5 Replies · Latest reply on Nov 13, 2017 8:29 AM by Prabhat Kuchibhotla

    I want to enable login only through SSO and restrict login from side door and login.do.

      I want to enable login only through SSO and restrict login from side door and login.do.

        • Re: I want to enable login only through SSO and restrict login from side door and login.do.
          Michael Fry

          Did you try setting glide.authentication.external.disable_local_login to true: External Authentication (Single Sign-On - SSO) - ServiceNow Wiki

          When set to true requires SSO credentials even for the main ServiceNow login page.

          3 of 3 people found this helpful
          • Re: I want to enable login only through SSO and restrict login from side door and login.do.
            Johnathon Rausch

            I have not been able to disable the login, much to my chagrin, but I was able to successfully implement a security requirement I had to check when local/side_door logins occur. Below is code that I run within a notification's advanced condition:

             

            //wait 5 seconds to ensure other events and logs have the ability to queue. We want to make sure that external.authentication.succeeded has time to run
            //and that the transaction log for the possible API call has time to be created.
            gs.sleep(5000);
            
            var gd = new GlideDateTime();
            gd.setValue(event.sys_created_on);
            gd.add(-5000);
            
            var date = gd.getLocalDate();
            var time = gd.getLocalTime();
            time = time.getByFormat('HH:mm:ss');
            
            var gr = new GlideRecord('sysevent');
            gr.addEncodedQuery("name=external.authentication.succeeded^parm1STARTSWITH"+event.parm1+"^sys_created_on>=javascript:gs.dateGenerate('"+date+"','"+time+"')");
            gr.query();
            
            //if the 'external.authentication.succeeded' record exists then the user logged in with SSO.
            if(gr.hasNext()) {
                 answer = false;
            } else {
                 //Also we do not want to keep track of API logins right now.
                 gr = new GlideRecord('syslog_transaction');
                 gr.addEncodedQuery('urlLIKE/login.do^session='+event.instance);
                 gr.query();
            
                 //if there is a transaction with login.do then this is most likely a side_door/local login
                 if(gr.hasNext()) {
                      gs.warn("side_door.do login detected. user_name = "+event.parm1);
                      answer = true; //if the event doesn't exist then the user logged in locally which is not allowed
                 }
            }
            

             

            The notification is triggered when the "login" event is triggered.

             

            The trick here was to try and distinguish logins. A login event is created for:

            - SSO login

            - LDAP login

            - SOAP/REST API authentications

            - side_door.do/login.do login

             

            So in my case we don't allow LDAP logins so I don't have to worry about that.

             

            All SSO logins also have a corresponding "external.authentication.succeeded" event so if that exists then it is an SSO login.

             

            Now with those 2 out of the way we need to distinguish a local login from an API login. To do this you must check the transaction table because API calls will not have a transaction for login.do but all local logins will.

             

            Now with all that logic in place we can figure out if a local login occurred.

             

            Using this logic between the event and transaction tables you should be able to add improved security logs. You could add code to:

             

            - check specific API calls

            - check LDAP login if you use that

            - basically anything that requires a login can now be a little more properly distinguished

             

            This could all be made much simpler if SN just implemented new events:

             

            - login-SSO

            - login-LDAP

            - login-API

            - login-sidedoor

            - login-local

             

            So if anyone working on future releases is reading this, think about implementing these new events please.

             

            Thanks, John

            1 of 1 people found this helpful
            • Re: I want to enable login only through SSO and restrict login from side door and login.do.
              Prabhat Kuchibhotla

              Hi Rakesh,

               

              side_door.do and login.do pages are specifically designed to enable access to the instance in the event that there is an issue with SSO. Although it is possible, we would recommend leaving it intact and running the script described at the link below to set the passwords of all users to a random number so they cannot log in. This still gives you the ability to have a local admin account for use in case of an SSO failure, while stopping your other users from accessing the instance by any means other than SSO.

              http://wiki.servicenow.com/index.php?title=External_Authentication_(Single_Sign-On_-_SSO)#Restricting_Local_Login

              Additionally you can rename the side_door.do page to something else that is less obvious or well known, although from a support perspective it's good for us to know what that address is. To do this follow these steps:

              1) Create a new property in "sys_properties" named "glide.authenticate.external.side_door_uri", of a type "string", and a value of whatever you would like the page to be named (such as "side_door")

              2) To test, log out of your instance, and enter in the following URL: https://[instance name].service-now.com/[value of property].do

               

              However, if you still need to disable side_door.do you can do it like this:

              Create a new property in "sys_properties" named "glide.authenticate.external.side_door_uri", of a type "string", and leave value blank.

               

              As mentioned the change of this property is not supported by ServiceNow technical support, and we strongly recommend that you have a way to access your instance using the side door method, in case your external authentication fails or not able to authenticate your users.

              Since this is not recommended, please do enough tests before you carry out with this change.

               

              Regards,

              Prabhat

              1 of 1 people found this helpful