Integrations · OIDC + SAML

ServiceNow SSO

Configure Single Sign-On for ServiceNow ITSM using Clavex as the Identity Provider. Supports OIDC (recommended for new deployments) and SAML 2.0. Includes role/group mapping from Clavex claims to ServiceNow roles.

Option A — OIDC (Recommended)

Step A1 — Register OIDC Client in Clavex

Admin API (curl)

$ curl -X POST https://id.acme.eu/api/v1/organizations/acme/clients \ -H 'Authorization: Bearer $ADMIN_TOKEN' \ -H 'Content-Type: application/json' \ -d '{ "client_id": "servicenow", "client_name": "ServiceNow", "grant_types": ["authorization_code"], "redirect_uris": ["https://acme.service-now.com/navpage.do"], "scopes": ["openid", "profile", "email", "groups"], "token_endpoint_auth_method": "client_secret_basic" }'

Step A2 — Configure OIDC Provider in ServiceNow

In ServiceNow, navigate to System OAuth → External OIDC Providers → New

Fill in:

Field	Value
Name	`Clavex`
Client ID	`servicenow`
Client secret	`cs_xxxxxxxxxxxxxxxx`
Well-known config URL	`https://id.acme.eu/acme/.well-known/openid-configuration`
User claim	`email`
Default auth. scope	`openid profile email groups`

Click Populate OIDC metadata — ServiceNow fetches all endpoints from discovery
Save

Step A3 — Create Multi-Provider SSO Profile

Multi-Provider SSO → Identity Providers → New
Set type to OpenID Connect
Link the OIDC provider created above
Set User field to email and Identity provider's user field to email
Enable Auto-provision users if needed

Option B — SAML 2.0

Step B1 — Configure SAML in ServiceNow

Navigate to Multi-Provider SSO → Identity Providers → New
Select type SAML2 Update1

Upload Clavex metadata XML or enter manually:

Field	Value
IdP's EntityID/Issuer	`https://id.acme.eu/acme/saml`
IdP's AuthnRequest binding	`HTTP-Redirect`
IdP's SSO URL	`https://id.acme.eu/acme/saml/sso`
IdP's SLO URL	`https://id.acme.eu/acme/saml/slo`
IdP's certificate	Paste Base64 from Clavex metadata

Note the EntityID and ACS URL shown by ServiceNow

Step B2 — Register ServiceNow SP in Clavex

Admin API (curl)

$ curl -X POST https://id.acme.eu/api/v1/organizations/acme/saml/sp \ -H 'Authorization: Bearer $ADMIN_TOKEN' \ -H 'Content-Type: application/json' \ -d '{ "entity_id": "https://acme.service-now.com", "acs_url": "https://acme.service-now.com/navpage.do", "name_id_format": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", "sign_assertions": true }'

Role Mapping

In ServiceNow, create a Claim Mapping to translate Clavex groups claim values to ServiceNow roles:

Multi-Provider SSO → Identity Providers → your provider → Claim Mappings
Add a new mapping:

Claim attribute ServiceNow user field

groups roles (via script transform)

email email

name name

Claim attribute	ServiceNow user field
`groups`	`roles` (via script transform)
`email`	`email`
`name`	`name`

Troubleshooting

Symptom	Cause	Fix
User not found after SSO login	User not provisioned in ServiceNow	Enable Auto-provision users or create the user manually with matching email
OIDC discovery URL fails	ServiceNow can't reach Clavex	Check network/firewall rules; ServiceNow IP ranges must reach your Clavex instance
SAML assertion rejected	Audience restriction mismatch	Ensure SP entity_id in Clavex matches exactly the EntityID shown in ServiceNow SSO settings
Redirect after login goes to home, not original page	RelayState not preserved	Enable Use relay state in the ServiceNow Identity Provider settings