Integrating ServiceNow with OIG Access Requests

One of the standard integration points with Okta Identity Governance (OIG) Access Requests is to log a ticket of an access request in an ITSM tool like ServiceNow. This article explores the integration between OIG Access Requests and ServiceNow.

Article contents:

Overview of Integration

The primary focus of the Okta Identity Governance (OIG) Access Requests function is to present workflows for users to request access, and optionally have some review/approval mechanism, before applying access changes to entitlements in Okta (such as group memberships or application assignments). It can also integrate with ITSM/ticketing tools, like ServiceNow and Jira, to log tickets. This is shown in the following figure.

Okta Identity Governance Architectural Overview with ITSM Integration

Why would you need to integrate with a ticketing system if OIG Access Requests is providing the service catalog and access request workflows (that could also be done in a tool like ServiceNow)? You probably wouldn’t. If you are already using ServiceNow to expose an access catalog and have access request flows, you’re probably not going to also use OIG Access Requests for the same function.

But there are use cases where it makes sense to log a ticket on the back of an OIG Access Request flow, such as when all change must be logged in the ticketing tool for audit or reporting purposes. OIG Access Requests has integration with Jira and ServiceNow for that use case. The remainder of this article will look at the ServiceNow integration.

ServiceNow Integration Setup

OIG Access Requests has four integrations currently: Slack, Jira and ServiceNow, and Okta itself (Microsoft Teams is planned to be available at GA). Each is configured in the Settings page in the Access Request interface.

Integrations in OIG Access Requests

The first time you click the Connect button for ServiceNow you are prompted to enter the ServiceNow Instance ID, Client ID and Client Secret. The OIG product documentation describes how to setup for OAuth and get the Client ID and Secret.

With the connection established, you need to assign Teams and the Actions (one only in this case) for the connection. This is the same as you would have done for the Okta connection.

Selecting Teams for ServiceNow Integration

With this done, you’re ready to add the ServiceNow Create request action to a flow.

Adding ServiceNow Ticket Creation to a Flow

For this example, I’m going to add a ServiceNow action to an existing workflow. At the bottom of the workflow builder screen, there are new actions available as shown below.

Adding the ServiceNow Action into the Flow

Selecting ServiceNow > Create request will add the [ServiceNow] Create request action to the flow.

There are two arguments (fields) for this action, Requested for (who the ticket is being logged for) and Assignment group (group in ServiceNow who will own the ticket).

The assignment groups were pulled from the ServiceNow instance when the connection was made and stored in a Configuration item list called Assignment groups. The appropriate group is selected and assigned to the Assignment group field.

Specifying the Assignment Group in Action

Note that this means that if you want to assign the ticket to different teams, you may need different workflows, or a workflow with appropriate Logic to call different actions with different Assignment groups.

The configured action is shown below.

ServiceNow Action Configured

Finally, some logic is added so it will only run if the request was approved by the manager and the Okta provisioning step completed.

Logic Applied to Step in Flow

This flow is now ready to run.

Executing the Flow

The workflow appears in the relevant users App Catalog.

User Selects the Access Request

The flow runs, with approval and provisioning steps, then runs the Log Ticket in SNow step. You can see the request number in the flow results (which is a link to the ticket in ServiceNow).

Completed Flow in Access Requests

Checking ServiceNow, the new request has appeared in the Requests list.

Ticket List in ServiceNow

Within the request, we can see the Requested for field is populated (this is the Requested for field in the Access Requests action). The Description field contains all of the information from the request flow in Access Requests. The Short description is the name of the workflow in Access Requests.

New Ticket in ServiceNow

Thus was have created a ticket in ServiceNow from the request flow in Access Requests.

Conclusion

Okta Identity Governance Access Requests has the ability to log tickets in ITSM tools like ServiceNow and Jira. This article has shown how to configure the integration and how to add an action to create a ServiceNow ticket within an access request workflow.

Leave a Reply