Viewing SSO subscription information

  • Release version: Xanadu
  • Updated August 1, 2024
  • 3 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Viewing SSO subscription information

    This guide explains how ServiceNow customers can view information about Single Sign-On (SSO) applications, users, and groups associated with their SSO integrations within Software Asset Management (SAM). It covers accessing details in the classic SAM UI and refers to Software Asset Workspace for alternate views. The information helps manage SSO subscriptions, monitor access, and handle reclamation of unused licenses.

    Show full answer Show less

    Viewing SSO Integration Information

    To inspect SSO integration details, navigate to All > SaaS License > Administration > SSO Integration Profiles and select a profile. Key related lists include:

    • SSO Applications: Lists all integrated SSO applications.
    • Directory Users: Lists all SSO users.
    • Directory Groups: Lists all SSO groups.
    • Scheduled Jobs: Shows jobs that download SSO apps, users, groups, and subscriptions, running daily and on profile publication.
    • Directory Jobs: Contains jobs that download group memberships, users, and groups daily. Note that for Microsoft Entra ID spoke 4.3 and later, the group membership job is replaced by a job that downloads all groups and memberships.
    • Scheduled Job Results and Directory Job Results: Display the status of these background jobs.

    Viewing SSO Application Information

    To view users, groups, and reclamation candidates for a specific SSO application, go to All > SaaS License > SSO Applications and select the application. The related lists provide:

    • SSO Application Users: Users with direct access to the app (not via groups).
    • SSO Application Groups: Groups granted access to the app.
    • SSO Subscriptions: Total subscriptions, counting each user once even if they have multiple access paths.
    • Reclamation Candidates: Subscriptions that qualify for reclamation based on application-specific rules.

    Additional notes:

    • The SSO application role column helps identify if user access is direct or group-based.
    • Subscriptions granted through group membership have empty subscription assigned dates; direct user subscriptions show assignment dates.
    • Users with group-based access cannot have subscriptions reclaimed directly in SAM; removal must occur in the identity provider portal (Azure AD), followed by closing the reclamation candidate in SAM.
    • After upgrading to SAM - SaaS License Management 13.1.0 or later, subscription assigned dates for group-created subscriptions become empty.

    Data Synchronization with SSO Providers

    When users, groups, or applications are deleted in the identity provider portals (Azure AD or Okta), corresponding SAM records are deleted during the daily scheduled job runs.

    If user access is revoked—either directly or by removing group membership—the related user subscription record in SAM is deleted during the daily synchronization jobs.

    You can view information about the Single Sign-On (SSO) applications, SSO users, and SSO groups that are associated with your SSO integrations.

    Important:
    You can view information about your SSO applications, users, and groups in both the Software Asset Management Core UI and Software Asset Workspace. The following sections provide details on viewing this information in the Software Asset Management classic application. For details on viewing this information in the Software Asset Workspace, see License operations view.

    Viewing SSO integration information

    To view the applications, users, and groups for an SSO integration, navigate to All > SaaS License > Administration > SSO Integration Profiles and then select a profile. The related lists provide information about the integration.
    Table 1. SSO Integration Profile related lists
    List Description
    SSO Applications All SSO applications.
    Directory Users All SSO users.
    Directory Groups All SSO groups.
    Scheduled Jobs SAM - SSO <sso-provider> download applications scheduled job that downloads all SSO apps. The job runs when the SSO integration profile is published, and then runs daily.

    The SAM - SSO <sso-provider> update connected applications scheduled job downloads users, groups, and subscriptions for SSO apps. The job runs daily and whenever an app is connected.
    Scheduled Job Results Status of the scheduled jobs.
    Directory Jobs

    The <sso-provider> - Download Group Membership directory job that downloads group memberships for all users. The job runs when the SSO integration profile is published, and then runs daily.

    The <sso-provider> - Download Users directory job downloads all users. The job runs when the SSO integration profile is published, and then runs daily.

    The <sso-provider> - Download Groups directory job downloads all groups for all users. The job runs when the SSO integration profile is published, and then runs daily.

    Note:
    On upgrading to Microsoft Entra ID spoke 4.3 version, the Microsoft Azure AD - Download Group Membership directory job won’t be executed for existing Microsoft Azure AD SSO or Directory integrations. This directory job also won’t be created for new Microsoft Azure AD SSO or Directory integrations. Instead, the Microsoft Azure AD - Download Groups directory job downloads all groups and group memberships configured on Microsoft Azure AD.
    Directory Job Results Status of the directory jobs.

    Viewing SSO application information

    To view the users, groups, and reclamation candidates for an application, navigate to All > SaaS License > SSO Applications and select an application. The related lists show information for the application. For viewing the SSO application information in Software Asset Workspace, see View SSO applications in workspace.

    Table 2. SSO Applications
    List Description
    SSO Application Users All users that have direct access to the application, but not through membership in a group.
    SSO Application Groups All groups that have access to the application.
    SSO Subscriptions Total number of subscriptions for the application. A user may have both direct access to an app and have access through a group. But the user's access counts as only one subscription so as only one record in the SSO Subscriptions list.
    Note:
    • Add the SSO application role column to see how the user is granted access to the application. If the value is a group, then the user has access through membership in that group. If the value is the user's name, then the user has direct access to the application. User subscriptions can't be reclaimed in Software Asset Management if the user has access to the application through a group membership. To reclaim the subscription, remove the user from the group in the Azure AD portal and set the reclamation candidate state to Closed Complete.
    • When SSO subscriptions are created through SSO application groups, the Subscription assigned value is empty. When the subscriptions are created through SSO Application Users, the Subscription assigned value shows the date of when the subscription is assigned to the user. After you upgrade to the Software Asset Management - SaaS License Management 13.1.0 version or later, the existing Subscription assigned values for the subscriptions that were created through SSO application groups turns empty.
    Reclamation Candidates Subscriptions that don't meet the usage requirements that are defined by the reclamation rule for the application.

    Data synchronization with SSO providers

    If you delete a user, group, or app in the Azure AD portal or in the Okta Developer Console, then the corresponding records in Software Asset Management are deleted when the daily scheduled jobs run. If you revoke a user's access to an application in the Azure AD portal or in the Okta Developer Console, either directly or indirectly by removing them from a group, then the corresponding user subscription record is deleted when the daily scheduled jobs run.