Overview

Once you connect EmpowerID to ServiceNow, you can configure ServiceNow to manage groups within EmpowerID, and to create EmpowerID groups from ServiceNow. This topic explains how ServiceNow works with EmpowerID. For details on how to set all of this up, see Configuring ServiceNow for Groups.

The main connection point for group creation in ServiceNow is a REST message with three methods that call the EmpowerID REST API. All other configuration supports this message.

  • AccessToken - Gets the access token for web API calls.
  • Resume Workflow POST - Tells EmpowerID the approval decision so that it can resume the workflow.
  • Default POST - Tells EmpowerID that a group was requested in ServiceNow.

A Business Rule on the ServiceNow Approval table passes parameter values to the Resume Workflow POST's responseBody, and saves any updates to the Approval table.

When you create a ServiceNow group in EmpowerID

In the Create Group workflow, the SendGroupRequestToServiceNow activity detects whether you selected ServiceNow as the Group Creation Location. If so, EmpowerID sets up a request task to send to ServiceNow. You also configure an Approval rule in ServiceNow, so that the request task goes for approval.

In this request, EmpowerID sends the same information it sends other account stores (description, opened by, created by, task type, etc.), plus two new custom fields: workflowinstanceid and workflowcorrelationid.

On the ServiceNow side, the request is approved or rejected, and then the Resume Workflow POST REST message sends a callback from ServiceNow to let EmpowerID know the results.

The request pulls the following parameter values from the Approval Business Rule in ServiceNow, and the business rule passes the values to the REST message's responseBody.

  • workflowinstanceid
  • workflowcorrelationid
  • IsApproved

The REST message calls an anonymous endpoint in your EmpowerID server:

    https://FQDN/api/services/v1/ServiceNowWF/resume

where FQDN is your fully qualified domain name (e.g., sso.empowersso.com). This REST message must run using an EmpowerID admin account.

Finally, in EmpowerID, the SendGroupRequestToSN_ResumeExecuteCode event receives the decision and resumes the Create Group workflow.
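
The callback exchange described above, as an added example that is not EmpowerID or ServiceNow code: one side builds the body from the three listed parameters, the other accepts a decision only for a request it actually sent. The JSON body shape, the pending-request store, the sample IDs, and all function names are assumptions made for illustration.

```javascript
// Added illustration; hypothetical names throughout, not product code.

// Sender side: serialize the three values the Business Rule supplies.
function buildResumeBody(workflowinstanceid, workflowcorrelationid, isApproved) {
  return JSON.stringify({ workflowinstanceid, workflowcorrelationid, IsApproved: isApproved });
}

// Receiver side: requests sent out and still awaiting a decision,
// stored as workflowinstanceid -> workflowcorrelationid.
function makePendingStore(entries) {
  return new Map(entries);
}

function handleResume(rawBody, pending) {
  let msg;
  try {
    msg = JSON.parse(rawBody);
  } catch (e) {
    return { ok: false, reason: 'malformed body' };
  }
  if (msg === null || typeof msg !== 'object') {
    return { ok: false, reason: 'malformed body' };
  }
  const { workflowinstanceid: id, workflowcorrelationid: corr, IsApproved: approved } = msg;
  if (typeof id !== 'string' || typeof corr !== 'string') {
    return { ok: false, reason: 'missing id' };
  }
  // Strict type check: the string "false" is truthy and must never count as approval.
  if (typeof approved !== 'boolean') {
    return { ok: false, reason: 'IsApproved not boolean' };
  }
  if (!pending.has(id)) {
    return { ok: false, reason: 'unknown or already resumed' };
  }
  if (pending.get(id) !== corr) {
    return { ok: false, reason: 'correlation mismatch' };
  }
  pending.delete(id); // one decision per request, so a replay finds nothing
  return { ok: true, approved };
}

// Constructed sample data: one outstanding request.
const demoPending = makePendingStore([['wf-001', 'corr-abc']]);
console.log(handleResume(buildResumeBody('wf-001', 'corr-abc', false), demoPending));
console.log(handleResume(buildResumeBody('wf-001', 'corr-abc', true), demoPending));
```

The second call is rejected: once a decision has been consumed, a later message for the same request cannot flip a rejection into an approval.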

When you create an EmpowerID group in ServiceNow

In ServiceNow, when a user goes to the Self-Service Services catalog and requests an EmpowerID group, the Default POST REST message calls an anonymous endpoint in your EmpowerID server:

    https://FQDN/api/services/v1/workflow/start

where FQDN is your fully qualified domain name (e.g., sso.empowersso.com). This REST message must run using an EmpowerID admin account.

In EmpowerID, the Create Group workflow starts, using the information from the Default POST REST message to create groups.

Once you have connected EmpowerID to ServiceNow, you can view and manage the users and groups associated with it from the ServiceNow Manager page in EmpowerID, located at https://<YourEmpowerIDServer>/UI/#Common/Find/ServiceNowManager