Skip to content

ServiceNow Onboarding

This guide outlines the steps required to connect your ServiceNow instance to SailPoint Entro. The integration operates in read-only mode, using a ServiceNow API Access Token to authenticate through the Table API and Attachment API.

Prerequisites

Before starting the onboarding process, ensure you have:

  • ServiceNow Admin permissions

  • Access to the System Web Services and User Administration modules

  • An active Worker Group (Connector) in SailPoint Entro

  • The ServiceNow domain URL (e.g., https://<yourDomain>.service-now.com)

Complete the following:

  1. Create an Inbound Authentication Profile

    In ServiceNow, navigate to: All → System Web Services → API Access Policies → Inbound Authentication Profiles

    • Click New.

    • Choose Create API Key Authentication Profile.

    • Enter a name for the profile.

    • Click the lock icon to open Auth Parameter selection.

    • Click on the magnifying glass and select the parameter that corresponds to the Auth Header

    • Click Submit.

  2. Create an Integration User

    1. Navigate to: All → User Administration → Users

      • Click New.

      • Fill in User ID and optional details.

      • Mark the user as Active and Internal Integration User.

      • Click Submit.

      • In the Roles tab, click Edit... and add the following roles:

        • itil

        • snc_read_only

        • personalize_dictionary - optional (allows access to scan custom tables)

    Note

    Note: Scanning custom tables may require additional roles per table. Consult your ServiceNow admin or SailPoint Entro Support for further assistance.

  3. Create REST API Auth Scopes

    1. Navigate to: All → System Web Services → API Auth Scopes → REST API Auth Scope

      • Click New and create the first scope for the Table API:

        • REST API: Table API

        • Auth Scope: create new entro-auth-scope

        • Uncheck Apply auth scope to all HTTP methods

        • Click Submit

      • Repeat for the Attachment API:

        • REST API: Attachment API

        • Auth Scope: select entro-auth-scope created earlier

        • Click Submit

  4. Create an API Access Token

    1. Navigate to: All → System Web Services → API Access Policies → REST API Key

      • Click New.

      • Enter a name for the API key.

      • Assign the Integration User created earlier.

      • Select the entro-auth-scope from the previous step.

      • Click Submit.

      • Reopen the created API Key and click the lock icon next to Token.

      • Copy the token and store it securely.

  5. Create REST API Access Policies

    1. Navigate to: All → System Web Services → REST API Access Policies

      • Create a new policy for the Table API:

        • REST API: Table API

        • Uncheck Apply to all methods

        • Under Inbound Authentication Profiles, select the profile from Step 1

        • Click Submit

      • Repeat for the Attachment API, following the same process.

      If users/integrations are using Basic Auth consider doing the following to avoid login issues

    2. Create BasicAuth Authentication Profile:

      1. Go to All → System Web Services → API Access Policies → Inbound Authentication Profiles

      2. Select New

      3. Select Create standard http authentication profiles

      4. Give the new profile a name (like BasicAuth) and make sure that Basic Auth is selected as the Type

      5. Click Submit

    3. Add the new profile to all the REST API Access Policies:

      1. Go to Navigate to All → System Web Services → REST API Access Policies

      2. Click the Table API policy

      3. In the Inbound authentication profiles at the bottom, add the new BasicAuth auth profile to the list (in addition to the SailPoint Entro auth profile)

      4. Do the same for the Attachments API policy

  6. Connect ServiceNow to SailPoint Entro

    In the SailPoint Entro Dashboard, navigate to: Management → Accounts & Integrations → Add New Account (top right) → ServiceNow

    Fill in the integration form using the details from ServiceNow:

    • Nickname: Friendly display name for the integration

    • ServiceNow URL: e.g., https://<yourDomain>.service-now.com

    • Access Token: Paste the token copied from the API Access Token step

    • Worker Group: Select the connector to handle the integration

    Click Connect.

  7. Validation

    After connecting, SailPoint Entro automatically:

    • Validates the token and API scope configuration

    • Confirms read access to Table and Attachment APIs

    • Begins secret scanning of records and attachments

    When successful, the integration status will display Verified in the SailPoint Entro Console.

Security and Compliance Notes

  • All API tokens are stored encrypted in SailPoint Entro's vault.
  • SailPoint Entro requests minimal API permissions and performs only read operations.
  • Integration logs are available in SailPoint Entro's Activity Logs under the corresponding account.
  • Integration follows SailPoint Entro's internal compliance standards (SOC 2 Type II, ISO 27001).