Integrating IdentityIQ with your ServiceNow Service Catalog

Integrating IdentityIQ with your ServiceNow Service Catalog

SailPoint’s ServiceNow Service Portal Integration for IdentityIQ enables SailPoint customers who also use ServiceNow to request and manage access through the Service Catalog – following a familiar workflow for a more seamless experience.

The ServiceNow Service Portal Integration for IdentityNow and IdentityIQ are separate ServiceNow apps available in the ServiceNow store.

 

What’s New?

SailPoint’s ServiceNow Catalog App for IdentityIQ Store Version: 2.4.22 has now been certified compatible for the latest version of ServiceNow Utah.

This is in addition to “SailPoint for Service Desk” Store Version 1.0.8 and “SailPoint Identity Governance Connector” Store Version 1.0.6 which were already certified for Utah version of ServiceNow.

Thus, customers using latest version of SailPoint apps do not require any changes while upgrading to Utah.

  • Version 2.4.22
    • Separation of Duty (SoD) Hard and Soft checks
      • Ability to configure at Admin level for checking for SoD violations. Hard Check will not allow to submit while Soft check will allow to submit with a warning.
    • Search engine performance and scalability improvements
      • Introduce pagination to retrieve data for faster fetching of records.
    • Stabilization and bug-fixes
      • Improvement in user experience while searching and reviewing results search and display usability.
      • Improvement and fixing issues in User Interface and User Experience.
  • Integrating IdentityIQ with ServiceNow Service Catalog is now available in an online format with improved navigation and search.
  • Starting in 2020, SailPoint ServiceNow apps will be distributed exclusively via the ServiceNow store. We’ve streamlined the process so you can install and deploy our apps more easily, following a process that’s familiar to ServiceNow users.
  • Access approvals are now handled by ServiceNow—and securely communicated to your SailPoint platform—so you don’t have to interrupt your workflow and leave the ServiceNow platform.

 

Prerequisites:

  • A supported SailPoint platform: an installation of IdentityIQ that you are authorised to access as an Administrator and supported by SailPoint.

  • A supported version of ServiceNow that you are authorized to access as an Administrator.

  • A source of ServiceNow accounts that SailPoint can load account information from, so each account can be associated with an identity, and access for each identity can be governed.

 

Please refer to this page for supported versions of SailPoint and ServiceNow.

See the attached guide for instructions on integrating ServiceNow Service Catalog with IdentityIQ.

 

The attached .zip file contains the IdentityIQ server components referenced in the instructions for the IdentityIQ integration. The files listed under IIQ v8.1 will also work for IIQ v8.2.

*To avoid null pointer exception, we recommend using the latest IdentityIQ for Service Catalog app from ServiceNow and the IIQ plugin zip file in the attachments below.

Labels (1)
Attachments
Comments

Can these components be persistently customized? Previous versions of these ServiceNow integrations advised customizing the ServiceNow components in some cases.

Hi @drosenbauer – Thank you for the question.

The new SailPoint for Service Catalog integrations offer increased support for a number of functionalities that users have requested in the past such as out-of-the-box support for approvals in ServiceNow. If there are additional capabilities you are looking for, we'd like to hear from you about how we can further improve the integration to meet your requirements in order to identify the best SailPoint team to help you achieve your ServiceNow integration needs.

 

Hello, 

Is there a way we can generate service now ticket per application instead per user? Default implementation generates ticket for each user.

Example: If there are 10 user in 2 application (5 each) certification, service now could only create 2 tickets for 2 application with 5 users in each ticket per application.

Regards,

Amol

 

Hi @amolawari1, thank you for the feedback and suggestion. The SailPoint Service Catalog apps only offer the ability to create a single REQ per user per session. We're very eager to understand the challenges you face with creating a ticket per user versus a ticket per application. I'll reach out for a more direct discussion.

The ServiceNow Service Desk IntegrationConfig based module is now deprecated in 8.0p2.

