Step-by-Step Guide for ServiceNow Service Catalog Integration with SailPoint IDN

Hi Team,

I am looking for a detailed step-by-step guide to integrate ServiceNow Service Catalog with SailPoint IdentityNow (IDN) for application request provisioning. My goal is to allow users to raise access requests from ServiceNow, which should then follow an approval and provisioning flow based on the type of application:

Requirements:

  1. For Connected Applications (Managed by IDN):
  • User raises an application access request in ServiceNow Service Catalog.
  • The request goes through Manager Approval in ServiceNow.
  • If approved, the request is sent to IDN for provisioning.
  2. For Disconnected Applications (Not Managed by IDN):
  • User raises a request in ServiceNow Service Catalog.
  • The request goes through Manager Approval in ServiceNow.
  • If approved, instead of going to IDN, it should be sent to the respective Service Desk (SD) team for manual provisioning.

Key Challenges:

  • How to configure the ServiceNow Catalog Item for application requests?
  • How to implement a workflow in ServiceNow that routes requests based on whether the application is Connected (Provisioned via IDN) or Disconnected (Handled by SD Team)?
  • How to configure ServiceNow to trigger an API call to IDN for Connected Applications?
  • Best practices for tracking request status and notifications in ServiceNow and IDN.

Would really appreciate any guidance or best practices from those who have implemented this integration before!

Thanks in advance! :blush:

Do you have the managed access module for ServiceNow? This module does exactly what you are looking for. It is an application on the ServiceNow store that works with the Request Center in ISC and allows users to submit requests to ISC for access, following ServiceNow approval workflows.

ServiceDesk is primarily used to open tickets when ISC does not know how to provision access. When you enable an application in ServiceDesk, it will always open a ticket in ServiceNow and ISC will not provision access, but will instead open a ticket for a fulfillment team to complete. This is great for applications that cannot be automated.

Hope this helps. Managed access is controlled by the Request Center in ISC so anything you have made requestable will show up.

To be honest, this is a pretty big ask to expect a community member to publish a step-by-step guide to do this completely from scratch.

I have created completely custom access request processes in ServiceNow that integrate with IdN, but we also utilize the ServiceNow for Service Catalog Integration, which is a turn-key solution.

If you wish to go the custom route, there are a few things to consider:

  • How do you plan to source the requestable items and present them to the user? Is your plan to load all requestable entitlements at once via something like an onLoad catalog client script? Or do you wish for the requestor to do some filtering first, like first selecting an application/source and then having an onChange catalog client script return a list of entitlements/access profiles from the selected source?
  • In the use case above, that would only allow the user to select a single access item at a time. If your requirement is to allow the user to select multiple access items at once, that requires the use of a list collector, which means you have to have the available entitlements/access profiles stored in a table in ServiceNow
  • Your workflow will need to have a step to determine whether or not the source of the requested access item supports provisioning or not to decide whether or not it needs to send a provisioning request to SailPoint or to create a catalog task
  • In the case of a disconnected source, are all requests going to go to the same team? If not, where will you store the mappings of sources to teams?

As far as the provisioning requests and tracking go, you would just use the create-access-request API endpoint, which returns an account activity Id. You would then utilize the get-account-activity API endpoint to track the status of the provisioning request in SailPoint, and complete the ServiceNow workflow once the provisioning request is completed.

Perhaps as an example to give some inspiration, here is a custom access request process I created in ServiceNow that is backended by IdN.

On the request form, the user can either request a “template role” (which is just a role in IDN) or request a specific access profile that is mapped to a specific SAP system.

The drop-down is filtered based on what the user selects in the drop-down above. Since my ServiceNow instance stores all the SailPoint roles/entitlements/access profiles in a table, I am able to let the user select more than one access profile at a time. For each access profile selected, the workflow will generate an additional RITM tied to the same REQ record, so that each access profile has an individual approval.

The workflow has two approval stages - the manager of the requestor, and the owner of the access profile. The latter is populated by querying the SailPoint API at runtime and storing the owner record in the workflow scratchpad.

Since I have these records stored in a ServiceNow table, I have a flag on each record to say whether or not the provisioning is manual or automated. If it’s automated, it sends the request to IdN. If it’s manual, it assigns it to a specific assignment group that comes from a custom reference field on the catalog item itself.

This workflow is able to be shared across multiple catalog items, so creating catalog items for specific applications is very easy. It also contains a couple of extra features like the ability to set a delayed provisioning start, a sunset date on the access, a check to see if the user already has the access assigned, as well as a preventative SOD check.

Here’s a screenshot of that workflow
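
The routing decision and status tracking described in the reply above, as an added example that is not part of the original post and is not SailPoint or ServiceNow code. The table rows, function names, identity id and assignment group are hypothetical, and the payload field names and `completionStatus` values are assumptions to verify against the SailPoint API reference for create-access-request and get-account-activity.

```javascript
// Added example, not from the thread. Table rows, function names and the
// assignment group are hypothetical; payload fields and status values are
// assumptions to verify against the SailPoint API reference.

// Constructed sample of a ServiceNow table mirroring SailPoint access items.
const accessItems = [
  { id: 'ap-001', type: 'ACCESS_PROFILE', provisioning: 'automated' },
  { id: 'ap-002', type: 'ACCESS_PROFILE', provisioning: 'manual' },
  { id: 'ap-003', type: 'ACCESS_PROFILE' }, // flag missing on purpose
];

// Route one RITM. Both approvals must be present, and only an explicit
// "automated" flag reaches IdN; a missing or unknown flag falls back to a
// catalog task (fail closed).
function routeRequest(item, identityId, assignmentGroup, approvals) {
  if (!approvals.manager || !approvals.owner) {
    return { action: 'none', reason: 'approval incomplete' };
  }
  if (item.provisioning !== 'automated') {
    return { action: 'catalog_task', assignmentGroup };
  }
  return {
    action: 'idn_request',
    payload: {
      requestedFor: [identityId],
      requestType: 'GRANT_ACCESS',
      requestedItems: [{ type: item.type, id: item.id }],
    },
  };
}

// Decide the next workflow step from one get-account-activity response.
// Polling is bounded so a stuck activity escalates instead of looping forever.
function nextStep(activity, pollCount, maxPolls) {
  const status = activity && activity.completionStatus;
  if (status === 'SUCCESS') return 'close_complete';
  if (status === 'FAILURE' || status === 'INCOMPLETE') return 'create_task';
  return pollCount >= maxPolls ? 'escalate' : 'wait';
}

const ok = { manager: true, owner: true };
for (const item of accessItems) {
  console.log(item.id, routeRequest(item, 'id-123', 'SD Team', ok).action);
}
```

In a ServiceNow workflow, `nextStep` would run after each timer-driven poll, with the account activity Id kept on the RITM so the request can be audited against the SailPoint record.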

Hi Mark,

Thank you for your guidance!

Could you please provide a step-by-step guide for integrating the ServiceNow Service Catalog? It would be really helpful if you could share the exact configuration details required after downloading the SailPoint Identity Security Cloud Service Catalog in ServiceNow. This will greatly assist in setting up the integration and improving understanding.

Looking forward to your response.

Hi @hkhandale,
Please go through the document below; it has a step-by-step guide on how to configure the ServiceNow Catalogue Integration.