Configuring the vRealize Automation Plug-in for ITSM (ServiceNow) v1.0.0 – Part 2 (SKKB1039)

It's only fair to share...Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Digg thisPin on PinterestShare on TumblrPrint this pageEmail this to someone

In this article we will take a look how to configure The vRealize Automation plugin for ServiceNow . The Plug-in enables ServiceNow users to deploy virtual machines and perform day 2 actions on CMDB resources using vRealize Automation catalog and governance capabilities.

This is Part 2. If you have not cmoppelted Part 1 go back and completed it.

PART 1: Configuring a Management, Infrastructure and Discovery (MID) Server and Configuring ADFS Integration with ServiceNow

Update Log:

Lab Environment

The full lab logical design can be seen HERE.

 

Configuring ADFS Integration with vRealize Automation

As part of SAML configuration to support ADFS integration with vRealize Automation and ServiceNow, you must configure ADFS integration with vRealize Automation.
This section covers how to configure ADFS Integration with vRealize Automation.

 

Create an Identity Provider

This section covers how to create an Identity Provider in vRealize Automation .

Download an instance of the ADFS federation metadata file by entering the file URL in your browser: https://ADFS hostname/federationmetadata/2007-06/federationmetadata.xml  

Log in as a tenant administrator in vRA.

Select Administration > Directories Management > Identity Providers

Select Add Identity Provider and then Create Third Party IDP.

Enter the appropriate values for the network range on the New IdP page

Property

Value

Identity Provider Name

ADFS Hostname

SAML Metadata

Paste the contents of the FederationMetadata.xml file that you edited and click Process IdP Metadata

Users

Check the specified domain

Network

Check My Machine

Authentication Methods

Enter SAML for the authentication method

SAML Context

Select urn:oasis:names:tc:SAML:2.0:ac:classes:Password from the Authentication Methods drop down menu.

Property NameID Policy Value

Select the emailAddress policy

Click Service Provider (SP) Metadata to download the SAML metadata file  and save it as sp.xml
Click Add.

Click Save.

 

Configure an ADFS Relying Trust with vRealize Automation

You can set up an ADFS relying party trust with vRealize Automation. A relying party trust object uses identifiers, names, and rules to identify a web application to the Federation Service.
You must set up an ADFS relying party trust and the appropriate claims rules.
This section covers how to configure an ADFS Relying Trust with vRealize Automation .

Log in to your ADFS server by opening Administrative Tools and finding  the ADFS console link.

Open the ADFS 2.0 Management console and select Trust Relationships > Relying Party Trusts.

Right-click on Relying Party Trust and select Add Relying Party Trust…

Click Start on the configuration wizard.

Select Import data about the relying party from a file on the Select Data Source page.
Import the vRealize Automation Service Provider metadata file, sp.xml, that you copied and saved previously when setting up the Identity Provider.

Click Next.

Enter a name for your vRealize Automation appliance instance in the Display text box on the Specify Display Name page.
You can also enter a description for the trust in the Notes text box.

Click Next on the Ready to Add Trust page.

Select Permit all users to access this relying party on the Choose Issuance Authorization Rules page.

Click Next.

Click Next on the Ready to Add Trust page.

Click Close on the Finish page.

Configuring Claim Rules for vRealize Automation ADFS Integration

When configuring ADFS integration with vRealize Automation, you must set up the appropriate claim rules to control the behavior of incoming and outgoing claims.
This section covers how to configure Claim Rules for vRealize Automation ADFS integration.

Right click the relying party trust that you created for vRealize Automation, and select Edit Claims Rules.

Select Add Rule on the Issuance Transform Rules tab.

Select Send LDAP Attributes as Claims as the template for the claim rule to create.

Click Next

Enter the name Get Attributes in the Claim rule name text box on the Configure Claim Rule wizard page.
Select Active Directory as the Attribute store.
Select the email addresses for LDAP attributes and the Outgoing Claim Type using the E-Mail Addresses drop-down in the Mapping of LDAP attributes to outgoing claim types section of the page.
Click OK.

Click Finish.

Select Add Rule.
You must add a rule that transforms the attributes received from LDAP in the Get Attributes rule into the desired SAML format.
Select Claims Using a Custom Rule

Click Next.

Enter the name Transformation in the Claim rule name text box on the Configure Claim Rule wizard page.
Paste the following text into the rule.
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"] => issue(Type = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType, Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress", Properties["http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/spnamequalifier"] = "vmwareidentity.domain.com");
Change vmwareidentity.domain.com in the last line of the pasted text to your vRealize Automation appliance fully qualified domain name.
Click Apply.

Click OK.

Install the vRealize Automation Plug-in for ServiceNow

The vRealize Automation plug-in for ServiceNow enables ServiceNow users to deploy virtual machines and perform day 2 actions on resources using vRealize Automation catalog and governance capabilities.
This section covers how to install the vRealize Automation Plug-in for ServiceNow.

 

Installing the vRealize Automation Plug-in for ServiceNow

This section covers how to install the vRealize Automation Plug-in for ServiceNow.

Log in to the ServiceNow portal as a system administrator.        

Select System Update Sets > Retrieved Update Sets.

Select Import Update Set from XML from the displayed menu.

Click the Browse button on the dialog to choose the file to upload, and then select the vRealize Automation ServiceNow XML file.
Click Upload.

In the Retrieved Update Sets list, select the vRealize Automation ServiceNow update set in the Name column and then Loaded in the State column.

Select Preview Update Set to validate the update set before committing it.
A dialog box will appear when the update set has been validated.

Inspect the update set information, and then click Commit Update Set.
A dialog box opens automatically after you click Commit Update Set while the commit action is in progress. A Close button appears on the dialog when the commit completes, and you can click this button to dismiss the dialog.

Click Update.

Select Retrieved Update Sets  in the left menu and verify that the VMware update set has a status of Committed.

Configure Users for the vRealize Automation Plug-in for ServiceNow

After you install the vRealize Automation plug-in for ServiceNow, you must configure users.
The ADFS configuration relies on the email address of users to be the same in vRealize Automation andSNOW for single sign on through ADFS.
We recommend setting up your users in both systems. Currently ADFS impacts all users in vRealize Automation and ServiceNow. ADFS allows login for vRealize Automation users that are not in ServiceNow. However, it does not allow login for ServiceNow users that are not in vRealize Automation.
Verify and update if necessary the appropriate users and roles in ServiceNow. See http://wiki.servicenow.com/index.php?title=Creating_Users_and_Associating_to_a_Group#gsc.tab=0 and http://wiki.servicenow.com/index.php?title=Creating_Roles#gsc.tab=0 for more information about working with users groups, and roles in ServiceNow.
The ServiceNow plugin for vRealize Automation uses the following ServiceNow roles:

User

Role

System Administrator

Administrator.

Catalog Admin

vrasn_catalog_admin

ITIL User

itil

End User

No required role

Approval Manager

approver_user

These ServiceNow users must map to appropriate users in your vRealize Automation Active Directory store for the specified tenant. For each configured user that will request machines from the catalog, you must configure the email address and apply the password in the Users System Administration in ServiceNow.

Note: Users with the ServiceNow roles described in the preceding table need to map to users with similar roles in vRealize Automation. For instance, most End Users would map to the Basic User role within a business group. In addition, the End User could also map to the Support or Business Group manager roles within a business group.
Itil Users can also map to Basic User, Support, or Business Group Manager roles. Itil Users may be more likely to be a support or Business Group Manager.
System Admin, Catalog Admin, and Approval Manager activities do not require a mapping to a specific role in vRealize Automation. However, we do recommend that the user exists in vRealize Automation for single sign on purposes using ADFS. You could, for example, have a SNOW system admin with any role in vRealize Automation or admin roles.

To set up the ServiceNow users, add the roles specified in the preceding table. Verify that the email address is the same as the user set up in vRealize Automation for single sign on through ADFS.

 

Configure the vRealize Automation Workflow for Requested Items

Assign the approval group that contains your ApprovalMgr to the vRealize Automation workflow  for approvals to be accepted upon machine requests.
The system admin should configure the vRealize Automation workflow for the requested item. You can access the workflow from the workflow editor. The workflow is configurable.
At a minimum, you must change the approval group to the group you want to receive approvals. When users request vRealize Automation catalog items, this workflow will be run, and approvals will be sent to this group before the request is submitted to vRealize Automation.
The Catalog Admin must choose whether to display categories within vRealize Automation Catalog menu item, or within Service Catalog alongside whatever else they use.
This section covers how to configure the vRealize Automation Workflow for Requested Items.

Log in to the ServiceNow portal as a system administrator.        

Search for Workflow Editor in the ServiceNow navigation pane and click it.

Open the vRealize Automation workflow

Click the menu button and select Checkout.

Double-click the Approval group stage in the workflow.
Click the Edit Groups button.
Search the list of groups and make the appropriate selections.
Lock your selection by clicking the Lock icon.
Click Update.

Click the menu button and select Publish.

Configure the vRealize Automation Plug-in for ServiceNow

After you install the vRealize Automation plug-in for ServiceNow, you must configure  users and basic settings.
The ADFS configuration relies on the email address of users to be the same in vRealize Automation and ServiceNow for single sign on through ADFS.
We recommend setting up your users in both systems. Currently ADFS impacts all users in vRealize Automation and ServiceNow. ADFS allows login for vRealize Automation users that are not in ServiceNow. However, it does not allow login for ServiceNow users that are not in vRealize Automation.
This section covers how to configure the vRealize Automation Plug-In for ServiceNow.

