ServiceNow OAuth Authentication allows you to use OAuth (Client Credentials) for authenticating PagerDuty webhooks and Incident Workflows in the ServiceNow ITSM integration. With OAuth enabled, PagerDuty and ServiceNow can securely communicate without relying on static credentials. This ensures compliance with industry standards and a streamlined integration experience, particularly for organizations with more stringent security and regulatory requirements.

📘

Availability

• ServiceNow OAuth Authentication is available on Business or Enterprise pricing plans.
• This feature is available for ServiceNow Integration version 8.3.0. Please see our upgrade instructions if you are not currently on this version.

Authentication Flow

Your ServiceNow Admin will register an OAuth application in ServiceNow, which PagerDuty then uses to authenticate Incident Workflows and webhook communications using secure, time-bound tokens.

Workflow Actions Authentication

Webhook Authentication

Configure the OAuth Application

Set up an OAuth application (Client Credentials) for authenticating communications between PagerDuty and ServiceNow.

🚧

Requirements

• In ServiceNow: A ServiceNow Administrator role is required for configuration.
• In PagerDuty: A Global Admin or Account Owner base role is required for configuration.

Step 1: Enable the System Property

📘

Application Scope Requirement

To enable the system property, set your application scope to Global.

1. Navigate to the System Properties table (sys_properties_list.do), and click New in the top right.
2. In the system property form, create the property below with the values listed:
   1. Name: glide.oauth.inbound.client.credential.grant_type.enabled
   2. Application Scope: Global
   3. Value: true
      1. Note: This flag is the primary mechanism for enabling and disabling this functionality
   4. Type: true | false

3. Once complete, you can change to the PagerDuty Incident Resolution Platform application scope.

Step 2: Add an OAuth Entity to your Application Registry

Create a client and make an update to the OAuth Entity default view.

1. Confirm that you are in the PagerDuty Incident Resolution Platform application scope.
2. Navigate to System OAuth Application Registry.
3. Create a new record by clicking New in the top right, then select Create an OAuth API endpoint for external clients from the interceptor list.
4. Configure the following fields in the application registries form:
   1. Application scope: PagerDuty Incident Resolution Platform
   2. Accessible from: All application scopes
   3. Optional: You can modify the refresh token lifespan and access token lifespan if the default values differ from your company’s token policies.
5. Change to the Global application scope.
6. In the newly-created record, click the context menu and select Configure Form Layout.
7. Add the OAuth Application User field to the Selected column, then click Save.
8. In the OAuth Application User field, select the ServiceNow user account that you configured for webhook authentication, then Save the record.
9. If left blank, the Client Secret automatically generates after you save the record.

Step 3: Enable OAuth Authentication

🚧

Prerequisite

Before enabling OAuth Authentication, migrate your v2 webhooks (if any) to v3.

Enable OAuth Authentication in PagerDuty Settings

1. To enable OAuth Authentication for the PagerDuty Application, navigate to the PagerDuty Settings page in your ServiceNow instance.
2. Scroll down to the Webhook Configuration section.
3. Select OAuth Client Credentials.
4. Choose the new OAuth application you created in the previous section.
5. Click Save.
6. Run the webhooks health check.

Run the Integration Health Check to Validate OAuth Credentials

1. Run the Integration Health Check.
2. If you configured OAuth as the authentication method, the Integration Health Check will automatically switch to validating the OAuth credentials (OAuth Client ID).

Troubleshoot Errors with ServiceNow Key Management Admin

When using OAuth credentials, an error may occur due to Module Access Policies configured via the Key Management Admin. These policies reject the use of our application scripts’ decryptor.

• The first Module Access Policy will generate when you save the OAuth Client Credentials on the PagerDuty Settings page, and saving this page fails with a 400 Bad Request error.
• The second generates when the Integration Health Check fails after you create the OAuth client, and you will see a Rejected Module Access Policy record.

Resolve Module Access Policy Errors

Step 1: Gain Access to the Module Access Policies Table

1. Navigate to the Key Management Administration screen.
2. Move your admin user to the Selected User(s) section and click Save. This will allow you to access the Module Access Policies table.

Step 2: Change the Module Access Policy Result

1. In the Module Access Policies table, you can use the following filters to locate the rejected module access policies:
   1. Name contains AutoGen
   2. Script Table is Script Include
2. Open each policy record, and change the Result field from Reject to Track.