Integrating IdentityIQ with Your ServiceNow Service Catalog

Integrating IdentityIQ with Your ServiceNow Service Catalog

SailPoint’s ServiceNow Service Portal Integration for IdentityIQ enables SailPoint customers who also use ServiceNow to request and manage access through the Service Catalog – following a familiar workflow for a more seamless experience.

The ServiceNow Service Portal Integration for IdentityNow and IdentityIQ are separate ServiceNow apps available in the ServiceNow store.

What’s New?

  • Integrating IdentityIQ with ServiceNow Service Catalog is now available in an online format with improved navigation and search. 
  • Starting in 2020, SailPoint ServiceNow apps will be distributed exclusively via the ServiceNow store. We’ve streamlined the process so you can install and deploy our apps more easily, following a process that’s familiar to ServiceNow users.
  • Access approvals are now handled by ServiceNow—and securely communicated to your SailPoint platform—so you don’t have to interrupt your workflow and leave the ServiceNow platform.

PREREQUISITES:

  • A supported SailPoint platform: an installation of IdentityIQ that you are authorised to access as an Administrator and supported by SailPoint.

  • A supported version of ServiceNow that you are authorized to access as an Administrator.

  • A source of ServiceNow accounts that SailPoint can load account information from, so each account can be associated with an identity, and access for each identity can be governed.

Please refer to this page for supported versions of SailPoint and ServiceNow.

See the attached guide for instructions on integrating ServiceNow Service Catalog with IdentityIQ.


The attached .zip file contains the IdentityIQ server components referenced in the instructions for the IdentityIQ integration. The files listed under IIQ V8.1 will also work for IIQ V8.2.

*To avoid null pointer exception, we recommend using the latest IdentityIQ for Service Catalog app from ServiceNow and the IIQ plugin zip file in the attachments below.

Attachments
Comments

@john_elton , any updates on the below module? 

--We have identified the need for additional enhancement to better support identities with multiple accounts on the same target system and will evaluate this need for potential inclusion in a future update to the IdentityIQ for Service Catalog integration.

@rahuls5 - did you get any more info on your question "Do we have only default manager approval level configured at SNOW or is it possible to configure it as per the requirement?"

Thank you,

Shail

does the servicenow catalog integration support IdentityIQ scoping rules? we did some testing and thought yes it did, but now its not working!

Does ServiceNow service catalog integration provides capability to create identities in target system like Active Directory or database ?

Thanks.

 

 

 

 

On the Service Now side the latest catalog version released is 2.4.7. Currently the latest version of the SNOW catalog on the SailPoint side code is 2.4.4. I have been told by SailPoint support the two versions are compatible. Note that not all versions are compatible (SNOW side 2.4.4 and SailPoint side 2.4.1 will cause NPEs).

@accentureMark I have confirmed that the latest app v2.4.7 is compatible with the IIQ plugin v2.4.4. I have added an update to this post with a recommendation to use app v2.4.7 with the plugin v2.4.4 zip file to avoid null pointer exception. Thank you.

Is is possible to elaborate this prerequisite:


A source of ServiceNow accounts that SailPoint can load account information from, so each account can be associated with an identity, and access for each identity can be governed.

What is the actual requirement here? Is it sufficient for identities to simply "match" (based on identity attributes specified in the SNow configuration page) or is it more? Is the ServiceNow Connector required, and if so, do identities simply need to be correlated (like, have a link), or more than that?

regards
David

Does the v2.4.11 release still require the custom JAR? It is no longer mentioned in the documentation, but is still present in the artefact ZIP.

@john_elton Can you Please help us, we are trying to configure IdentityIQ Integration with serviceNow using ServiceNow Service Catalog approach in IdentityIQ Version 8.1. But the catalog update which is required to do this integration is not available at below path 'C:\IIQ Installation\identityiq-8.1\integration' in 8.1 IdentityIQ Version, No folder is available for 'servicenow' which contains this update set. but in 8.0 version it is present under the path 'C:\IIQ Installation\identityiq-8.0\integration\servicenow\iiqIntegration-ServiceNow.zip\ServiceCatalogUpdateSet'. 

I can understand with the above post that ServiceNow Service Catalog approach is supported after 7.3 and hence in 8.1 version also.

Could you Please let us know why this update set is not present in 8.1 zip file, if this approach is supported , please share that update set for 8.1 version with us.

Thank You!

I have a question about Catalog integration.  We are using 8.0 P3 in one of our clients, we have forms created to onboard consultants within IdentityIQ.  Now when we integrate IdentityIQ and ServiceNow catalog, can the Consultant onboarding form be accessible within ServiceNow so that users can submit the form and once submitted, IdentityIQ provisions the identity?

Thank you

Naveen

Custom forms are currently not supported in the Service Catalog however we are looking to address this as part of our “extensibility” roadmap item sometime in Q4.


