Can I integrate my ServiceNow instance with my Splunk dev environment?
I have a ServiceNow developer instance. Can I integrate it with my Splunk dev environment?
The Splunk add-on I am trying to use is https://splunkbase.splunk.com/app/1928
I have this integration working on my environment and it works like a charm! Just keep in mind that the user you configure in the add-on to be used in this integration must have access to ServiceNow to read/write the proper tables that you want to interface (events, incidents, etc).
In my case, our API users that are given by ServiceNow don't have access to the UI for security purposes, so I wasn't able to make the configuration via Add-On UI as it returns HTTP 400 status, but if you do the configuration via conf file it goes just fine. Today I use this add-on to ingest data from ServiceNow to Splunk (incidents, requests, changes, cmdb) and also to create incidents on ServiceNow from Splunk alerts via alert action.
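
A read-only preflight for the point in the reply above that the account configured in the add-on needs access to the tables it will interface with. This is an added example, not part of the original post or the add-on's own code. It queries the ServiceNow Table API with basic auth; the table list is an assumption, and write access is not exercised.

```python
import base64
import urllib.error
import urllib.request

# Assumed table names for the data mentioned in the post; adjust to your instance.
TABLES = ["incident", "change_request", "sc_request", "cmdb_ci"]

def build_request(instance_url, table, user, password):
    """GET a single row from `table` through the Table API using basic auth."""
    url = f"{instance_url.rstrip('/')}/api/now/table/{table}?sysparm_limit=1"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Authorization": f"Basic {token}", "Accept": "application/json"})

def http_status(request):
    """Default transport: return the HTTP status code, error statuses included."""
    try:
        with urllib.request.urlopen(request, timeout=15) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def classify(status):
    """Map an HTTP status to a verdict on the integration account."""
    if status == 200:
        return "ok"
    if status == 401:
        return "authentication failed"
    if status == 403:
        return "authenticated, but no access to this table"
    return f"unexpected HTTP {status}"

def check_account(instance_url, user, password, tables=TABLES, transport=http_status):
    """Return {table: verdict}; `transport` is injectable so this can run offline."""
    return {t: classify(transport(build_request(instance_url, t, user, password)))
            for t in tables}

if __name__ == "__main__":
    import getpass
    import sys
    # Usage: script.py https://<instance>.service-now.com <api_account>
    instance, account = sys.argv[1], sys.argv[2]
    for table, verdict in check_account(instance, account, getpass.getpass()).items():
        print(f"{table:16} {verdict}")
```
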
Hi Victor,
I hope you are having a good week so far.
It seems like you know what I don't.
We are using the add-in between SNOW and Splunk. We use the API for both systems to integrate.
For this purpose I created an account in SNOW with access to the Splunk and incident table that cannot log in using the "user interface". When we test the creation of an incident from the Splunk interface, OAuth2 works fine but then, in addition, it uses the account of the person running the test to log in to ServiceNow.
I thought that OAuth2 would be sufficient. Why would it ask for another user/pwd?
regards,
Max
Hi @elcuchi ,
OK, I use basic auth instead of OAUTH, so it's a different scenario. OAUTH was not available on our first tested TA versions and we never moved away from it (which I should prioritize now). Did you test basic, or is that not an option?
Thing is, for basic auth: Whenever you configure the ServiceNow account in the TA, you'll have to pass that account as parameter for the ServiceNow action commands OR reference it in the alert action (it is the first field it asks you to fulfill). That is the account the TA will use to open the REST connection with ServiceNow and push the data there (either event or incident).
AFAIK, there is no configuration on the TA that uses the actual Splunk logged in user in the authentication context to ServiceNow to trigger those actions. Behind the scenes, every communication is done via the account configured in the TA, at least this is how it works for me while using this TA for the past 4-5 years.
So, question: How are you testing this? (Based on your "when we test the creation of an incident from splunk interface" statement)
For OAUTH it may be different, but according to the documentation I don't think it actually is. Documentation says that Oauth requires UI access to SNOW instance, which you mentioned you don't have:
OAuth Authentication configuration requires UI access to your ServiceNow Instance. User roles that do not have UI access will not be able to configure their ServiceNow account to use OAuth.
If this is using the person logged in to access ServiceNow instead of using whatever OAUTH config, it makes no sense for the TA to ask for clientID and clientSecret, as the main purpose of those is to authenticate.
Hi Victor,
Thank you so much for your response.
I attached a file showing what we do in sequence and the popup. Maybe this helps to understand what we do, right or wrong.
Thanks
Max
Okay,
The OAUTH integration message asks for credentials and says that that account will be able to interact as if it was you, right? And based on what you said, this is what is happening (assuming that whenever that ServiceNow screen shows up you are adding your own credentials to allow OAUTH, instead of the credentials of the local API account you should have on ServiceNow for this purpose, as you also mentioned that the account does NOT have interactive UI access).
IMO and based on your statement, I believe in that authorization part you entered your own credentials, and now during your tests this is the reason why ServiceNow is showing Splunk interactions as if it was you.
So, though I'm just repeating myself, I guess the path is:
If using basic auth:
- Create a new ServiceNow account config in the Splunk TA as you showed before, define it as basic
- On your alerts, whenever configuring the send event / incident action, pass the name of the account you created here
- You're done!
If using OAUTH:
- Create a new ServiceNow account config in the Splunk TA as you showed before, define it as OAUTH
- While being redirected to ServiceNow OAUTH authorization page, insert the API account user name and password (not your own) - At this step, if your API account isn't accepted, then you cannot use it as it lacks those interactive permissions I mentioned
- According to the message, whatever communication between Splunk and ServiceNow with that OAUTH channel will use THAT logged account during auth phase
- On your alerts, whenever configuring the send event / incident action, pass the name of the account you created here
- You're done!
Hi Victor,
Thank you so much for your quick responses!!!!
I had a chat with the Splunk specialist yesterday morning, and Splunk only asks for the user and pwd when configuring the OAuth account in Splunk. Hence, we decided to give the Splunk user account in SNOW UI login access temporarily. After successfully going through the account configuration in Splunk we removed the UI access from the Splunk account in SNOW. This did the trick!!!
regards,
Max
Oh, I love when simple workarounds do the trick.
Well, glad you got that one sorted.
If I can help with anything else, even for a brainstorming session, lemme know 🙂

Hi
If those fulfil the requirements and you can make the needed modifications to both environments (see installation instructions), then you can. Otherwise probably not, or at least it's not a fully functional integration.
r. Ismo
