> ## Documentation Index
> Fetch the complete documentation index at: https://docs.oleria.com/llms.txt
> Use this file to discover all available pages before exploring further.

# ServiceNow

> Connect ServiceNow to Oleria to create incident tickets directly from risks and posture findings using automated OAuth JWT setup.

Connect ServiceNow to Oleria to create incident tickets directly from risks and posture findings. Oleria automatically populates each ticket with risk details and routes it to your configured assignment group.

<Note>ServiceNow tickets are created as incident tickets and assigned to the group you configure during setup.</Note>

Setup happens across two systems - start in Oleria to download a public certificate, configure authentication objects in ServiceNow, then return to Oleria to complete the connection.

## Prerequisites

Your ServiceNow account must have permission to perform the following actions. Skip any item that is already configured in your instance.

* Add an x509 Certificate (under **Multi-Provider SSO**)
* Create an OAuth JWT Application (under **System OAuth → Application Registry**)
* Add a User (under **User Administration**)
* View and copy a Group's sys\_id (under **Users and Groups**)

You also need administrator access to Oleria. Learn about [role permissions](/administration/default-user-roles).

## Step 1 - Download the Oleria public certificate

<Steps>
  <Step title="Open the Ticketing System page">
    Log in to Oleria, select **Settings**, then select **Ticketing System**.
  </Step>

  <Step title="Download the public key">
    From the **Ticketing System** page, select **Download public key** to download `oleria-public-key.pem`. You will upload this file to ServiceNow in the next section.
  </Step>
</Steps>

## Step 2 - Configure ServiceNow

As you work through the steps below, copy and save the following values. You will need them to complete Step 3:

| Value to collect                        | Where you find it                                   |
| --------------------------------------- | --------------------------------------------------- |
| **Client ID**                           | After creating the OAuth JWT Application            |
| **Kid** (Key ID)                        | After mapping the public key to the JWT Application |
| **Claim Value** (service account email) | After setting up the OAuth JWT Claim Validation     |
| **sys\_id** (assignment group)          | After locating the assignment group                 |

<Steps>
  <Step title="Upload Oleria's Public Certificate">
    1. Log into your ServiceNow instance with administrator credentials.
    2. From the **All** menu, navigate to **x509 Certificate** under **Multi-Provider SSO → Administration**.
    3. Create a new x509 certificate - select **New** from the upper right-hand corner of the **x.509 Certificates** page.
    4. From the **New record** page, enter the following information:

    | Field                   | Value                                       | Example                                                            |
    | ----------------------- | ------------------------------------------- | ------------------------------------------------------------------ |
    | Name                    | Name for the Oleria's public key            | Oleria ServiceNow Incident Creation X.509 Certificate - tenantName |
    | Format                  | PEM                                         | PEM                                                                |
    | Expiration Notification | Uncheck                                     | Uncheck                                                            |
    | Type                    | Trust Store Cert                            | Trust Store Cert                                                   |
    | Active                  | Check                                       | Check                                                              |
    | Short Description       | Description that mentions the Oleria tenant | servicenow\_ticketing.tenantName.oleria.io                         |

    5. For **PEM Certificate**, open the `oleria-public-key.pem` file you downloaded in Step 1 and paste its full contents.
    6. Select **Submit**.
  </Step>

  <Step title="Create an OAuth JWT Application">
    1. From the **All** menu, navigate to **Application Registry** under **System OAuth**.
    2. From **Application Registries**, select **New** from the upper right-hand corner.
    3. From **What kind of OAuth application?**, select **Create an OAuth JWT API endpoint for external clients**.
    4. From **OAuth JWT - New Record**, reveal the **Public Client** hidden field in the form layout:
       1. Select the three horizontal lines icon next to **New Section New Record** in the upper-left corner.
       2. Select **Configure** → **Form Layout**.
       3. From **Configuring OAuth JWT form**, under the **Available** column, find and select the **Public Client** field, then select the arrow pointing right to move it to the **Selected** column.