Regards,

Upcoming out of office notice: September 23rd, Thursday – September 24th, Friday

Joey Lee
Senior Product Manager
[https://i.xink.io/Images/Get/N9791/s4.png]<>
joey.lee@sailpoint.com
Join the #SailPointCrew<>

[https://i.xink.io/Images/Get/N9791/s9.jpg]<>

Do we have to update all the components on IIQ side when we update the app version in SNOW?

It appears to SNOW Catalog integration makes all entitlements requestable by default.  Is there a way to configure to leverage the IIQ entitlement catalog which is restricting what we want to be requestable?

Echoing @davidloone comment on v2.4.11 documentation.  When comparing to v2.4.1 of the doc, it seems the Prerequisite portion of the "Configuring SailPoint for Integration" section was moved to the beginning of the doc with the rest of SailPoint configuration content removed. Without referencing v2.4.1, which is no longer posted here, there are significant gaps which make the user rely on assumptions and reverse engineering.

Can we assume the missing content is still applicable? 

I suggest having a technical writer review the documentation from the perspective of someone performing this integration for the first time and edit accordingly.

vb1

We are looking to integrate ServiceNow Paris with SailPoint IIQ 8.0P3 as part of ServiceNow Catalog integration. Based on the post made by @joey_lee on July 15, it appears ServiceNow app 2.4.7 is compatible with IIQ plugin v2.4.4. I am finding documentation (PDF) for v2.4.4 and unable to find it. Would someone share the link to the PDF.

Thanks for the help

vb1

@joey_lee , @kelly_wells , @john_elton - Kindly suggest insights on below

 

We are looking to integrate ServiceNow Paris with SailPoint IIQ 8.0P3 as part of ServiceNow Catalog integration. Based on the post made by @joey_lee on July 15, it appears ServiceNow app 2.4.7 is compatible with IIQ plugin v2.4.4 (without Null Pointer Exception). I am unable to find plugin downloads and documentation (PDF) for v2.4.4.  Please share the link to the PDF and software ZIP. Appreciate the help.

Thank you.

 

We discovered that ServiceNow does not support Scoping of Roles. That means all available "Business Roles" are visible to the ServiceNow User compare to Manage Access -> Manage User Access in IdentityIQ where it is possible to limit the Roles a Requestor can see based on the Scope of the Business Roles.

Is it necessary to configure Scoping using Gear Icon -> Global Settings -> Quicklink Populations for a special "ServiceNow" population that does not exist by default or is Scoping in ServiceNow currently not available?

There is nothing mentioned in the Connector Documentation https://community.sailpoint.com/t5/Connector-Directory/Integrating-IdentityIQ-with-Your-ServiceNow-S...

The user @phebe_waterfield mentioned a similar problem here https://community.sailpoint.com/t5/Connector-Directory/Integrating-IdentityIQ-with-Your-ServiceNow-S... 

We never got any confirmation that it was not supported, but it doesn't seem to be. We used advanced policy to meet our requirements instead.



**********************************************************************
The information in this email is confidential and may be legally privileged. It is intended solely for the addressee. Access to this email by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, distribution or any action taken or omitted to be taken in reliance on it, is prohibited and may be unlawful. When addressed to our clients any opinions or advice contained in this email are subject to the terms and conditions expressed in the governing KPMG client engagement letter.
***********************************************************************

@phebe_waterfield thanks for the info. Is "Advanced Policy" a ServiceNow feature?

vb1

We integrated IdentityIQ 8.0 with ServiceNow Paris version for the ServiceNow Service Catalog integration. With the OOTB integration, we have below questions.  Has anyone have similar questions and whether it is supported OOTB or does it require customization that is supported

1. On home page, is there a way to display the items as list instead of tiles.
2. Can the look and feel (css and color standards).
3. Can description be added to the results from the search.
4. What fields are searched when performing a keyword search via search access field.
5. Can the results be extended to more than three rows? Currently, it shows in 3 rows and we have to go to next page for next set of groups.

In addition, @kelly_wells , @joey_lee - Kindly share insights. 

Hello @john_elton  We are migrating SailPoint IIQ application from 7.3P4 to 8.1P3 and moving Integrationconfig based ServiceNow to application based integration as mentioned in https://community.sailpoint.com/t5/IdentityIQ-Connectors/IT-Service-Management-Infrastructure-Module...

We are currently leveraging only "SailPoint for Service Desk" module where user submits access request in SailPoint IIQ as the front end, approvals are handled within IIQ and ServiceNow Incidents are created.   If user selects multiple entitlements of different applications, the keys multipleTicket and groupTicketBy are used to create Incidents per “Application” , however it looks like these keys are not supported with the application based integration.  What are the current options available to create "incident" ticket type per application instead of user as the ServiceNow incident handling team is different for each application.

What is supportability of the solution for 8.2 version of IIQ?

