Service Desk Integration (SDIM) using the Generic Connector

Overview

We want to configure the Service Desk Integration Module (SDIM) using the Generic connector against ServiceNow (Snow). ISC ships a built-in ServiceNow service desk integration card that makes configuring ISC to Snow easy, but we will use the Generic connector, since it lets you connect to just about any ticketing system that exposes a REST API endpoint.

The service desk integration is useful for a variety of use cases; it lets ISC communicate with other parts of the organization. With it, ISC can open a ticket for identity and non-identity tasks to be carried out, and then monitor the completion of that task in the service desk tool.

We want to do the following in Snow (I will be using a developer instance):

  • Open an incident ticket
  • Put details of the request in the incident description: the name, employee ID and email.
  • Monitor the status of the task.
STEP ONE: SNOW setup tasks

1. Create or Use a ServiceNow API User

  • Create a dedicated integration user in ServiceNow (e.g. sailpointapi). I will be using Basic auth.
  • Assign the user only the roles it needs:
    • For incident creation: e.g. incident_creator. Do not give it itil or admin; if the integration credential leaks, the attacker should only be able to raise incidents, not read or modify the rest of the instance.
  • Make sure the user has REST API access and can authenticate using Basic Auth. Mark the user record as web-service-access-only so the credential cannot be used to log in to the UI, and treat the password like any other secret stored in ISC (rotate it on a schedule).

2. Identify the Target API Endpoint

We will be creating an incident, so:

  Purpose            Endpoint
  Create Incident    /api/now/table/incident  (Table API, POST)
  Manage Incidents   https://mytenant.service-now.com/incident_list.do  (UI list view, to see the tickets ISC raises)

3. Confirm JSON Payload Structure

Send this body to the Create Incident endpoint (a POST with Basic auth and Content-Type: application/json) and check that the response contains result.number; that is the value ISC will later extract as the ticket id.

{
  "short_description": "Test from SailPoint",
  "description": "If you see this, it works!"
}

STEP TWO: Get Source and Target applications ready

Source application: The source application is the system the target user belongs to (this is what the Requester Source setting refers to). For instance, if HR is the source, then the user should exist in the HR source. If you instead select a service account or a generic user that is not an HR user, the request will fail.

Target application: This is the target of our request to the service desk: we want an account created for the user, or access given to or removed from a user. The user does not have to exist in the application yet. This is usually a disconnected source; if it were a connected source, ISC would create the account or grant the access itself instead of raising a ticket. I have set up:

  • a flat file source called TLKappX.
  • Defined a schema and aggregated a few accounts.
  • Aggregated entitlements.
  • Edited the Create Profile and mapped account attributes to identity attributes.

Example Mappings:

  Account Attribute   Identity Mapping
  email               identity.email
  username            identity.preferredUsername
  firstName           identity.firstname
  lastName            identity.lastname

STEP THREE: Get Roles ready

  1. Create a Role called TLKAppX access and add the editor entitlement from TLKappX to it.

STEP FOUR: Configure Service desk integration

Let me discuss a couple of key items to note:

  • Velocity is the templating language used for any custom text (ticket fields, descriptions). For this example I will just dump all the information that is available in the request.
  • ISC sends the data in the Ticket Creation section as the request payload. Delete the sample description. Click Add a field and pick String for each top-level key of your payload; if a key holds a nested object, use Grouped Key-Value Pair instead.
  • For status mapping, Snow reports an incident's status as a number in the state field. Get the numbers your process uses and map them to the ISC statuses (Queued, Committed, Failed).

When the User Has No Existing Account

If a user does not have an account on the application source:

  • SailPoint triggers a provisioning plan with AccountRequest.op = ‘Create’
  • The Create Account Profile is used to generate account attributes
  • These attributes are included in the provisioning plan and sent to the source and/or SDIM

When the User Already Has an Account

If the user already has an account and you:

  • Add a new entitlement → AccountRequest.op = ‘Modify’, AttributeRequest.op = ‘Add’
  • Remove an entitlement → AccountRequest.op = ‘Modify’, AttributeRequest.op = ‘Update’

Important: The Modify Account Profile is not invoked in these cases. No identity or account attributes are included unless explicitly injected.

Use a Before Provisioning Rule to Inject Attributes

To pass additional attributes during entitlement changes, use a Before Provisioning Rule. The rule should detect entitlement-related operations and inject the needed attributes itself.

Example logic (BeanShell fragment of an ISC Before Provisioning rule; plan and identity are the rule's inputs):

// 'plan' and 'identity' are supplied to the Before Provisioning rule by ISC.
import sailpoint.object.ProvisioningPlan.AccountRequest;
import sailpoint.object.ProvisioningPlan.AttributeRequest;

if (plan.getAccountRequests() != null) {
  for (AccountRequest accReq : plan.getAccountRequests()) {
    if ("Modify".equals(accReq.getOp()) && accReq.getAttributeRequests() != null) {
      for (AttributeRequest attrReq : accReq.getAttributeRequests()) {
        // getOp() returns the operation as a String; getOperation() returns an enum,
        // which never equals "Add", so comparing against it would match nothing.
        if ("Add".equals(attrReq.getOp()) || "Update".equals(attrReq.getOp())) {
          accReq.setAttribute("email", identity.getEmail());
          accReq.setAttribute("username", identity.getAttribute("preferredUsername"));
          accReq.setAttribute("employeeNumber", identity.getAttribute("employeeNumber"));
        }
      }
    }
  }
}

Begin configuration

Go to Admin/Connections/Service desk

Click Create

Name: My Snow generic

Description: My Snow generic

Integration Type: Generic SDIM

Ticket Type: generic

Sources: TLKAppX

Click Next

Connectivity And Authentication

URL: https://mytenant.service-now.com/

Authentication Type: Basic

Username: Sailpointsnowapi

Password: ************

Ticket Creation

Short Description: Access request for $.plan.arguments.requested_for

Description: #foreach($item in $request.items) Item Name: $!item.name $newline Value: $!item.value $newline Operation: $!item.Operation $newline #end

Advanced Options

Process Response Element Expression

Request Root Element

Request Root Element Type: JSONObject

Resource: /api/now/table/incident

Response Element: $.result.number

Status Mappings

  IdentityNow Status   Generic SDIM Status (incident.state)
  Queued               1
  Committed            7
  Failed               8

ServiceNow's default incident states are 1 New, 2 In Progress, 3 On Hold, 6 Resolved, 7 Closed and 8 Canceled, so with this mapping a ticket that is merely Resolved (6) does not complete the request; it has to be Closed (7). Check that your Snow process actually closes incidents, or map Resolved to Committed as well if that is the point at which you consider the work done.

Advanced Properties (ticket status check)

Resource: /api/now/table/incident?number=$ticketId&sysparm_fields=state,close_notes

Response Element: $.result[0].state

$ticketId is the value ISC saved from the Response Element of the creation call ($.result.number). The GET filters the incident table on that number and returns only the state and close_notes fields; the state is what the Status Mappings above translate.

Requester Source

Requester Source: MyAD

STEP FIVE: Give the Role access to a User

  1. Go to the Role for TLKAppX and add to its assignment a user that does not have an account in TLKAppX. The user should exist in MyAD.
  2. You should see an incident ticket created in Snow.
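To see the whole round trip the configuration above produces, here is an added example (my own code, not ISC, SailPoint or ServiceNow code) that does in plain Python what the Generic SDIM connector does: POST the incident with Basic auth and the two ticket fields, take the ticket id from $.result.number, poll the status Resource with $ticketId substituted, and translate $.result[0].state with the Status Mappings table. The tenant URL, resource path and mapping are the ones from this post; the user name, password, request item and FakeServiceNow class are constructed so the script runs offline, and passing urllib.request.urlopen as the opener sends the same requests to a real tenant.

```python
"""Added example: the Generic SDIM create-and-poll flow against the ServiceNow Table API.
FakeServiceNow is a constructed stand-in so this runs offline; use urlopen for a real tenant."""
import base64
import io
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

BASE_URL = "https://mytenant.service-now.com"   # tenant URL from the post
INCIDENT_RESOURCE = "/api/now/table/incident"    # Resource from the post

# Status Mappings from the post: incident.state -> ISC status. ServiceNow defaults are
# 1 New, 2 In Progress, 3 On Hold, 6 Resolved, 7 Closed, 8 Canceled; an unmapped state
# (e.g. 6) is reported as None, i.e. the request is still pending.
STATE_TO_ISC = {"1": "Queued", "7": "Committed", "8": "Failed"}


def basic_auth_header(user: str, password: str) -> str:
    """Authorization header value for Authentication Type: Basic."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def render_description(items: list) -> str:
    """Python equivalent of the Velocity Description template: one Item Name / Value /
    Operation block per provisioning item."""
    return "\n".join(
        f"Item Name: {i['name']}\nValue: {i['value']}\nOperation: {i['op']}" for i in items)


def build_create_request(user: str, password: str, requested_for: str, items: list) -> Request:
    """The Ticket Creation call: JSON body with the two fields configured in the post."""
    body = {"short_description": f"Access request for {requested_for}",
            "description": render_description(items)}
    return Request(BASE_URL + INCIDENT_RESOURCE, data=json.dumps(body).encode(),
                   headers={"Authorization": basic_auth_header(user, password),
                            "Content-Type": "application/json", "Accept": "application/json"},
                   method="POST")


def build_status_request(user: str, password: str, ticket_id: str) -> Request:
    """The Advanced Properties status check, with $ticketId substituted into the query."""
    query = urlencode({"number": ticket_id, "sysparm_fields": "state,close_notes"})
    return Request(f"{BASE_URL}{INCIDENT_RESOURCE}?{query}",
                   headers={"Authorization": basic_auth_header(user, password),
                            "Accept": "application/json"}, method="GET")


def send(req: Request, opener=urlopen) -> dict:
    """Execute a request and parse the JSON body; the default opener is a real HTTP call."""
    with opener(req) as resp:
        return json.loads(resp.read())


def ticket_id_from_create(body: dict) -> str:
    """Response Element $.result.number."""
    return body["result"]["number"]


def isc_status_from_poll(body: dict):
    """Response Element $.result[0].state, then the mapping. Returns (state, isc_status)."""
    results = body.get("result") or []
    if not results:  # wrong number, or the API user has no read ACL on the incident
        raise LookupError("ticket not found in poll response")
    state = str(results[0]["state"])
    return state, STATE_TO_ISC.get(state)


class FakeServiceNow:
    """Constructed stand-in for the tenant: checks Basic auth, stores incidents and
    answers both calls with Table API response shapes. Not real ServiceNow behaviour."""

    def __init__(self, expected_auth: str):
        self.expected_auth = expected_auth
        self.incidents = {}
        self.next_number = 10001

    def set_state(self, number: str, state) -> None:
        self.incidents[number]["state"] = str(state)  # an agent working the ticket

    def __call__(self, req: Request):
        if req.get_header("Authorization") != self.expected_auth:
            raise PermissionError("401 Unauthorized")
        if req.get_method() == "POST":
            record = json.loads(req.data)
            record.update(number=f"INC{self.next_number:07d}", state="1")  # new tickets are New
            self.next_number += 1
            self.incidents[record["number"]] = record
            body = {"result": record}
        else:
            wanted = parse_qs(urlparse(req.full_url).query).get("number", [None])[0]
            hits = [r for n, r in self.incidents.items() if n == wanted]
            body = {"result": [{"state": r["state"], "close_notes": r.get("close_notes", "")}
                               for r in hits]}
        return io.BytesIO(json.dumps(body).encode())


def run_flow(opener, user: str, password: str, requested_for: str = "jdoe"):
    """Create a ticket for one constructed 'Add editor' item and poll it once.
    Returns (ticket_id, state, isc_status)."""
    items = [{"name": "editor", "value": "editor", "op": "Add"}]
    created = send(build_create_request(user, password, requested_for, items), opener)
    ticket = ticket_id_from_create(created)
    state, status = isc_status_from_poll(send(build_status_request(user, password, ticket), opener))
    return ticket, state, status


if __name__ == "__main__":
    snow = FakeServiceNow(basic_auth_header("sailpointapi", "secret"))  # constructed credentials
    print(run_flow(snow, "sailpointapi", "secret"))
```

Two things worth noticing when you run it: a fresh incident comes back as state 1, which is why Queued is mapped to 1, and once the fake agent moves it to 6 the mapping yields nothing, so the request would sit in Queued until the ticket is Closed (7) or Canceled (8). The same functions also show what a wrong password or an incident the API user cannot read look like (a 401 on the create call, an empty result array on the poll).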
2 Likes

Thanks!

A small addition: in case we want to send more fields to the ServiceNow ticket, we only get a few by default, like first name, last name etc. Email is not default AFAIK, so we need to create a new Before Provisioning rule where we get the email data onto a field and use that in the ticket fields.

eg : $.plan.arguments.email

1 Like

Regarding email: if it's not part of your Create Account Profile then you have to get it via a Before Provisioning rule (for a new request for a user). For change requests you have to get all attributes via a Before Provisioning rule.

2 Likes