ConductorOne docs

Set up a ServiceNow connector

ConductorOne provides identity governance for ServiceNow. Integrate your ServiceNow instance with ConductorOne to run user access reviews (UARs) and enable just-in-time access requests.

Capabilities

Resource	Sync	Provision
Accounts	✅
Groups	✅
Roles	✅

This connector can also be configured to automatically create and update ServiceNow tickets to track manual provisioning assignments. Go to Configure ServiceNow as an external ticketing provider to learn more.

Available hosting methods

Choose the hosting method that best suits your needs:

Method	Availability	Notes
Cloud-hosted	✅	A built-in, no-code connector hosted by ConductorOne.
Self-hosted	✅	The ServiceNow connector, hosted and run in your own environment.

Gather ServiceNow credentials

Each setup method requires you to pass in credentials generated in ServiceNow. Gather these credentials before you move on.

You’ll need your ServiceNow deployment, which is found in the URL of your ServiceNow instance. For example, if your URL is https://example12345.service-now.com, your deployment ID is example12345.
You’ll also need the username and password for a user who has either the Admin role in ServiceNow or an access control list able to access the following ServiceNow tables:
- sys_user - Users
- sys_user_role - Roles
- sys_user_group - Groups
- sys_user_grmember - Group membership
- sys_user_has_role - User roles
- sys_group_has_role - Group roles

That’s it! Next, move on to the instructions for your chosen setup method.

Set up a ServiceNow cloud-hosted connector

To complete this task, you’ll need:
The Connector Administrator or Super Administrator role in ConductorOne
Access to the set of ServiceNow credentials generated by following the instructions above

In ConductorOne, navigate to Admin > Connectors and click Add connector.
Search for ServiceNow and click Add.
Choose how to set up the new ServiceNow connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
Find the Settings area of the page and click Edit.
In the Deployment field, enter the ServiceNow deployment.
In the Password and Username fields, enter the credentials for your ServiceNow account.
The user whose credentials you enter must have either the Admin role in ServiceNow or an access control list able to access the following ServiceNow tables:
- sys_user - Users
- sys_user_role - Roles
- sys_user_group - Groups
- sys_user_grmember - Group membership
- sys_user_has_role - User roles
- sys_group_has_role - Group roles
Optional. If you want to automatically create ServiceNow tickets to track provisioning tasks, click to Enable external ticket processing. Read more about external ticketing system integrations here.
If you enable this option, you can add a catalog ID or category ID to filter down catalog items. These fields are optional, but ConductorOne only syncs 100 catalog items, so filtering is recommended.
Click Save.
The connector’s label changes to Syncing, followed by Connected. You can view the logs to ensure that information is syncing.

That’s it! Your ServiceNow connector is now pulling access data into ConductorOne.

Set up a ServiceNow cloud-hosted connector using Terraform

As an alternative to the cloud-hosted setup process described above, you can use Terraform to configure the integration between ServiceNow and ConductorOne.

See the ConductorOne ServiceNow integration resource page in the ConductorOne Terraform registry for example usage and the full list of required and optional parameters.

Set up a ServiceNow self-hosted connector

To complete this task, you’ll need:
The Connector Administrator or Super Administrator role in ConductorOne
Access to the set of ServiceNow credentials generated by following the instructions above

When running in service mode on Kubernetes, a self-hosted connector maintains an ongoing connection with ConductorOne, automatically syncing and uploading data at regular intervals. This data is immediately available in the ConductorOne UI for access reviews and access requests.

Why use Kubernetes? Kubernetes provides automated deployment, scaling, and management of your connectors. It ensures high availability and reliable operation of your connector services.

Step 1: Configure the ServiceNow connector

In ConductorOne, navigate to Connectors > Add connector.
Search for Baton and click Add.
Choose how to set up the new ServiceNow connector:
- Add the connector to a currently unmanaged app (select from the list of apps that were discovered in your identity, SSO, or federation provider that aren’t yet managed with ConductorOne)
- Add the connector to a managed app (select from the list of existing managed apps)
- Create a new managed app
Set the owner for this connector. You can manage the connector yourself, or choose someone else from the list of ConductorOne users. Setting multiple owners is allowed.
If you choose someone else, ConductorOne will notify the new connector owner by email that their help is needed to complete the setup process.
Click Next.
In the Settings area of the page, click Edit.
Click Rotate to generate a new Client ID and Secret.
Carefully copy and save these credentials. We’ll use them in Step 2.

Step 2: Create Kubernetes configuration files

Create two Kubernetes manifest files for your ServiceNow connector deployment:

Secrets configuration

# baton-servicenow-secrets.yaml
apiVersion: v1
kind: Secret
metadata:
  name: baton-servicenow-secrets
type: Opaque
stringData:
  # ConductorOne credentials
  BATON_CLIENT_ID: <ConductorOne client ID>
  BATON_CLIENT_SECRET: <ConductorOne client secret>
  
  # ServiceNow credentials
  BATON_DEPLOYMENT: <URL of the ServiceNow deployment>
  BATON_PASSWORD: <Password to the ServiceNow account>
  BATON_USERNAME: <Username for the ServiceNow account>

See the connector’s README or run --help to see all available configuration flags and environment variables.

Deployment configuration

# baton-servicenow.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: baton-servicenow
  labels:
    app: baton-servicenow
spec:
  selector:
    matchLabels:
      app: baton-servicenow
  template:
    metadata:
      labels:
        app: baton-servicenow
        baton: true
        baton-app: servicenow
    spec:
      containers:
      - name: baton-servicenow
        image: ghcr.io/conductorone/baton-servicenow:latest
        imagePullPolicy: IfNotPresent
        envFrom:
        - secretRef:
            name: baton-servicenow-secrets

Step 3: Deploy the connector

Create a namespace in which to run ConductorOne connectors (if desired):
```
kubectl create namespace conductorone
```

Apply the secret configuration:

kubectl -n conductorone apply -f baton-servicenow-secrets.yaml

Apply the deployment:

kubectl -n conductorone apply -f baton-servicenow.yaml

Step 4: Verify the deployment

Check that the deployment is running:
```
kubectl -n conductorone get pods
```

View the connector logs:

kubectl -n conductorone logs -l app=baton-${baton-servicenow}

Check that the connector data uploaded correctly. In ConductorOne, click Applications. On the Managed apps tab, locate and click the name of the application you added the ServiceNow connector to. ServiceNow data should be found on the Entitlements and Accounts tabs.

That’s it! Your ServiceNow connector is now pulling access data into ConductorOne.