In last files (2.4.17) highest explicitly mentioned version is 8.1, are files applicable for 8.2 as well?

Hi @john_elton 
We have a requirement to integrate SailPoint with ServiceNow Service Desk Integration to create service requests for disconnected aplications.

We are working on SailPoint IIQ 8.1 patch 2 and ServiceNow version is Rome. For that Is it mandatory to configure the IdentityIQforServiceNowCatalog_IIQComponents_v2.4.17 /IIQ V8.1 objects mentioned as an attachment in this article?

Hi,

IdentityIQforServiceNowCatalog_IIQComponents_v2.4.17 will support the IIQ 8.2 P1 ?

HI @talbright did you find a solution for your question? All the entitlements/roles are requestable and there is no way to change it?

Hi @nibanez I did not as of yet. 

On IIQ 8.1p2, when importing: IIQ V8.1\Workflow\SP_SPNT_SNOW_INT_AutoApproveServiceNowRequest.xml

I'm getting:

java.lang.RuntimeException: Line: 147 Column:38: The entity name must immediately follow the '&' in the entity reference.
2022-02-02T17:28:51,121 ERROR main sailpoint.tools.Console:556 - Line: 147 Column:38: The entity name must immediately follow the '&' in the entity reference.
java.lang.RuntimeException: Line: 147 Column:38: The entity name must immediately follow the '&' in the entity reference.
at sailpoint.tools.XmlParser.parse(XmlParser.java:361) ~[identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at sailpoint.tools.XmlUtil.parse(XmlUtil.java:92) ~[identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at sailpoint.server.Importer.importXml(Importer.java:376) ~[identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at sailpoint.server.Importer.importXml(Importer.java:332) ~[identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at sailpoint.server.SailPointConsole.cmdImport(SailPointConsole.java:2006) ~[identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at sailpoint.tools.Console.callMethod(Console.java:871) ~[identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at sailpoint.tools.Console.executeCommand(Console.java:605) ~[identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at sailpoint.tools.Console.doCommand(Console.java:548) [identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at sailpoint.tools.Console.interactiveCommand(Console.java:416) [identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at sailpoint.tools.Console.interactiveConsole(Console.java:356) [identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at sailpoint.tools.Console.run(Console.java:91) [identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at sailpoint.server.SailPointConsole.run(SailPointConsole.java:675) [identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at sailpoint.server.SailPointConsole.main(SailPointConsole.java:598) [identityiq.jar:8.1 Build 573234b5be3-20201216-122000]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) ~[?:?]
at jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62) ~[?:?]
at jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) ~[?:?]
at java.lang.reflect.Method.invoke(Method.java:566) ~[?:?]
at sailpoint.launch.Launcher.main(Launcher.java:247) [identityiq.jar:8.1 Build 573234b5be3-20201216-122000]

Hi @trevorg

The same thing happened to me, you have to search inside the file and look for all the & and you will see that there are several "& amp;" you have to remove the space there, you will be left with "&amp;".

@davidloone , I'm stuck with same question you have. Did you manage to get what the pre-requisite mean?  (

  • A source of ServiceNow accounts that SailPoint can load account information from, so each account can be associated with an identity, and access for each identity can be governed.

). Please help me with the details if you know

@sangavay the answer is that there is no formal requirement for ServiceNow Governance Connector. The identities in ServiceNow simply need to match using the named identity attributes, and have appropriate manager attributes (for the approval flow).

@john_elton  Is there an optimal way to present users in ServiceNow interface with form to fill additional parameters for certain application requests during submission as in the case of native IIQ UI?

As of now with this IIQ for ServiceNow catalog integration app, the requests fails if there is a mandatory parameter required as part of provisioning without presenting an option to the user.

How to restrict the role types in 2.4.20 version? Its not working even though we specified in the SailPoint Identity IQ Role Types. Also, the filter option is not working as expected. Anything that we need to enable separately?

 

 

Hi,

Do we need to request for a separate license for integrating IdentityIQ with ServiceNow Service Catalog? Also, is there any documentation available for integration with IdentityIQ 8.2?

Please let me know if there are any details around this.

Thank you!

@kelly_wells  @joey_lee @drosenbauer @john_elton 

I have setup Catalog in my DEV environment and just started testing and realized processing speed is too slow after submitting an access request. I remember reading about improving the speed but cannot find that article anymore, request to help me with this issue please.

Hi Team, Is any facing the similar issue, I am seeing this after placing the request in service now.

 

Typed variable declaration : Class: HttpClient not found in namespace : at Line: 146 : in file: inline evaluation of: `` import sailpoint.object.IdentityRequest; import sailpoint.api.SailPoint . . . '' : HttpClient

SP_SPNT_SNOW_INT_ServiceNow_Task_Rule.

Thanks in advance,

Revanth.

Version history
Revision #:
64 of 64
Last update:
Wednesday
Updated by: