ServiceNow Onboarding
This guide outlines the steps required to connect your ServiceNow instance to SailPoint Entro. The integration operates in read-only mode, using a ServiceNow API Access Token to authenticate through the Table API and Attachment API.
Prerequisites
Before starting the onboarding process, ensure you have:
-
ServiceNow Admin permissions
-
Access to the System Web Services and User Administration modules
-
An active Worker Group (Connector) in SailPoint Entro
-
The ServiceNow domain URL (e.g.,
https://<yourDomain>.service-now.com)
Complete the following:
-
Create an Inbound Authentication Profile
In ServiceNow, navigate to: All → System Web Services → API Access Policies → Inbound Authentication Profiles
-
Click New.
-
Choose Create API Key Authentication Profile.
-
Enter a name for the profile.
-
Click the lock icon to open Auth Parameter selection.
-
Click on the magnifying glass and select the parameter that corresponds to the Auth Header
-
Click Submit.
-
-
Create an Integration User
-
Navigate to: All → User Administration → Users
-
Click New.
-
Fill in User ID and optional details.
-
Mark the user as Active and Internal Integration User.
-
Click Submit.
-
In the Roles tab, click Edit... and add the following roles:
-
itil -
snc_read_only -
personalize_dictionary- optional (allows access to scan custom tables)
-
-
Note
Note: Scanning custom tables may require additional roles per table. Consult your ServiceNow admin or SailPoint Entro Support for further assistance.
-
-
Create REST API Auth Scopes
-
Navigate to: All → System Web Services → API Auth Scopes → REST API Auth Scope
-
Click New and create the first scope for the Table API:
-
REST API: Table API
-
Auth Scope: create new
entro-auth-scope -
Uncheck Apply auth scope to all HTTP methods
-
Click Submit
-
-
Repeat for the Attachment API:
-
REST API: Attachment API
-
Auth Scope: select
entro-auth-scopecreated earlier -
Click Submit
-
-
-
-
Create an API Access Token
-
Navigate to: All → System Web Services → API Access Policies → REST API Key
-
Click New.
-
Enter a name for the API key.
-
Assign the Integration User created earlier.
-
Select the
entro-auth-scopefrom the previous step. -
Click Submit.
-
Reopen the created API Key and click the lock icon next to Token.
-
Copy the token and store it securely.
-
-
-
Create REST API Access Policies
-
Navigate to: All → System Web Services → REST API Access Policies
-
Create a new policy for the Table API:
-
REST API: Table API
-
Uncheck Apply to all methods
-
Under Inbound Authentication Profiles, select the profile from Step 1
-
Click Submit
-
-
Repeat for the Attachment API, following the same process.
If users/integrations are using Basic Auth consider doing the following to avoid login issues
-
-
Create BasicAuth Authentication Profile:
-
Go to All → System Web Services → API Access Policies → Inbound Authentication Profiles
-
Select New
-
Select Create standard http authentication profiles
-
Give the new profile a name (like BasicAuth) and make sure that
Basic Authis selected as the Type -
Click Submit
-
-
Add the new profile to all the REST API Access Policies:
-
Go to Navigate to All → System Web Services → REST API Access Policies
-
Click the Table API policy
-
In the Inbound authentication profiles at the bottom, add the new BasicAuth auth profile to the list (in addition to the SailPoint Entro auth profile)
-
Do the same for the Attachments API policy
-
-
-
Connect ServiceNow to SailPoint Entro
In the SailPoint Entro Dashboard, navigate to: Management → Accounts & Integrations → Add New Account (top right) → ServiceNow
Fill in the integration form using the details from ServiceNow:
-
Nickname: Friendly display name for the integration
-
ServiceNow URL: e.g.,
https://<yourDomain>.service-now.com -
Access Token: Paste the token copied from the API Access Token step
-
Worker Group: Select the connector to handle the integration
Click Connect.
-
-
Validation
After connecting, SailPoint Entro automatically:
-
Validates the token and API scope configuration
-
Confirms read access to Table and Attachment APIs
-
Begins secret scanning of records and attachments
When successful, the integration status will display Verified in the SailPoint Entro Console.
-
Security and Compliance Notes
- All API tokens are stored encrypted in SailPoint Entro's vault.
- SailPoint Entro requests minimal API permissions and performs only read operations.
- Integration logs are available in SailPoint Entro's Activity Logs under the corresponding account.
- Integration follows SailPoint Entro's internal compliance standards (SOC 2 Type II, ISO 27001).