The ServiceNow Service Desk Integration Module now supports the ServiceNow Orlando release. is this in chapter 4 in SailPoint Integration Guide version 8.0.2? 

we are currently on 8.0p1 using <IntegrationConfig executor="sailpoint.integration.servicenow.ServiceNowIntegrationExecutor" ServiceNowServiceIntegrationModule  to create tickets on access request  , so once we move to 8.0p2 this will not work correct?

Hi @aneesh_paulServiceNow Service Desk IntegrationConfig based module is now deprecated in 8.0p2, but for existing customers, they can continue to usee it in 8.0p2 as well. We encourage you to look for the new ServiceNow ServiceDesk integration module which is being released in 8.0p2 and RestAPI based. You will be having ample time window for this transition and for further details can contact your SailPoint CSM  team.

ServiceNow Orlando release support is for the new ServiceDesk integration module only released in 8.0p2 and not for the old IntegrationConfig based module.

Regards,
Murali

Hi,

Currently, we are in 8.0p2 and we have a requirement

1. When user changes from one department to another we need to generate certification to his Manager. During this process we need to open a ticket in ServiceNow. Manager will take action from the Servicenow, once manager approve/reject in Servicenow provisioning should happen from the Sailpoint. May I know how exactly it can be done and what integration will help in this process?

2. User will request entitlements from the ServiceNow, provisioning need to happen from the Sailpoint. how to achieve? We configured ServiceNow catalog v2 in the ServiceNow. Apart from the endpoints do we need to import any files in Sailpoint or ServiceNow?

Hi,

If an identity has more than one account on application we are not seeing any option on Servicenow side to select which account to provision to ( Similar to account selector in IIQ). How to select the account? Sailpoint seems to pick one of the accounts to provision on its own as of now?

Good day

We are currently testing Paris in ServiceNow. We have SailPoint Service Integration Module installed. If I read this correctly, I have to completely uninstall this, then download the plugins from the ServiceNow store and start all over. Is that correct?

Regards

Scott

Hi @sarthak_chawla_87 , did you get any information on your question, we landed on same situation.

Also, in ServiceNow manage access page, we could see only entitlements and business roles. IT roles and custom roles the we have doesn't show up.

Hi @sangehr, this article is concerning IdentityIQ and IdentityNow for Service Catalog integrations. Your question appears to be about an older version of the SailPoint for Service Desk integration.

Assuming this is correct, then yes you will need to remove the old IntegrationConfig based module as it was deprecated in 8.0p2 and will not be certified for ServiceNow Paris. We encourage you to look for the new ServiceNow ServiceDesk integration module which is was released in 8.0p2 and leverages modern ServiceNow Rest APIs.

If I have misunderstood your question, please reach out for additional assistance.

Regards,

John Elton

Hi @sarthak_chawla_87 and @mvdarlanka, thank you both for your questions concerning the IdentityIQ for Service Catalog integration. Support for multiple accounts tied to a single identify is currently supportable through the integration by having account specific roles available to select. We have identified the need for additional enhancement to better support identities with multiple accounts on the same target system and will evaluate this need for potential inclusion in a future update to the IdentityIQ for Service Catalog integration.

 

Regards,

John Elton

Hi @mvdarlanka, thank you for your question concerning role visibility in the IdentityIQ for Service Catalog integration. IT and business roles that have been marked as being requestable in IdentityIQ should be showing up in the IdentityIQ for Service Catalog integration app on ServiceNow. Support for custom roles is currently under investigation as a possible addition the IdentityIQ for Service Catalog integration roadmap.

Regards,

John Elton

@mvdarlanka  As mentioned by @john_elton  there isn't really a way to get the account selector as of now. 

Hi

Is this doc "ServiceNow Catalog Integration for IIQ_6_23_20.pdf" valid for IIQ 8.0.1?

