ServiceNow provides basic SAML (Security Assertion Markup Language) authentication for Azure AD users, so that specific users can log in with their Azure credentials. Unfortunately, the configuration for inbound and outbound data flows through the API is scattered across different tables and is not intuitive enough to quickly set up an API integration, for example to update CMDB entries.
Installing the appropriate spoke in IntegrationHub partly solves the problem. However, some data cannot be gathered through the Azure spokes, or the spoke's authentication type does not grant access to particular resources. To work around such cases, we go through OAuth and authenticate the API calls with a bearer token. Another advantage of this approach is that any resource can be reached this way, even without installing additional spokes, although it still requires the proper permissions and roles on the Azure side.
The first and most important step when building this solution on the ServiceNow side is to make sure that the Azure administrator has set up all the permissions and roles required to read or manipulate the specific data. This matters because we, together with the Azure administrators, have to distinguish between delegated and application permissions. Delegated permissions require a session initiated by a user who has been granted access. With application permissions, any user can access the data, but the API requests must be sent from one of the granted applications, in our case the ServiceNow instance. Before you start the actual configuration, understand the requirements and agree with your team which model is the better fit for your setup.
Another thing that is not a must-have, but is really helpful when dealing with API calls, is an IntegrationHub license above the Starter tier.
This makes the whole process much easier to develop than relying on the standard, free actions. The out-of-the-box Starter subscription does not process REST calls, but you can still make them through a scripted RESTMessageV2 call in a Script step within the action.
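As an added illustration, not code from the post or from ServiceNow, the following script shows the application-permission path described above: an OAuth 2.0 client credentials token request to Azure AD, followed by a bearer-token call to Microsoft Graph. The HTTP transport is injected so the flow can be dry-run offline; on an instance, the `restMessageV2Transport` function (which uses the platform's `sn_ws.RESTMessageV2`) would be passed instead. The tenant ID, client ID, secret and the Graph response are constructed placeholders, and the function names other than `RESTMessageV2` and its methods are this example's own.

```javascript
// Added example (not from the post or ServiceNow): OAuth 2.0 client credentials
// grant against Azure AD followed by a bearer-token call to Microsoft Graph.
// Written in ES5 style so it can be pasted into a ServiceNow Script step.
// Tenant, client ID and secret are constructed placeholders; in practice the
// secret is read from a credential record, never hard-coded.

var TOKEN_HOST = 'https://login.microsoftonline.com';
var GRAPH_HOST = 'https://graph.microsoft.com';

// Form-encode the token request for the client credentials grant
// (application permissions: no signed-in user is involved).
function buildTokenRequest(tenantId, clientId, clientSecret) {
  var params = {
    client_id: clientId,
    client_secret: clientSecret,
    scope: GRAPH_HOST + '/.default',
    grant_type: 'client_credentials'
  };
  var body = Object.keys(params).map(function (k) {
    return encodeURIComponent(k) + '=' + encodeURIComponent(params[k]);
  }).join('&');
  return {
    method: 'POST',
    url: TOKEN_HOST + '/' + encodeURIComponent(tenantId) + '/oauth2/v2.0/token',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: body
  };
}

// Reject anything other than a well-formed 200 so a bad response never turns
// into a malformed Authorization header or a retry loop with a stale token.
function parseTokenResponse(status, rawBody) {
  if (status !== 200) {
    throw new Error('token endpoint returned HTTP ' + status);
  }
  var data = JSON.parse(rawBody);
  if (data.token_type !== 'Bearer' || typeof data.access_token !== 'string') {
    throw new Error('unexpected token response shape');
  }
  return {
    accessToken: data.access_token,
    expiresAt: Date.now() + (Number(data.expires_in) || 0) * 1000 // cache until then
  };
}

// Only the short-lived bearer token travels with the Graph call; the client
// secret is never sent to the resource API.
function buildGraphRequest(token, resourcePath) {
  return {
    method: 'GET',
    url: GRAPH_HOST + '/v1.0/' + resourcePath.replace(/^\/+/, ''),
    headers: { Authorization: 'Bearer ' + token.accessToken, Accept: 'application/json' },
    body: null
  };
}

// End-to-end flow. transport(request) must return { status: Number, body: String }.
function fetchGraphResource(transport, cfg, resourcePath) {
  var tokenReq = buildTokenRequest(cfg.tenantId, cfg.clientId, cfg.clientSecret);
  var tokenRes = transport(tokenReq);
  var token = parseTokenResponse(tokenRes.status, tokenRes.body);
  var graphRes = transport(buildGraphRequest(token, resourcePath));
  if (graphRes.status !== 200) {
    throw new Error('Graph returned HTTP ' + graphRes.status);
  }
  return JSON.parse(graphRes.body);
}

// Transport for a ServiceNow Script step using the platform's sn_ws.RESTMessageV2
// (only available on an instance, so it is defined here but not called offline).
function restMessageV2Transport(req) {
  var r = new sn_ws.RESTMessageV2();
  r.setEndpoint(req.url);
  r.setHttpMethod(req.method);
  Object.keys(req.headers).forEach(function (h) { r.setRequestHeader(h, req.headers[h]); });
  if (req.body !== null) {
    r.setRequestBody(req.body);
  }
  var resp = r.execute();
  return { status: resp.getStatusCode(), body: resp.getBody() };
}

// Constructed stand-in for both Azure endpoints so the flow can be exercised offline.
function fakeAzureTransport(req) {
  if (req.url.indexOf('/oauth2/v2.0/token') !== -1) {
    var ok = req.method === 'POST' && req.body.indexOf('grant_type=client_credentials') !== -1;
    return ok
      ? { status: 200, body: JSON.stringify({ token_type: 'Bearer', expires_in: 3599, access_token: 'constructed-token' }) }
      : { status: 400, body: '{"error":"invalid_request"}' };
  }
  if (req.headers.Authorization === 'Bearer constructed-token') {
    return { status: 200, body: JSON.stringify({ value: [{ displayName: 'Constructed User' }] }) };
  }
  return { status: 401, body: '{"error":{"code":"InvalidAuthenticationToken"}}' };
}

// Offline dry run with placeholder configuration.
var exampleConfig = {
  tenantId: '00000000-0000-0000-0000-000000000000', // placeholder tenant
  clientId: '11111111-1111-1111-1111-111111111111', // placeholder app registration
  clientSecret: 'PLACEHOLDER_SECRET'                // read from a credential record in practice
};
var result = fetchGraphResource(fakeAzureTransport, exampleConfig, '/users');
```

Inside a Script step you would call `fetchGraphResource(restMessageV2Transport, cfg, 'users')` and keep the parsed token until `expiresAt` rather than requesting a new one per call. Other Azure REST APIs use the same grant with their own `.default` scope (for example the Azure Resource Manager endpoint), and the application must hold the matching application permission or role on the Azure side for the call to succeed.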
Another smart move is to use an API client such as Postman, which will help you test the endpoints and API calls.
To continue reading, click here to download the whitepaper (no registration).