Did you try setting glide.authentication.external.disable_local_login to true: External Authentication (Single Sign-On - SSO) - ServiceNow Wiki
When set to true requires SSO credentials even for the main ServiceNow login page.
Yes, it is set to true, but I am still able to log in via login.do.
Can we do something from an Installation Exit or UI Macro to achieve this?
That is exactly what I am looking for, brother.
I have not been able to disable the login, much to my chagrin, but I was able to successfully implement a security requirement I had to check when local/side_door logins occur. Below is code that I run within a notification's advanced condition:
The notification is triggered when the "login" event is triggered.
The trick here was to try and distinguish logins. A login event is created for:
- SSO login
- LDAP login
- SOAP/REST API authentications
- side_door.do/login.do login
So in my case we don't allow LDAP logins so I don't have to worry about that.
All SSO logins also have a corresponding "external.authentication.succeeded" event so if that exists then it is an SSO login.
Now with those 2 out of the way we need to distinguish a local login from an API login. To do this you must check the transaction table because API calls will not have a transaction for login.do but all local logins will.
Now with all that logic in place we can figure out if a local login occurred.
Using this logic between the event and transaction tables you should be able to add improved security logs. You could add code to:
- check specific API calls
- check LDAP login if you use that
- basically anything that requires a login can now be a little more properly distinguished
This could all be made much simpler if SN just implemented new events:
So if anyone working on future releases is reading this, think about implementing these new events please.
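The classification described in the post above, as an added example in plain JavaScript; it is not the poster's script or ServiceNow code. It runs over constructed rows, and the field names (`name`, `user`, `time`, `url`), the function names and the 5-second correlation window are assumptions.

```javascript
// Constructed sample rows. Field names and the 5 s correlation window are
// assumptions for this example, not ServiceNow's schema.
const WINDOW_MS = 5000;
const LOCAL_PAGES = ['login.do']; // the page the post looks for in the transaction table

const events = [
  { name: 'external.authentication.succeeded', user: 'alice', time: 900 },
  { name: 'login', user: 'alice', time: 1000 },            // SSO
  { name: 'login', user: 'svc_integration', time: 20000 }, // REST call
  { name: 'login', user: 'admin', time: 40000 },           // login.do
  { name: 'login', user: 'alice', time: 60000 },           // same user, local this time
];
const transactions = [
  { user: 'svc_integration', url: '/api/now/table/incident', time: 20000 },
  { user: 'admin', url: '/login.do', time: 39500 },
  { user: 'alice', url: '/login.do', time: 60100 },
];

const near = (a, b) => Math.abs(a - b) <= WINDOW_MS;

// Classify one "login" event as 'sso', 'local' or 'api'.
// LDAP is not separated out, matching the post (LDAP logins are not allowed there).
function classifyLogin(login, allEvents, allTransactions) {
  const sameUserNear = (r) => r.user === login.user && near(r.time, login.time);
  // SSO logins have a corresponding external.authentication.succeeded event.
  if (allEvents.some((e) => e.name === 'external.authentication.succeeded' && sameUserNear(e))) {
    return 'sso';
  }
  // Local logins have a login.do transaction; API authentications do not.
  const hitLocalPage = allTransactions.some(
    (t) => sameUserNear(t) && LOCAL_PAGES.some((p) => t.url.split('?')[0].endsWith('/' + p))
  );
  return hitLocalPage ? 'local' : 'api';
}

// Return every login event that should raise the local-login notification.
function localLogins(allEvents, allTransactions) {
  return allEvents
    .filter((e) => e.name === 'login')
    .filter((e) => classifyLogin(e, allEvents, allTransactions) === 'local');
}

console.log(localLogins(events, transactions).map((e) => `${e.user}@${e.time}`));
```

The time window matters: without it, the second `alice` login would be matched to her earlier SSO event and the local login would go unreported.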
side_door.do and login.do pages are specifically designed to enable access to the instance in the event that there is an issue with SSO. Although it is possible, we would recommend leaving it intact and running the script described at the link below to set the passwords of all users to a random number so they cannot log in. This still gives you the ability to have a local admin account for use in case of an SSO failure, while stopping your other users from accessing the instance by any means other than SSO.
Additionally you can rename the side_door.do page to something else that is less obvious or well known, although from a support perspective it's good for us to know what that address is. To do this follow these steps:
1) Create a new property in "sys_properties" named "glide.authenticate.external.side_door_uri", of a type "string", and a value of whatever you would like the page to be named (such as "side_door")
However, if you still need to disable side_door.do you can do it like this:
Create a new property in "sys_properties" named "glide.authenticate.external.side_door_uri", of a type "string", and leave value blank.
As mentioned, the change of this property is not supported by ServiceNow technical support, and we strongly recommend that you have a way to access your instance using the side door method, in case your external authentication fails or is not able to authenticate your users.
Since this is not recommended, please do enough tests before you carry out this change.