    <Note>If you cannot find "Public Client" under "Available", check "Selected" instead. If "Public Client" is already in "Selected", proceed to the next step.</Note>

    5. Select **Save** in the upper right-hand corner.
    6. From **OAuth JWT - New Record**, enter the following information:

    | Field         | Value                                                                              | Example                                                    |
    | ------------- | ---------------------------------------------------------------------------------- | ---------------------------------------------------------- |
    | Name          | Name that indicates Oleria will create incidents, including the Oleria tenant name | Oleria ServiceNow Incident Creation JWT OAuth - tenantName |
    | Active        | Check                                                                              | Check                                                      |
    | Public Client | Check                                                                              | Check                                                      |

    7. Leave the remaining fields with their default values (including leaving **Client Secret** blank).
    8. Save the **Client ID** value - you will need it in Step 3.
    9. Add **useraccount** to the **Auth Scope** for the JWT application:
       1. From the **Auth Scope** section, select **Insert a new row…**
       2. In the textbox, search for **useraccount**, select a result from the dropdown, and select the green check icon.
       3. Select **Submit**.
  </Step>

  <Step title="Map Oleria's public key to the OAuth JWT Application">
    1. From **Application Registries**, find and view the OAuth JWT application you created (e.g., **Oleria ServiceNow Incident Creation JWT OAuth - tenantName**).
       * To navigate there: from the **All** menu, go to **Application Registry** under **System OAuth**.
    2. From the **OAuth JWT Application** page, scroll to the bottom to the **Jwt Verifier Maps** tab.
    3. Add a **Jwt Verifier Map** - select **New** from the **Jwt Verifier Map** tab.
    4. From **Jwt Verifier Map - New Record**, enter the following information:

    | Field           | Value                                                                    | Example                                                            |
    | --------------- | ------------------------------------------------------------------------ | ------------------------------------------------------------------ |
    | Name            | Name that indicates Oleria's public key including the Oleria tenant name | Oleria JWT Verifier Map - tenantName                               |
    | Sys certificate | Name you created for Oleria's public certificate                         | Oleria ServiceNow Incident Creation X.509 Certificate - tenantName |

    5. Save the **Kid** (Key ID) value - you will need it in Step 3.
    6. Select **Submit**.
  </Step>

  <Step title="Limit access to the Oleria service account">
    <Warning>**Claim Name must be set to `sub` exactly.** Any other value will prevent Oleria from authenticating and the integration will not work.</Warning>

    1. From the **OAuth JWT Application** page, scroll to the bottom to the **OAuth JWT Claim Validations** tab.
    2. Select **New**.
    3. From **OAuth JWT Claim Validation - New Record**, enter the following information:

    | Field            | Value                                       | Example                                                         |
    | ---------------- | ------------------------------------------- | --------------------------------------------------------------- |
    | Claim Value Type | string                                      | string                                                          |
    | Claim Name       | sub                                         | sub                                                             |
    | Claim Value      | email address of the Oleria service account | [oleriaticketing@oleria.com](mailto:oleriaticketing@oleria.com) |

    4. Save the **Claim Value** (your Oleria service account email address) - you will need it in Step 3.
    5. Select **Submit**.
  </Step>

  <Step title="Find or create a role with write access to the Incidents table">
    1. From the **All** menu, navigate to **Roles** under **System Security → Users and Groups**.
    2. Search for a role named **sn\_incident\_write**. If found, continue to the next step. If not found, create a new role.
  </Step>

  <Step title="Create a service account">
    1. From the **All** menu, navigate to **Users** under **User Administration**.
    2. Select **New** from the upper right-hand corner.
    3. From **User - New Record**, enter the following information:

    | Field                   | Value                                                     | Example                                                         |
    | ----------------------- | --------------------------------------------------------- | --------------------------------------------------------------- |
    | User ID                 | name for the Oleria service account including tenant name | Oleria Integrator - tenantName                                  |
    | Email                   | Oleria service account's email                            | [oleriaticketing@oleria.com](mailto:oleriaticketing@oleria.com) |
    | First Name              | Oleria service account's first name                       | Oleria                                                          |
    | Last Name               | Oleria service account's last name                        | Ticketing                                                       |
    | Password needs reset    | Uncheck                                                   | Uncheck                                                         |
    | Locked out              | Uncheck                                                   | Uncheck                                                         |
    | Active                  | Check                                                     | Check                                                           |
    | Web service access only | Uncheck                                                   | Uncheck                                                         |