Hi @mrodrigues

Yes, please note that the relevant prerequisite listed above:

  • A supported SailPoint platform: either an instance of an IdentityNow org with Access Requests enabled, or an installation of IdentityIQ (version 7.3 or later) that you are authorized to access as an Administrator.

Hi @john_elton ,

 

Thank you for providing the support over SNOW integration. I have a different requirement. 

The requirement is, if an identity has 1 or more accounts of different applications is there any possible way to get a single service now ticket on termination of that identity?

Does this work for 8.1p1 as well? The rest jars only go up to 8.0, so I'm curious. It says 7.3 or later, so I would assume so but want to check!

Hello,

I'm currently integrating Service-Now(Version - New York) Portal Integration with IIQ v7.3. I managed to configure the Portal UI and the request items are getting raised in Service-Now and IIQ provisioning is working as expected. But even after IdentityRequest item completes as expected the state of the RequestItem in Service-Now is not getting updated. I ran the Task SP-SPNT-SNOW-INT-ServiceNow-Update-RITM-Status but still the state of the Request Item did not changed even after getting 200 response from Service-Now end points. As a result the Request Item State in Service-Now stuck in "Work in Progress". 

Did anyone else face this issue and what could be a potential fix for this?

 

Regards,

Ankan

@john_elton @dipakroy_p72 @anuj_tyagi 

Dear John,

 

We have few questions about the Service Catalog Module for SailPoint. We are with ServiceNow Orlando and SailPoint IIQ 8.0 P2.

1) ServiceNow Manage Access Request - Once request is submitted, it generates the REQ/RITM on SNOW side, but do not create IdentityRequest on SP IIQ side. Any idea why the Initial Manager Approval/First Level Approval in ServiceNow does not create an approval items on IIQ side?

2) Interactions on IIQ side (approvals - Manager, Entitlement Owner, Application Owner etc) is not reflecting on ServiceNow side. It shows Fulfillment waiting on SailPoint and doesn't have visibility to the approvals on IIQ side

3) Can we have flexibility to approve either on SNOW side or SP IIQ side? And approvals will be visible on both sides? (with Service Catalog Module)

Hi,

We have ServiceNow integrated with ADFS (SAML federation).

We tried the integration but it doesn't work. Any hints on this ?

regards, Roberto

@Ronk0  - We have SAML setup as well and it works for us when we route the URL directly to one of our servers, instead of URL. Not sure if that matters. They ID also needs additional capabilities in IIQ. So I would validate that they have that access.

Hi amy_trisko,

We are reviewing with ServiceNow teams. thanks for your suggestions.

Roberto

@john_elton -

 

Is it possible to modify the SP_SPNT_SNOW_INT_CreateSailpointAccessRequest workflow? We are trying to take out the default manager approval and have created a separate workflow but I don't now where to make an update to use our new workflow instead of the OOTB one.

 

@pmc_securian 

Hi Ankan,

We are on IIQ 8.0 p3 and we found similar issue.

Did you found a fix to solve this now ?

regards, Roberto

@Ronk0 

 

Hi Roberto,

I managed to fix that with SailPoint Support. You need to fix ACLs in your Service-Now environment so that you can update the RITM. I'll suggest get the necessary ACLs and Roles assigned to x_sap_integration.user role shiped with the Service-Now plugin.

 

Regards,

Ankan

@Ankan_Karmakar 

 

Hi Ankan, thanks for your input.

We are reviewing the necessary ACLs and Roles assigned to x_sap_integration.user role.

 

Regards, Roberto

 

Hi Ankan,

At the end we were able to fix ACLs and Roles assigned to x_sap_integration.user.

Thanks for your input,

Roberto

@anustup_paul ,

1) because the wokflow they develop dont create the AR until the manager approved on the  sn side

2) Because this its not developed at all . 

3)No , they do not develope anything . Neither to say that not even teh account correlation works . 

 

 

Hey @john_elton and @kelly_wells 

You guys should update  the setup configuration or put a note on it .

