In recent years ServiceNow has established itself as the best tool for managing processes, services and infrastructure, and it is designed around ITIL guidelines; Forbes named it the most innovative company in 2018. ServiceNow operates in a SaaS (software as a service) model and improves the platform continuously. In this article you can find more information about integrating it with Active Directory using LDAP.
Users and Groups
Following ServiceNow documentation: “A group is a set of users who share a common purpose. Members of groups perform tasks such as approving change requests, resolving incidents, receiving email notifications, or performing change request tasks. Assign every user to at least one group.
A good practice is to assign roles to groups rather than to users. Administrators can assign roles quickly to multiple users by adding the users to the group. If a user moves to another group, the role assigned to the new group is applied automatically.”
The user is simply an individual who can access the ServiceNow instance.
LDAP
There are many ways to manage users and groups in ServiceNow and one of them is integration with Active Directory through LDAP.
LDAP (Lightweight Directory Access Protocol) is an open, vendor-neutral application protocol for accessing and maintaining data stored in directories. Using this protocol, we can query the company's Active Directory to get the user and group information our instance needs. In this article, we will be using one of the publicly available LDAP test servers.
SETUP
First, we need to add a new LDAP server. We can do this by filtering for System LDAP in the navigator and opening the Create New Server module.
By default, ServiceNow will create some out-of-the-box OU (Organizational Unit as per Active Directory) definitions:
However, we will need to adjust the filters in those definitions, since we are using a test server that is configured slightly differently from a corporate Active Directory. For Groups, we will be using “cn” as the query field and we need to filter “objectClass” for “groupOfUniqueNames”.
You can click Browse in related links to check what will be retrieved with your query:
The same changes need to be applied to the User OU Definition: as with groups, the query field will be “cn”, but this time we filter “objectClass” for “person”.
Once we are sure that we will receive all the necessary user and group data from LDAP, we can start adjusting the transform map that ServiceNow created. We can comment out the script actions, as there is no manager set in this setup. However, in corporate use cases the ldapUtils script include is helpful; you can read more about it in the product documentation (Common LDAP Scripts).
Once we are done with the field mapping, we need to take a look at the transform scripts, especially the onAfter script, which is responsible for adding members to ServiceNow groups. As you can see, the commented line lets you set a different field than “member”, the default field holding information about group members. In our case, we need to uncomment this line and set “uniquemember” as our group members’ field, because that is how our source LDAP server stores this data.
Similarly, we need to adjust the field mapping for the user transform.
Finally, we can test it by loading all records and running the transform on the import set. Bear in mind that loading all records might cause trouble if too many records are returned, so I recommend “Test Load 20 records” first to make sure the received data is what you need.
Now that we are sure both data sources are correct and that we receive only the necessary data, we want to run the user transform first:
Then we can run the group import to load all the necessary groups and map their members:
If you open one of the referenced target records, you can see that we successfully added all members that should belong to this group.
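As an added illustration (not the article's or ServiceNow's code), the following Python models the two transforms above on a constructed sample directory shaped like the test server: users filtered by objectClass “person” and keyed by “cn”, groups filtered by “groupOfUniqueNames”, and members resolved from the “uniquemember” DNs. It shows why the user transform must run before the group import and reports member DNs that match no imported user instead of dropping them; the sample entries, function names and the lower-cased DN comparison are assumptions.

```python
# Constructed sample directory (not real data), shaped like the test server in the article:
# users carry objectClass "person", groups are "groupOfUniqueNames" with "uniquemember" DNs.
SAMPLE_ENTRIES = [
    {"dn": "cn=alice,ou=people,dc=example,dc=com", "objectClass": ["person"], "cn": ["alice"]},
    {"dn": "cn=bob,ou=people,dc=example,dc=com", "objectClass": ["person"], "cn": ["bob"]},
    {"dn": "cn=ops,ou=groups,dc=example,dc=com", "objectClass": ["groupOfUniqueNames"], "cn": ["ops"],
     "uniquemember": ["cn=alice,ou=people,dc=example,dc=com",
                      "cn=carol,ou=people,dc=example,dc=com"]},  # carol has no user entry
    {"dn": "cn=dev,ou=groups,dc=example,dc=com", "objectClass": ["groupOfUniqueNames"], "cn": ["dev"],
     "uniquemember": ["cn=bob,ou=people,dc=example,dc=com",
                      "cn=alice,ou=people,dc=example,dc=com"]},
]

def attr(entry, name):
    """Case-insensitive attribute lookup (LDAP attribute names are case-insensitive)."""
    for key, vals in entry.items():
        if key.lower() == name.lower() and isinstance(vals, list):
            return vals
    return []

def search(entries, object_class, limit=None):
    """Models the OU definition filter (objectClass=<object_class>); limit mimics
    the "Test Load 20 records" step the article recommends before a full load."""
    hits = [e for e in entries
            if any(v.lower() == object_class.lower() for v in attr(e, "objectClass"))]
    return hits if limit is None else hits[:limit]

def import_users(entries):
    """User transform: key each imported user by cn (the query field) and keep its DN.
    DNs are lower-cased for comparison; full RFC 4514 normalisation is out of scope."""
    return {attr(e, "cn")[0]: e["dn"].lower() for e in search(entries, "person")}

def import_groups(entries, users, member_field="uniquemember"):
    """Group transform onAfter step: resolve each member DN against already-imported users.
    Returns (memberships, unresolved); unresolved DNs are reported, not silently dropped."""
    dn_to_cn = {dn: cn for cn, dn in users.items()}
    memberships, unresolved = {}, {}
    for group in search(entries, "groupOfUniqueNames"):
        name = attr(group, "cn")[0]
        memberships[name] = []
        for dn in attr(group, member_field):
            cn = dn_to_cn.get(dn.lower())
            if cn is None:
                unresolved.setdefault(name, []).append(dn)  # audit these before go-live
            else:
                memberships[name].append(cn)
    return memberships, unresolved
```

Running `import_groups` with the default “member” field, or before `import_users`, yields empty memberships, which is exactly the silent failure the field change and the import order in the article avoid.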
Summary
As you can see, ServiceNow helps with many parts of the integration process by creating the necessary artifacts, such as data sources, OU definitions, transform maps and import set tables; however, configuring queries and filters can sometimes be tricky. I suggest first building the filter using PowerShell or in AD Users & Computers (you can also ask your AD admin for help). You can read more about filters here. Understanding organizational units is also a crucial part of LDAP integration, and I strongly recommend going through the documentation as well.
Additional resources
For more information on integration, see the resources below: