The Now Platform® Washington DC release is live. Watch now!
‎01-03-2017 02:19 PM
I want to enable login only through SSO and restrict login from side door and login.do.
‎01-03-2017 02:30 PM
Did you try setting glide.authentication.external.disable_local_login to true: External Authentication (Single Sign-On - SSO) - ServiceNow Wiki
When set to true requires SSO credentials even for the main ServiceNow login page.
‎01-03-2017 02:37 PM
Yes it is set to true but I am still able to login via login.do.
Can we do something from Installation exit or Ui Macro to achieve this.
‎01-10-2017 07:22 AM
that is exactly what i am looking for brother ..
‎11-13-2017 08:11 AM
I have not been able to disable the login, much to my chagrin, but I was able to successfully implement a security requirement I had to check when local/side_door logins occur. Below is code that I run within a notification's advanced condition:
//wait 5 seconds to ensure other events and logs have the ability to queue. We want to make sure that external.authentication.succeeded has time to run
//and that the transaction log for the possible API call has time to be created.
gs.sleep(5000);
var gd = new GlideDateTime();
gd.setValue(event.sys_created_on);
gd.add(-5000);
var date = gd.getLocalDate();
var time = gd.getLocalTime();
time = time.getByFormat('HH:mm:ss');
var gr = new GlideRecord('sysevent');
gr.addEncodedQuery("name=external.authentication.succeeded^parm1STARTSWITH"+event.parm1+"^sys_created_on>=javascript:gs.dateGenerate('"+date+"','"+time+"')");
gr.query();
//if the 'external.authentication.succeeded' record exists then the user logged in with SSO.
if(gr.hasNext()) {
answer = false;
} else {
//Also we do not want to keep track of API logins right now.
gr = new GlideRecord('syslog_transaction');
gr.addEncodedQuery('urlLIKE/login.do^session='+event.instance);
gr.query();
//if there is a transaction with login.do then this is most likely a side_door/local login
if(gr.hasNext()) {
gs.warn("side_door.do login detected. user_name = "+event.parm1);
answer = true; //if the event doesn't exist then the user logged in locally which is not allowed
}
}
The notification is triggered when the "login" event is triggered.
The trick here was to try and distinguish logins. A login event is created for:
- SSO login
- LDAP login
- SOAP/REST API authentications
- side_door.do/login.do login
So in my case we don't allow LDAP logins so I don't have to worry about that.
All SSO logins also have a corresponding "external.authentication.succeeded" event so if that exists then it is an SSO login.
Now with those 2 out of the way we need to distinguish a local login from an API login. To do this you must check the transaction table because API calls will not have a transaction for login.do but all local logins will.
Now with all that logic in place we can figure out if a local login occurred.
Using this logic between the event and transaction tables you should be able to add improved security logs. You could add code to:
- check specific API calls
- check LDAP login if you use that
- basically anything that requires a login can now be a little more properly distinguished
This could all be made much simpler if SN just implemented new events:
- login-SSO
- login-LDAP
- login-API
- login-sidedoor
- login-local
So if anyone working on future releases is reading this, think about implementing these new events please.
Thanks, John