 

If you're using custom attributes for correlationg you need to put "attributes.NameOfTheAttribute" , if not , it's not going to work . 

 

what regard the workflow , you should also say it respects the IDN approvers.

 

regards

Hi iobeidi,

 

Thank you for the feedback. I'll be reaching out directly to discuss this in more depth.

 

Best Regards,

John Elton, Senior Product Manager at SailPoint

Hi

I'm trying to see if I can have just a Catalog Item, which integrates with IdentityIQ and let's the user request roles defined in IIQ. I don't want any new items on the portals landing page since we have customized it. So is the Catalog Item that comes with the App depending on something else, or can it be used independently as any other Catalog Item in our portal?

Hi,

Finally the partner was able to place the pieces to complete the puzzle

At the moment,the integration works in this ways:

1.  A user logon to Snow and open a Service Request (provided bu the add-on) to add/remove a role or a grant managed by Sailpoint on a specific target. 

2. A user must logon to Sailpoint web interface and approve this change.

3. Sailpoint updates the identity warehouse based on action taken on point 2.

*** BUT NOTHING REALLY HAPPEN AT THE TARGET SYSTEM WITOUTH RUNINNG AN IDENTITY REFRESH ... so ***

4. A user must go to Task , select the Identity Refresh and propagate changes downstream to the target ...

so, for UX side

- first user go to Snow to open a ticket

- second user one go to to Sailpoint and approve it

- thrid user go and run the task to get the thinghs finally done !

This doesn't make sense in a real word to !

AT least if you don't want to get people really upset, and I don't want mine colleagues to get in this state. 

Anyone as solved this ? Basically run step 4 AUTOMATICALLY after step 3 !

 

regards, Roberto

Hi @mortenSNOW,

The IdentityIQ for Service Catalog integration is built to provide a more comprehensive experience than just requests out of the ServiceNow Service Catalog by leveraging the existing configuration on IdentityIQ to provide the ability to request roles and entitlements without having to configure each application individually in the ServiceNow Service Catalog. In addition, the app also provides options for sunrise/sunset requests and separation of duty checks at the time of the request. This functionality is enabled by the use of the SailPoint app. While there are other options for triggering direct requests for individual catalog items from within ServiceNow, we feel strongly that the app best serves the self-service use case that it was designed for. If you would like to discuss more about the future of the integration and how we are working to deliver against your use case as well, let your SailPoint Customer Success Manager know.

Best Regards,

John Elton, Senior Product Manager at SailPoint

Hi @Ronk0,

The Service Catalog integration is designed to automate the request out of ServiceNow and update the ticket status in ServiceNow as the request is fulfilled. Based on the description you've provided, I recommend opening a support ticket to validate that your implementation is working as intended.

Best Regards,

John Elton, Senior Product Manager at SailPoint

Hi @john_elton 

Thanks for your reply.

I already open a ticket at Support. The answer is that this is a something that could be achieved involving SP Professional Services.

This is not what was expected by us, because none mentioned this extra $$$ to complete the integration.

I will raise up the ticket.

best regards, Roberto 

Hi @Ronk0

I would like to learn more about your specific use case. I will reach out through your customer success manager to set up a call.

Best Regards,

John Elton, Senior Product Manager at SailPoint

Hi @Ronk0 

You can modify the workflow that processes the request and approvals (i.e. LCM Provisioning) to add a step to run the task automatically if the request has been approved. Either that or schedule that task to run more frequently so that there is a shorter delay in processing.

Here is more info on how to do that:
https://community.sailpoint.com/t5/IdentityIQ-Wiki/Running-a-Task-from-a-Rule-or-Workflow/ta-p/71547

Hope this helps.

Hi @john_elton , @kaveh_ahmadian 

Thanks for the replies.

We are quite busy on other streams to complete before end-of-year.

