Installation exits

  • Release version: Yokohama
  • Updated January 30, 2025

    Installation exits are customizations that exit from Java to call a script before returning back to Java.

    Note:
    Functionality described here requires the Admin role.

    Available installation exits

    Navigate to System Definition > Installation Exits. Some installation exit names (Login, Logout, ValidatePassword, ExternalAuthentication) are reserved and cannot be changed. Other installation exits can override these with a custom script that replaces the script in the default installation exit.

    The following installation exits are available in the base system:

    Installation Exit             Description
    Login                         Takes a username and password pair and authenticates with the user object
    Logout                        Takes the user to the welcome page upon signing out; can be overridden by LogoutRedirect
    LogoutRedirect                Takes the user to a specified URL upon signing out
    ExternalAuthentication        Authenticates using header, parameter, or cookie; can be overridden by DigestSingleSignOn and PGPSingleSignOn
    DigestSingleSignOn            Authenticates using header, parameter, or cookie and decrypts Digest encryption
    PGPSingleSignOn               Authenticates using header, parameter, or cookie and decrypts PGP encryption
    ValidatePassword              Active by default, starting with the Helsinki release; allows customers to define their own password validation; can be overridden by ValidatePasswordStronger
    ValidatePasswordStronger      Requires passwords be at least 8 characters long and contain a digit, an uppercase letter, and a lowercase letter
    GetIntegrationSessionTimeout  Implements the default integration session timeout behavior.

    Login modifications

    The following modification to the Login installation exit sets each user's session timeout value as the user is logging in. In this particular example, if the user name is admin, the session is set to time out in 30 seconds.

    gs.include("PrototypeServer");

    var Login = Class.create();
    Login.prototype = {
        initialize : function() {
        },

        process : function() {
            // the request is passed in as a global
            var userName = request.getParameter("user_name");
            var userPassword = request.getParameter("user_password");

            var authed = GlideUser.authenticate(userName, userPassword);
            if (authed) {
                // ***********************************************************
                // customization - if the userName == admin, set the session
                // timeout to be 30 seconds. You can implement your own
                // session timeout algorithm here by checking to see if a user
                // belongs to a certain group or has a certain role.
                // setMaxInactiveInterval takes its argument in seconds.
                // Values of setMaxInactiveInterval exceeding 1440 minutes are
                // treated as one day (1440 minutes).

                if (userName == "admin") {
                    request.getSession().setMaxInactiveInterval(30);
                }
                // ************************************************************
                return GlideUser.getUser(userName);
            }

            this.loginFailed();

            return "login.failed";
        },

        loginFailed : function() {
            var message = GlideSysMessage.format("login_invalid");
            var gSession = GlideSession.get();
            gSession.addErrorMessage(message);

            // record the failed attempt as a login.failed event
            var userName = request.getParameter("user_name");
            EventManager.queue("login.failed", "", userName, "");
        }

    };

    Session timeout can also be set according to IP address.

    gs.include("PrototypeServer");

    var Login = Class.create();
    Login.prototype = {
        initialize : function() {
        },

        process : function() {
            // the request is passed in as a global
            var userName = request.getParameter("user_name");
            var userPassword = request.getParameter("user_password");

            var authed = GlideUser.authenticate(userName, userPassword);
            if (authed) {

                // **************************************************************
                // customization - if the user is logging in from a particular IP
                // range starting with XXX.XXX. you can implement your own
                // session timeout algorithm here by checking the login IP
                //
                // setMaxInactiveInterval takes its argument in seconds.
                // Values of setMaxInactiveInterval exceeding 1440 minutes are
                // treated as one day (1440 minutes).

                var clientIP = gs.getSession().getClientIP().toString();

                // if client IP starts with specified range; the trailing dot
                // keeps the match on an octet boundary (a prefix of "10.1"
                // would also match 10.10.x.x and 10.100.x.x)
                if (clientIP.indexOf('XXX.XXX.') == 0) {
                    // set to 10 hours
                    request.getSession().setMaxInactiveInterval(60 * 60 * 10);
                }
                // ***************************************************************

                return GlideUser.getUser(userName);
            }

            this.loginFailed();

            return "login.failed";
        },

        loginFailed : function() {
            var message = GlideSysMessage.format("login_invalid");
            var gSession = GlideSession.get();
            gSession.addErrorMessage(message);

            // record the failed attempt as a login.failed event
            var userName = request.getParameter("user_name");
            EventManager.queue("login.failed", "", userName, "");
        }

    };