Configuring Connection Parameters

SailPoint Identity Security Cloud and ServiceNow must both be configured for the connection to enable seamless data exchange. SailPoint uses two grant types from the industry-standard OAuth 2.0 framework: Client Credentials and Authorization Code.

This page describes the available grant types; the following pages give step-by-step instructions for administrators. Choose one of these methods for the connection based on your organization's preference.

Client Credentials

The client credentials method connects ServiceNow to SailPoint with one specific service account. All ServiceNow users use this preconfigured account when signing in as an Identity Security Cloud user. All access requests are made from the ServiceNow Service Catalog app and are generated on behalf of that one service account user in SailPoint.

This service account user must have the ORG_ADMIN role, which allows it to call the REST API endpoints without any authorization restrictions. Because the account itself is unrestricted, any limitation of authorization is enforced programmatically in the app rather than by Identity Security Cloud.

Identity Security Cloud attributes all interactions coming from ServiceNow to the service account. For example, the requester name in Identity Security Cloud will show as Service Account rather than the user who initiated the request in ServiceNow. Tracing a request back to that user requires additional steps. ServiceNow users are authorized seamlessly through the SailPoint app on ServiceNow while connected to Identity Security Cloud.

Authorization Code

The authorization code method connects ServiceNow to Identity Security Cloud after the logged-in ServiceNow user authenticates with the OAuth server. In this case, Identity Security Cloud is accessed as the actual user rather than the service account, and requests are raised by real Identity Security Cloud users.

ServiceNow users will see an authorization prompt when using this option in ServiceNow. You can configure whether the prompt is shown only once or multiple times. Requests made via ServiceNow are governed by settings in SailPoint, so the ability to request access for others depends on that specific user's privileges in Identity Security Cloud.
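The two sections above differ in which identity ends up on an access request and where authorization is enforced. The following added example (not SailPoint's or ServiceNow's code) builds the RFC 6749 token-request bodies for both grant types and models the audit view of one request under each; the endpoint placeholder, field names and the `attribute_request` helper are assumptions for illustration.

```python
"""Added example: client credentials vs. authorization code as used by the
SailPoint app on ServiceNow, and the requester-traceability gap it creates."""
from dataclasses import dataclass
from urllib.parse import urlencode

TOKEN_URL = "https://<tenant>.example/oauth/token"  # placeholder, not a real endpoint


def client_credentials_body(client_id: str, client_secret: str) -> str:
    # RFC 6749 section 4.4: the app authenticates as itself; no end user is involved,
    # so the token represents the preconfigured ORG_ADMIN service account.
    return urlencode({"grant_type": "client_credentials",
                      "client_id": client_id, "client_secret": client_secret})


def authorization_code_body(client_id: str, client_secret: str,
                            code: str, redirect_uri: str) -> str:
    # RFC 6749 section 4.1: the code was issued after the ServiceNow user signed in at
    # the OAuth server, so the resulting token carries that user's identity.
    return urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret})


@dataclass(frozen=True)
class AccessRequestAudit:
    isc_requester: str              # requester name Identity Security Cloud records
    originating_user: str           # ServiceNow user who actually raised the request
    authorization_enforced_by: str  # "app" (service account) or "isc" (real user)

    def traceability_gap(self) -> bool:
        # True when the recorded requester is not the originating user, i.e. the
        # ServiceNow user must be carried in a separate correlation field for audit.
        return self.isc_requester != self.originating_user


def attribute_request(grant_type: str, token_subject: str,
                      servicenow_user: str) -> AccessRequestAudit:
    """Hypothetical helper: audit view of one access request per grant type."""
    if grant_type == "client_credentials":
        # ISC only ever sees the service account; request-for-others limits must
        # be checked by the app itself.
        return AccessRequestAudit(token_subject, servicenow_user, "app")
    if grant_type == "authorization_code":
        # The token subject is the real user, so ISC applies that user's privileges.
        return AccessRequestAudit(token_subject, servicenow_user, "isc")
    raise ValueError(f"unsupported grant type: {grant_type}")
```

Run `attribute_request("client_credentials", "Service Account", "jdoe")` and the returned record reports a traceability gap, which is exactly the extra correlation step the Client Credentials section refers to.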

Note

  • There are some minor feature differences between the two connection methods, especially in how variables are transferred between the systems.

  • Approve and Reject requests made under the IDN Workflow approval type are handled using client credentials rather than the real user, so the IDN values are displayed as seen by the client credentials service account.