    4. Select **Submit**.
  </Step>

  <Step title="Associate the role to the service account">
    1. From the **All** menu, navigate to **Users** under **User Administration**.
    2. Find the Oleria service account (e.g., "Oleria Integrator - tenantName") and select its name.
    3. From the **User** page, scroll to the bottom and select the **Roles** tab.
    4. Select **Edit…**.
    5. From **Edit Members**, search for **sn\_incident\_write** in the **Collection** column, select the role, and select the **Add** icon to add it to the selection list.
    6. Select **Save**.
  </Step>

  <Step title="Find the Assignment Group sys_id">
    1. From the **All** menu, navigate to **Groups** under **System Security → Users and Groups**.
    2. Find the group you want to assign incidents to (e.g., RiskRemediators) and view it. Create a new group if needed.
    3. From the **Group** page, select the three horizontal lines icon in the upper left-hand corner, then select **Copy sys\_id**.
    4. Save the **sys\_id** value - you will need it in Step 3.
  </Step>
</Steps>

## Step 3 - Connect ServiceNow to Oleria

<Warning>Ticketing System configuration is done from **Settings**, not from the Integrations page.</Warning>

<Steps>
  <Step title="Open the Ticketing System page">
    Log in to Oleria, select **Settings**, then select **Ticketing System**.
  </Step>

  <Step title="Confirm ServiceNow is configured">
    From the **Ticketing System** page, confirm you have completed all steps in ServiceNow above and have the four values ready (Client ID, Key ID, service account email, and Assignment Group sys\_id).
  </Step>

  <Step title="Connect ServiceNow">
    Under the desired ticketing system (ServiceNow), select **Connect**.
  </Step>

  <Step title="Provide authentication details">
    From the **Ticketing System Authentication** page, provide the following and select **Connect**:

    | Field                 | Value                                                                      | Example                                                         |
    | --------------------- | -------------------------------------------------------------------------- | --------------------------------------------------------------- |
    | Instance name         | Instance name portion of the ServiceNow URL                                | instanceName                                                    |
    | Client ID             | Client ID for the Oleria OAuth JWT application in ServiceNow               | abc12345d6789d0123f456g78hi9jk012                               |
    | Key ID                | Key ID that maps the Oleria OAuth JWT application to the Oleria public key | a1234567b901c2345d6e7890fgh12ij3                                |
    | Service Account email | Email for the Oleria service account used to create tickets                | [oleriaticketing@oleria.com](mailto:oleriaticketing@oleria.com) |
  </Step>

  <Step title="Configure the ticket assignment group">
    From the **Ticketing System Configuration** page, provide the following and select **Done**:

    | Field               | Value                                                              | Example                          |
    | ------------------- | ------------------------------------------------------------------ | -------------------------------- |
    | Assignment Group ID | sys\_id for the group that will be assigned to the created tickets | a1bcdef2345g67890hi12j345klm67n8 |
  </Step>

  <Step title="Confirm the connection">
    A confirmation message will appear. The **Ticketing System** page will show the configured ticketing system.
  </Step>
</Steps>

## Created ticket

A ticket created for a risk from Risk Monitoring will contain the following default field values:

| Field             | Default Value                                                                                                                                                                                             | Note                                                                                                                                                                   |
| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Caller            | Oleria Ticketing                                                                                                                                                                                          | This is the name of the service account that is used by Oleria to generate tickets in ServiceNow.                                                                      |
| Assignment group  | \[provided during configuration]                                                                                                                                                                          | This is the assignment group provided during the ServiceNow ticketing system integration.                                                                              |
| Short description | "Risk was identified by Oleria: " + \[value]                                                                                                                                                              | This contains a standard prefix for all tickets created from a risk and it will contain the risk name that appeared in Oleria for the risk the ticket was created for. |
| Description       | Risk: \[value] Potential Impact: \[value] Recommendation: \[value] Details: Risk Severity: \[value] Risk Type: \[value] Application: \[value] Application Instance: \[value] View risks in Oleria: \[URL] | This contains the details about the risk from where the ticket was created. It also contains the link to the risk.                                                     |

## Troubleshoot

**Caller value does not appear in the Ticket**

The Oleria Service Account's email address exists with another user account that is causing confusion on which email user to list as the caller.

**Resolution:**

Change the Oleria Service Account's email address to another email address and then update the email address associated with the Application Registration for the OAuth JWT Claim Validation email address listed in the JWT Application that was created for Oleria.

## Contact us

For questions, contact us at [support@oleria.com](mailto:support@oleria.com).