Shortly after, I will check suggestions.

regards, Roberto

Hi @kelly_wells 

The link to identityiqforservicenowcatalog_iiqcomponents_v2.3.zip/ doesn't appear to be matched with any file. Could someone please check and confirm?

Hi @dklaassen - We're sorry for the frustration and we thank you for bringing this issue to our attention. The download link for the zip file should work now.

 

Best Regards,

John Elton, Senior Product Manager at SailPoint

Second confirm on dklaassen that the documentation for http://identityiqforservicenowcatalog_iiqcomponents_v2.3.zip/' does not resolve for a download. Can it be reset for download or is it different from linked data on ServiceNow's Store

@stvcornett It looks like you are attempting to convert the actual .zip download into a URL, which will not work. 

Please click the download icon that is provided (after the file name) in the Attachments section above, as that appears to working correctly.

If you hover over that icon with your mouse, you can see the actual path to the .zip file.

 

Thx Kelly - I did and I'm seeing the 'Failed no file error' (see shot below). 

 

However - your link works!

 

Thx for responding

 

stvcornett_0-1610720275268.png

 

Hello,

As we are trying to implement LifeCycle Management in IdentityIQ and as a part of requirements we would like to integrate with ServiceNow for UI i.e submitting requests in ServiceNow which would trigger workflows in IIQ. I see that there are few options available for integration with SNOW's Service Catalog to leverage Manage User Access.
We are also interested in the following:
If the custom forms or quicklinks developed in IIQ can be accessed from SNOW.
If Role Management can done using SNOW's Service Catalog.
How does the approval process work - i.e will the workitems generated in IIQ can be accessed in SNOW.
Can Advanced Analytics can be leveraged in SNOW.
Can the Identity Warehouse be leveraged in SNOW.
Can the Entitlement Catalog be leveraged in SNOW.
How does the Workgroup management be a part of SNOW i.e if we want a specific workgroup to be a part of approvers for certain request.

Thanks,
Manoj

Is there a way to verify if the Load demo data option was checked during installation? How can I check the endpoint data is loaded?

Thank you!

@mescobar - Thank you for your interest. High level, the answer is that you'd have to manually validate the individual settings that are configured when demo data is loaded. I am confirming this answer right now and will come back here with an update.

The required installation step to Load demo data creates “links” data. After installation, this data can be checked by follwing the following steps:

  1. Log in to the ServiceNow Portal using valid Administrator credentials.
  2. Navigate to SailPoint IdentityIQ for Service Catalog > IdentityIQ Links.
  3. Make sure the links (REST Endpoints) are loaded.

image004.jpg

If the links are loaded, then the installation is good. If the links data is empty then it means that during the installation the “Load demo data” option is not selected.

Hi,

Can you please clarify below items:

-Is it possible to access custom quicklink & forms developed at SailPoint using catalog integration?

-Or can we customize the request access form as per the requirement?

-Do we have only default manager approval level configured at SNOW or is it possible to configure it as per the requirement?

 

Thanks in advance.

Regards,

Rahul

 

Sailpoint recommends a mid server to assist with this integration.  Since our IIQ installation is in house does the mid server need to be accessible externally to Service-Now can communicate with it?

Hi @kevin_rock , thank you for your question and interest. The section Configuring ServiceNow that begins on Page 4 of the ServiceNow Catalog Integration for IIQ_v2.3 guide provides links to the ServiceNow page covering Best Practices for MID Server setup and tuning. ServiceNow's best practices guide says

Security: Communication between the MID Server and the ServiceNow instance is always initiated by the MID Server. That lets you locate your MID Servers inside secure zones without the need to open up security rules to allow access from outside.

SailPoint recommends familiarity with the ServiceNow MID Server component since it is a prerequisite for the app to maintain connection with IdentityIQ through the ServiceNow MID Server.

 

Best Regards,

John Elton

Senior Product Manager, Connectivity

SailPoint Product Management

Version history
Revision #:
70 of 70
Last update:
‎Apr 09, 2023 11:46 PM
Updated by: