Looking for a way for our ServiceNow users to make requests to the vRealize Catalog with a single service account instead of the user logged into SNOW/vRA. We have a few clients that are developing business logic in the form of a standard ServiceNow Catalog request. This standard request should be triggering a vRealize Catalog request while passing blueprint parameters. In the current state of the plugin, entitlements and requests revolve around the user who is logged in. A majority of our integrations start with business logic sitting at the ServiceNow level.
Dave
Which authentication mechanism is used in this scenario? Are you using an LDAP server on both vRA and ServiceNow, or on ServiceNow only and not on the vRA side?
If you are not using any LDAP server, the plugin will redirect you to the vRA login page, which allows the user to enter different credentials for vRA than the ServiceNow credentials. This means your vRA user is different from the presently logged-in ServiceNow user. There, the user can use a single service account.
The plugin does not have much responsibility for authentication. It uses the OAuth2 authentication mechanism, and the actual authentication is done by vRA or the LDAP server.
If you are planning to do it from a background script by using a 'script include', then let me know and I will help in that direction.
We'd ideally like to do it in the background with a script include so any help is much appreciated. We're looking for a seamless login process where the authentication will always be the service account. We'll also have traditional ServiceNow workflows spawning tasks to submit vRealize Catalog requests, passing values, and ideally use the service account for authentication.
We currently have both situations:
- where no LDAP is configured; vRA redirects; a service account can be used.
- SSO will be configured (Ping Federate)... Are other SSO products on the roadmap for support as an alternative to ADFS 2?
Is it possible for you to have LDAP (Ping Federate / ADFS 2.0) only for authentication to ServiceNow and not for vRA? That means vRA is no longer configured for any ADFS / Ping Federate server.
If the above-mentioned scenario is feasible in your case, we can make sure that users who have vRA access can only see the vRA login page and other users will continue to use their normal ServiceNow account. If a user is allowed to access vRA, that user will be shown the vRA login, where he/she can enter the service account credentials.
Was just curious if you ever made any progress on getting this to work with a single service account, as that would be the way we would prefer this to operate as well.
No, there is no decision yet on this topic of using a single service account.