as the application you wish to add.
   
   
   
4. In the instance dialog, fill out the info as follows:
   1. Provide a name for the instance, and select the domains you wish to add.
   2. Enter the ServiceNow URL in the Instance Name field below.
   3. Enable SAML SSO so we can start to configure the SSO settings. Leave the SAML NameID set to Email as you will be using emails for authentication. Click Ok and then click Save on the application settings page:
      
      
      
      
      
5. Select App SSO: Setup to configure the SSO settings inside of Forcepoint ONE SSE. You will see that the majority of the SSO information is filled out for you. You will need to make some minor setting changes:
   
   
   
   1. Change Single Logout Binding to Post.
   2. Change the NameID field to user.Email.
   3. Check the boxes to Force IdP Authentication and Redirect to URL in RelayState down at the bottom.
   4. Once you are done click Save.
      
      
      
6. Go back to the Protect > Policies page and set ServiceNow to Direct App Access under the Action Column before proceeding to the next steps. Direct Access is required in order to successfully authenticate the SSO setup inside of ServiceNow, applications will not be able to authenticate the setup if you are sending them through the reverse proxy. Once you are done with the full setup, you can then adjust your policy as needed.
   
   
   
7. Now we can navigate back to the ServiceNow setting page and select Setup Web SSO to find the SSO settings we will need to input into ServiceNow.
   
   
   
   1. Download the IdP metadta XML in Option 1 and save it for later (we will upload this into ServiceNow).
   2. In another browser window go back to your ServiceNow admin portal and search for SSO in the left column and then select Identity Providers and click New in the top bar to create a new IdP setup.
      
      
      
      
      
   3. In the Import Identity Provider Metadata dialog select XML and then open up the metadata XML file we downloaded above in step a inside of a text editor and copy the contents and paste it here. Click Import when you're done.
      
      
      
   4. On the Identity Provider page you will see the SSO information configured for you. The only changes you will need to make is select the Default checkbox at the top and then check the box for Encrypt Assertion at the bottom under the Encryption and Signing tab. All other settings can remain default. Click Test Connection in the top right corner.
      
      
      
   5. When you click Test Connection you will be prompted to login with your ServiceNow admin account. Do so and then you should see the test results page summary. Click Activate at the bottom of this page.
      
      
      
      
      
8. With your SSO settings now Active, go to Multi Provider SSO > Administration > Properties in the left column and check Yes for each available option presented. ClickSave when you are done.
   
   
   
9. You have now completed your setup. You can navigate back to your Forcepoint ONE SSE admin portal page and setup or test your policies. Refer to the Configuring proxy policy actions to learn more about available policy actions you can configure.

   As a test example, you can set your policy back to Secure App Access and try to login to ServiceNow and see that it redirects you to Forcepoint ONE SSE (or your IdP) for authentication and then routes you through the proxy (notice the rewritten URL in the second screenshot).