Log in to the ServiceNow portal as a system administrator.        

Select Integration – vRealize Automation > Basic Configurations.

Enter the appropriate settings for your vRealize Automation tenant, URL, and plugin.

Property

Description

MIDServer Name

The name of the MIDServer you created for use with vRealize Automation.

Hostname

URL address for the vRealize Automation appliance.

Integration User Username

The integration user name. The integration user must be a business group manager in all business groups. The integration user does not require a role in ServiceNow.

Integration User Password

The integration user password.

Import Catalog Items

Select Yes to import the vRealize Automation catalog.

Import Resources and CMDB

Select Yes to import vRealize Automation resources that end users own, and to import CMDB items for the itil user. Configuring the vRealize Automation Plug-in for ServiceNow

Import Request Statuses

Select Yes to import Request Statuses from Items.

Log Verbosity

Defines the error logging level. Levels are info, error, debug, and warning.

Report errors to Email Address

Email address to use for error reports.

Click Save.

 

Register the vRealize Automation Authentication Client for Single Sign-on

After installing the vRealize Automation plug-in for ServiceNow, you must register it for single sign-on within ServiceNow.
This section covers how to register the vRealize Automation Client for Single-Sign-On.

Log in to the ServiceNow portal as a system administrator.        

Select the Integration vRealize Automation menu item in ServiceNow.

Select Client Registration.

Enter the vRealize Automation client single sign on credentials, such as administrator, admininstrator password from vsphere.local tenant in vRealize Automation, in the first dialog labeled VRA Detail.

Enter a unique name for your plug-in client in the second dialog, labeled Client Detail.

Click Submit and wait until you see the Completed status in the upper menu bar with a green check mark.

Configure and Run Scheduled Import Jobs

Configure  and run scheduled import jobs for the vRealize Automation ServiceNow plug-in. In addition, you must add categories to the catalog.
On a first time install of the plugin, you must manually execute scheduled jobs to import the catalog and resources. Though there is a default schedule for running jobs, you should edit the schedule time in each import according to your needs as you execute each job. For example, you might want to import catalog items every 10 minutes for high provisioning use.
The plug-in provides scheduled imports with the following functions.

Scheduled Import

Description

vRealize Automation-AuthGenerator

Authenticates the Integration User

vRealize-Automation-ImportServicesAsCategories

Imports Services from vRealize Automation into ServiceNow as categories.

vRealize-Automation-ImportCatalogItems

Imports catalog items from vRealize Automation into ServiceNow as catalogs.

vRealize-Automation-ImportStorageReservationPolicies

Imports storage reservation policies displayed in request forms,

vRealize-Automation-ImportResourcesAndCMDB

Imports deployments and machines from vRealize Automation into ServiceNow so that end users can view the resources they own, and so that itil can view them in CMDB as applications and virtual machine instances.

vRealize-Automation-ImportRequestStatus

Imports request statuses from vRealize Automation requests into requested items.

vRealize-Automation-QueueDelete

Deletes the scheduled import queues that are older than the interval specified.

vRealize-Automation-ReconcileCMDB

Updates resources that have been destroyed in vRealize Automation so that end users no longer see them and itil users see them in CMDB in a retired state

This section covers how to configure and run scheduled import jobs.

Log in to the ServiceNow portal as a system administrator.        

Configure  the polling frequency for the scheduled imports.
Log in as the system admin.

Select Integration > vRealize Automation

Click the applicable job name to open the scheduled import.
Change the Repeat Interval in Days, Hours, Minutes, and Seconds.

Click Update.

For each job, complete the following steps before proceeding to the next job.
Select Integration > vRealize Automation
Click the Scheduled Imports link.
Click the applicable job name to open the scheduled script.

Click the Execute Now radio button in the upper right hand corner to run the script.

Run the scheduled jobs to import them. Make sure that each job is complete before starting the next one. Completed jobs are shown as "processed" in the Scheduled Import Queue.

 

Configure  the vRealize Automation Catalog or the Service Catalog to view categories. Choose the catalogs that you want end users to use for provisioning requests.
Select the vRealize Automation Catalog or Service Catalog

Select the plus sign in upper right corner to add vRealize Automation services, known as categories in ServiceNow, for provisioning.

Highlight the categories in the center pane and select Add here.

Final Step

If all went well, go grab a beer.

It's only fair to share...Share on FacebookTweet about this on TwitterShare on LinkedInShare on Google+Digg thisPin on PinterestShare on TumblrPrint this pageEmail this to someone

Leave a Reply

Your email address will not be published. Required fields are marked *