Azure B2C and ServiceNow Integration
Azure Business to Consumer (B2C) provides a self-service user management tool, which applications can authenticate to using OpenID Connect or (with config files) SAML. Users can in turn authenticate using third party social providers like Google, Facebook or any other service that supports OpenID Connect. Authenticating users against a corporate Azure Active Directory (Azure AD) requires using OpenID Connect.
As ServiceNow supports OpenID Connect to authenticate users it can use Azure B2C for supporting user self sign-up and third party social providers.
This tutorial provides the steps to set up a new Azure B2C tenant and ServiceNow connection using the Multi SSO plugin.
Azure
In Azure Portal create a new Azure Active Directory B2C resource:
Create a new B2C tenant (if you do not already have one):
Complete name and location details as needed and add to an
appropriate Resource Group:
Review and create the new B2C.
From the new tenant open Azure AD B2C:
Under User Flows:
Create a New user flow.
Select Sign up and sign in:
And Recommended:
Give the flow a memorable name, as it will be used in URLs
later:
Modify the attributes and token claims as needed. We’ll use
the email address to register users so you need to at least collect
email and pass addresses as an application claim:
You can modify the attributes at any time in the User Flow.
Go back to Azure AD B2C and open App registrations:
Create New registration and give the app a reasonable
name.
Change Supported account types to Accounts in this
organizational directory only:
Redirect URI is your instance URL with /navpage.do:
Click Register.
In the app Overview copy the Application (client) ID:
Click Endpoints:
Note the OpenID Connect well known endpoint:
Replace <policy-name> with your User flow name
e.g. B2C_1_sign_up_sign_in. Access the URL in a Web browser to confirm you have
the right URL:
Under Certificates & secrets:
Create a new Client secret:
And note the secret Value.
You should now have three pieces of information to use in the ServiceNow configuration:
- Application ID
- OpenID Connect Well-known endpoint
- Client Secret value
Offering Azure AD as a Login Option
https://docs.microsoft.com/en-gb/azure/active-directory-b2c/identity-provider-azure-ad-single-tenant?pivots=b2c-user-flow
ServiceNow
If not already installed, install the Integration -
Multiple Provider Single Sign-On Installer plugin (com.snc.integration.sso.multi.installer).
Under SSO properties:
Enable SSO:
Under Identity Providers:
Create a new IdP:
Of type OpenID Connect:
In the Import form populate the information using the
information you captured from the Azure B2C set up:
In your new Identity Provider make it active and a login
option:
There’s a few different ways to handle Single Sign-on, refer
to ServiceNow documentation for what the options will do.
Under the OIDC Entity section open the entity:
Under OAuth Entity Scopes change the OAuth scope:
Important! Modify the scope from openid to:
5c6e2fbc-1a5b-41c0-a63f-b899c567fbf9 openid offline_access profile email
Replace 5c6e2fbc… with your Application ID.
This scope is required to generate an access token, without which ServiceNow will reject the OpenID Connect. The error you would see in the logs is "missing parameter access_token".
Click Update to save the scope changes.
Go back to the Identity Provider. Open the OIDC Provider
Configuration:
Modify the User Claim to emails:
Click Update.
Go back to the Identity Provider.
Enable User Provisioning. In this example I’m using Google
ID Token Example but you may wish to create a new Data Source:
Warning! This will give any B2C user itil role
which is useful for testing, you probably want to use “public” or similar.
Save and open the Google ID Token Example data
source.
Open the Google ID Token Example transform:
In the Field Maps modify email to u_emails_0:
Open your ServiceNow instance and you should now get a B2C
login option:
Click Log in with B2C. Create an account and login.