ServiceNow SSO with MojoAuth
Connect your ServiceNow instance (the Now Platform) to MojoAuth using SAML 2.0. MojoAuth acts as the Identity Provider (IdP); ServiceNow acts as the Service Provider (SP). Once configured, users can sign in to ServiceNow with SP-initiated login (from the ServiceNow login page) or IdP-initiated login (from your MojoAuth-hosted login page or an app launcher).
How it works
Prerequisites
- A MojoAuth project (test or live) with admin access to Developers → Applications.
- A ServiceNow instance with
admin(orsecurity_admin) role access. - The Integration - Multiple Provider Single Sign-On Installer plugin activated on your instance (this ships with most editions but is not active by default — see Step 2).
- Decide up front which ServiceNow user field will match the identity MojoAuth sends (
user_nameoremail), and make sure existing ServiceNow user records populate that field consistently.
Multi-provider SSO changes how every user signs in, including admins. Keep Local Login available
as a fallback (https://<instance>.service-now.com/login.do?local_login=true) until you've fully
tested the new IdP, so you don't lock yourself out of the instance.
Step 1 — Create the MojoAuth SAML connection
- In the MojoAuth dashboard, go to Developers → Applications → New Application → SAML 2.0 SSO.
- Enter a connection name (e.g.
ServiceNow – Production) and click Create connection. This creates a draft connection and auto-issues a signing certificate. - Leave this tab open — you'll come back to copy the IdP metadata URL and, later, paste ServiceNow's SP details.
See SAML SSO Connections for the full concept walkthrough.
Step 2 — Activate multi-provider SSO in ServiceNow
Activate the plugin
Go to All menu → search for Plugins (or navigate to System Definition → Plugins). Find Integration - Multiple Provider Single Sign-On Installer and activate it if it isn't already active. Activation adds the Multi-Provider SSO application menu.
Open the Identity Providers list
Navigate to Multi-Provider SSO → Identity Providers, then click New, and choose SAML as the provider type. This opens the SAML 2.0 identity provider configuration record.
Import MojoAuth's IdP metadata
The fastest path: on the new IdP record, use Import Identity Provider Metadata and paste your MojoAuth IdP metadata URL:
{BASE}/saml/{projectId}/sps/{spId}/metadataServiceNow fetches the metadata and auto-fills:
- Identity Provider's AuthnRequest (SSO URL / SAML endpoint)
- Entity ID / Issuer for the IdP
- X.509 Certificate (MojoAuth's signing certificate)
Or configure manually
If you'd rather not import metadata (or your instance can't reach the URL outbound), fill the fields in by hand:
| ServiceNow field | Value |
|---|---|
| Identity Provider's AuthnRequest (SSO URL) | {BASE}/saml/{projectId}/sps/{spId}/sso |
| Entity ID / Issuer | {BASE}/saml/{projectId}/sps/{spId}/metadata |
| Single Logout URL | {BASE}/saml/{projectId}/sps/{spId}/slo |
| X.509 Certificate | Paste the PEM from Copy PEM (or upload the downloaded .crt) on the MojoAuth connection page |
Paste the certificate contents (including the -----BEGIN CERTIFICATE----- /
-----END CERTIFICATE----- lines) into the Certificate field on the IdP record.
Note the SP fields ServiceNow generated
Scroll down on the same IdP record to the SP (Service Provider) Configuration related fields. ServiceNow auto-generates these for your instance:
| ServiceNow SP field | Typical value |
|---|---|
| SP Entity ID / Issuer | https://<instance>.service-now.com |
| Assertion Consumer Service (ACS) URL | https://<instance>.service-now.com/navpage.do |
Confirm the exact values on your instance's IdP record — some instances (or custom domain setups) show a different ACS path. Copy both values; you'll paste them into MojoAuth next.
Step 3 — Give ServiceNow's SP details back to MojoAuth
Back on the MojoAuth SAML connection page:
- Use Import from metadata if ServiceNow exposes an SP metadata endpoint on your instance, or
choose Manual configuration and enter:
- SP Entity ID:
https://<instance>.service-now.com - ACS URL:
https://<instance>.service-now.com/navpage.do
- SP Entity ID:
- Set NameID format to
emailAddressif you'll match on email, orunspecified/persistentif you'll match onuser_name— this must agree with the user field you pick in ServiceNow's IdP record (see Step 4). - Click Save.
