Configuring IdentityIQ to Integrate with ServiceNow

This section provides the required information for configuring IdentityIQ to integrate with ServiceNow.

This is intended as an introduction to the configuration needed to integrate IdentityIQ with ServiceNow. It outlines some examples that must be used as a reference point for implementation. Some changes may be required to meet specific use case and expertise around both systems are a must for the successful implementations.

SailPoint provides a default ServiceNow configuration. This configuration implements the integration between IdentityIQ and the ServiceNow to fulfill creation of tickets based on IdentityIQ access certification remediation events.

The default configuration is located in the following directory, where iiqHome is the location where IdentityIQ was installed:

iiqHome/WEB-INF/config/connector/IdentityIQforServiceNowServiceDesk.xml

The configuration must include the following entries:

The base URL of Service Desk System.

For example, https://host.service-now.com

Authentication method that is supported by the managed system

  • OAuth2

  • Basic

The application name by which ServiceNow account are aggregated. Required for Plan Initializer script.

Enter one of the following ticket type to generate ticket on Service Desk system:

  • serviceRequest

  • incident

  • changeRequest

Applicable if authenticationType is selected as Basic

Service Account username. Required when authenticationType is Basic.

Service Account user password. Required when authenticationType is Basic

Applicable if authenticationType is selected as OAuth2

URL for generating access token.

For example, https://host.service-now.com/oauth_token.do

For more information on generating the access token, refer to Create an endpoint for clients to access the instance.

Enter the following type of Grant:

REFRESH_TOKEN

or

PASSWORD

Client Id for OAuth2 authentication.

Client secret for OAuth2 authentication.

(Applicable if grant_type is selected as REFRESH_TOKEN) A valid refresh token for grant type authentication.

(Applicable if grant_type is selected as PASSWORD) Service Account username.

(Applicable if grant_type is selected as PASSWORD) Service Account user password.

The Application Configuration XML should have all configurations for Service Request, Incidents and Change modules. Depending on the type of selection for ticketType, respective configuration would be executed by connector for the request processing.

Each module would have provision and checkStatus entries as mentioned below:

Provision:

Entries

Description

resource

Ticket creation REST endpoint. Do not provide the base URL in the value. The system automatically appends the base URL to the endpoint value. Only provide the remaining endpoint URL.

ServiceNow: /api/x_sap_sdim/sailpoint_cart_js_api/create_ticket

catalogItem

(For Service Request only) Map that provides the key value pair of managed application names and catalog item IDs.

responseElement*

The value is the JSON path expression, which provides information about where to find the ticket number in the response from the REST endpoint. For example,

For REQ: <entry key="responseElement" value="$.result.request_number"/>

For RITM: <entry key="responseElement" value="$.result.items"/>

 

requestObject

The value represents the JSON root element in the request.

request

Map that represents request payload, which has a velocity template expression and velocity variables that dynamically update by integration before making the REST call. For example,

For RITM: <entry key="track_ritm" value="true" />
Check Status:

Entries

Description

closeNotes

This parameter defines from which ServiceNow ticket field resolution comments will be fetched as close notes into the IdentityIQ. For example, <entry key="closeNotes" value="$.result[0].close_notes"/>

resource

Ticket creation RESTendpoint. Do not provide the base URL in the value. The system automatically appends the base URL to the endpoint value. Only provide the remaining endpoint URL. For example,

For REQ: <entry key="resource" value="/api/now/table/sc_request" />

For RITM: <entry key="resource" value="/api/now/table/sc_req_item" />

 

checkStatusQueryParam

Map that provides any query parameters needed for RESTcall. For example,

For REQ: <entry key="sysparm_fields" value="request_state" />

For RITM: <entry key="sysparm_fields" value="state" />

 

responseElement*

The value is JSON path expression which provides information about where to find ticket number in the response from REST endpoint. For example,

For REQ: <entry key="responseElement" value="$.result[0].request_state"/>

For RITM: <entry key="responseElement" value="$.result[0].state"/>

statusMap

Map that relates Ticket System status to IdentityIQ status.

statusMapCloserCode

Map that relates Ticket System status to IdentityIQ status.

This field has higher precedence over status map.

If any changes required in the mapping, change the default value/key values in statusMap and statusMapCloserCode as mentioned in the following tables:

statusMap for Service Request to track REQ ticket

Entry key (ServiceNow)

Value (IdentityIQ)

closed_cancelled

Failed

closed_complete

Committed

closed_incomplete

Failed

closed_rejected

Failed

in_process

Queued

requested

Queued

closed_skipped

Failed
statusMap for Service Request to track RITM ticket

Entry key (ServiceNow)

Value (IdentityIQ)

-5

Queued

1

Queued

2

Queued

3

Committed

4

Failed

7

Failed
statusMap and statusMapCloserCode for Incident

Entry key (ServiceNow)

Values (IdentityIQ)

statusMap

1

Queued

2

Queued

3

Queued

6

Committed

7

Committed

8

Failed

statusMapCloserCode

Solved (Work Around)

Committed

Solved (Permanently)

Committed

Solved Remotely (Work Around)

Committed

Solved Remotely (Permanently)

Committed

Closed/Resolved by Caller

Committed

Not Solved (Not Reproducible)

Failed

Not Solved (Too Costly)

Failed

Duplicate

Failed

Known error

Failed

No resolution provided

Failed

Resolved by caller

Committed

Resolved by change

Committed

Resolved by problem

Committed

Resolved by request

Committed

Solution provided

Committed

Workaround provided

Committed

User error

Failed
statusMap for Change Request

Entry key (ServiceNow)

Value (IdentityIQ)

-1

Queued

-2

Queued

-3

Queued

-4

Queued

-5

Queued

0

Queued

3

Committed

4

Failed

Once the configuration information is populated then import the IdentityIQforServiceNowServiceDesk.xml file to create an application.

Managed Resources

You can manage the IdentityIQ applications through the ServiceNow Service Desk. To manage the applications, you need to add them individually as a ManagedResource under the ProvisioningConfig tag provided in the IdentityIQforServiceNowServiceDesk.xml file.

For example, to add three applications such as Procurement_System, HR_System, and Finance_System, add them individually as a ManagedResource as shown below:

<ProvisioningConfig>

<ManagedResource>

<ApplicationRef>

<Reference class="sailpoint.object.Application" name="Procurement_System" />

</ApplicationRef>

</ManagedResource>

<ManagedResource>

<ApplicationRef>

<Reference class="sailpoint.object.Application" name="HR_System" />

</ApplicationRef>

</ManagedResource>

<ManagedResource>

<ApplicationRef>

<Reference class="sailpoint.object.Application" name="Finance_System" />

</ApplicationRef>

</ManagedResource>

<PlanInitializerScript>

......................

......................

</PlanInitializerScript>

</ProvisioningConfig>