Configuration in ServiceNow for Client Credentials Grant Type
The SailPoint Identity Governance connector for ServiceNow supports External OpenID Connect (OIDC) Providers using the Client Credentials grant type. This includes providers such as Okta, Microsoft Entra ID (Azure AD), or ServiceNow’s native OAuth provider.
Perform the following steps to configure the SailPoint Identity Governance connector for the ServiceNow application using the Client Credentials grant type:
- Go to System OAuth > Application Registry and open the configuration for your External OIDC Provider. For example, Okta OIDC configuration or Entra ID OIDC configuration.
- Enter the Client ID and Client Secret of the application registered in your External OIDC Provider.
  Note: For Okta, you can use the Audience value of the Authorization Server as the Client ID if required.
- Open the OAuth OIDC Provider Configuration preview.
  Note: The connector validates the received access token in ServiceNow using the OIDC Provider configuration.
  Provide the following details in the OAuth OIDC Provider Configuration for access token validation:
  - Enter the OIDC Metadata URL, which returns the OpenID Connect metadata about your authorization server. This information is used to configure connector interaction with Okta or Entra ID. For example:
    - Okta:
      https://{yourOktaDomain.com}/oauth2/{authorizationServerId}/.well-known/openid-configuration
    - Microsoft Entra ID:
      https://login.microsoftonline.com/{tenantId}/v2.0/.well-known/openid-configuration
  - Update the User Claim and User Field mappings to correlate users and validate access to resource endpoints.
    Note: The matched user should have the x_sapo_iiq_connect.admin role to execute governance application APIs.
  - Deselect the Enable JTI claim verification checkbox.
  - Update the required fields under JWT Claims Validations to validate the received access token based on the policies of your OIDC Provider.
  Note: If you want to use the Client Credentials grant type for Inbound OAuth by native ServiceNow, refer to Client Credentials grant type for Inbound OAuth. Get the Client ID, Client Secret, and Token URL values from the OAuth Client application created on the ServiceNow instance.
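
The following added example (not part of the SailPoint or ServiceNow documentation) is a pre-flight check: it decodes the claims of an access token issued by your provider and compares them with the metadata issuer, the expected audience, and the claim you plan to enter as the User Claim. The token, issuer, audience, claim names, and helper names are constructed or assumed; the signature is not verified here, because token validation itself happens in ServiceNow.

```python
import base64
import json
import time


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(token: str) -> dict:
    """Decode the payload of a compact JWT for inspection only (no signature check)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def preflight(claims: dict, metadata: dict, audience: str, user_claim: str, now=None) -> list:
    """List mismatches that would break token validation or user correlation."""
    now = time.time() if now is None else now
    problems = []
    if claims.get("iss") != metadata.get("issuer"):
        problems.append("iss differs from metadata issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud does not contain expected audience")
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        problems.append("exp missing or in the past")
    if not claims.get(user_claim):
        problems.append(f"user claim '{user_claim}' absent")
    return problems


# Constructed sample data (placeholders, not values from any real tenant).
SAMPLE_METADATA = {"issuer": "https://idp.example.test/oauth2/default"}
SAMPLE_CLAIMS = {"iss": "https://idp.example.test/oauth2/default",
                 "aud": "api://servicenow-example", "exp": 2000000000,
                 "sub": "svc-sailpoint-example"}
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"RS256"}'),
                         _b64url(json.dumps(SAMPLE_CLAIMS).encode()),
                         _b64url(b"constructed-signature")])

if __name__ == "__main__":
    claims = decode_claims(SAMPLE_TOKEN)
    print(preflight(claims, SAMPLE_METADATA, "api://servicenow-example", "sub", now=1700000000))
    print(preflight(claims, SAMPLE_METADATA, "api://servicenow-example", "email", now=1700000000))
```

An empty list means the token carries the issuer, audience, expiry, and user claim that the ServiceNow-side configuration will be checked against; any entry names the field to correct in the provider or in the mapping.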