Step 4 — Attribute mapping and user lookup
ServiceNow's SAML IdP record has a User Field setting that tells it which local user table column
to match the incoming NameID (or a mapped attribute) against — typically user_name or email.
| ServiceNow expects | MojoAuth saml_name | MojoAuth source | name_format |
|---|---|---|---|
| NameID (subject) | — | email or identifier (matches ServiceNow's User Field) | — |
User.Email | User.Email | email | basic |
User.FirstName | User.FirstName | firstName | basic |
User.LastName | User.LastName | lastName | basic |
Configure on the MojoAuth connection's Attribute mappings section:
- If ServiceNow's User Field is set to
email, set the connection's NameID format toemailAddressand mapsource: emailso the subject itself carries the address ServiceNow looks up. - If matching on
user_name, map asource: identifier(oruserId, depending on how your directory populates ServiceNow'suser_name) to the NameID, and set NameID format tounspecifiedorpersistent. - Add the
User.Email,User.FirstName,User.LastNameattribute rows above if you want ServiceNow to refresh profile fields on login (requires JIT/auto-provisioning or an existing matching user record).
ServiceNow does not do full JIT user creation out of the box for SAML — by default it expects a
matching sys_user record to already exist for the incoming identity. If you need automatic user
creation, review ServiceNow's Multi-Provider SSO auto-provisioning properties for your instance
before relying on attribute mapping alone.
Step 5 — Test
- On the ServiceNow IdP record, click Test Connection. ServiceNow performs an SP-initiated SAML round trip against MojoAuth and reports whether the assertion validated.
- From the MojoAuth connection page, use Test SSO to run an IdP-initiated login and confirm a valid signed assertion reaches ServiceNow's ACS URL.
- Once both pass, open the IdP record and check Active, then set it as the default provider only after confirming regular users can sign in end-to-end — test with a non-admin account in an incognito/private browser window first, keeping your own admin session on local login.
- Visit
https://<instance>.service-now.com/navpage.doin a private window to trigger SP-initiated login and confirm the redirect to MojoAuth and back works.
Troubleshooting
"Certificate validation failed" / signature mismatch The X.509 certificate on the ServiceNow IdP record doesn't match MojoAuth's current signing certificate. Re-copy the PEM from Copy PEM on the MojoAuth connection page (certificates rotate periodically) and update the ServiceNow IdP record, or re-run Import Identity Provider Metadata to refresh it automatically.
User not found / "no local user found for NameID" errors
ServiceNow's IdP record User Field doesn't match what MojoAuth is sending in the NameID. Confirm
the connection's NameID format and mapped source (Step 4) correspond to a real, populated field
(user_name or email) on the target sys_user record. Check System Logs → System Log → All and
filter for SAML for the specific rejection reason.
Locked out after setting the provider as default
If a misconfigured IdP becomes the default and blocks admin login, browse to
https://<instance>.service-now.com/login.do?local_login=true to bypass SSO and sign in with a local
account, then fix or deactivate the IdP record. Always verify the connection with a non-admin test
user before flipping Active/default on for everyone.
ACS URL mismatch / "Invalid Destination" error
The ACS URL entered on the MojoAuth connection doesn't exactly match what ServiceNow expects
(https://<instance>.service-now.com/navpage.do for most instances, though some configurations use a
different path). Recheck the SP Configuration fields on the ServiceNow IdP record and re-paste the
exact value into MojoAuth's ACS URL field.
"Entity ID mismatch" / audience restriction errors
The SP Entity ID saved in MojoAuth doesn't exactly match the Issuer/audience ServiceNow sends in
its AuthnRequest (https://<instance>.service-now.com, case- and trailing-slash-sensitive). Copy it
directly from the ServiceNow IdP record's SP Configuration section rather than typing it by hand.
SSO works but attributes (name, email) don't update
ServiceNow only updates profile fields on login if the corresponding attribute mapping rows exist on
the MojoAuth connection and your instance's SSO properties allow attribute-based updates. Add the
User.Email / User.FirstName / User.LastName rows from Step 4 and confirm they're received by
checking the SAML response in ServiceNow's System Logs.