ServiceNow – Understanding The Side Door with /side_door.do


ServiceNow’s Side Door

This is a trick that all ServiceNow admins should be aware of.

If your company uses SSO or has plans to implement it in the future – you’ll need to understand the Side Door.

There is functionality baked into the ServiceNow platform that allows direct access to the login page of every single ServiceNow environment. Only ServiceNow admins should be aware of this functionality because it allows users to bypass your SSO.

It doesn’t matter if SSO is set up. This is commonly referred to as “The Side Door” or “/side_door.do”. It is actually not even documented on the ServiceNow website – only briefly discussed on the ServiceNow Community site.

It can really help out during troubleshooting of SSO issues or if you ever have to get around forced SSO in an environment.

 

How To Access The Side Door

Accessing the side door could not be easier – it’s a simple URL configuration.

Go to https://INSTANCE_NAME.service-now.com/side_door.do

Once you navigate here for your ServiceNow environment, you’ll end up at the login page: the side door automatically redirects to the /navpage.do page. You need to be logged out of the ServiceNow environment to access the side door; you get an error if you try while already logged in. If you want to test it out, spin up an incognito window and try to access it.

So the end result of hitting the side door is the native login page of your ServiceNow environment.

Putting it together, accessing the side door quickly redirects a user to the following login page:

https://INSTANCE_NAME.service-now.com/navpage.do

Assuming that this out of box page (/navpage.do) has not been modified, it will look like the below image.

[Image: ServiceNow login page via the side door]

 

Why Would You Use The Side Door

Why are we even discussing /side_door.do? What’s the actual benefit here for you as a ServiceNow admin?

It allows you to bypass SSO when you’re troubleshooting a login issue.

So imagine a scenario where your company has SSO set up. Each time a new session hits the ServiceNow environment, you’re routed through some popular SSO website like Okta or Microsoft.

What if the SSO configuration is either broken or having redirect issues? What if you are currently unable to access SSO but you need access to the ServiceNow environment?

The reasons for needing to utilize the Side Door are endless.

While the information here is open to the public, it’s obviously something that only a few users at a company should be engaging in. I would not recommend giving this information to ITIL or end users in your ServiceNow Platform. The ServiceNow admins should be the ones that find themselves in scenarios where they may need to troubleshoot platform-wide SSO issues, where using the side door is appropriate and necessary. We can’t really currently control who accesses the side door, so it’s best to keep the tribal knowledge of its existence to just the ServiceNow team. SSO providers exist for a reason, and we can’t think of a good reason for an end user to ever need to access the side door to do their day job in ServiceNow.

Something interesting to note is that technically, one can access any ServiceNow environment with knowledge of the Side Door. This sounds like it could be a potential security vulnerability and I don’t think it’s talked about enough. Obviously the security of environments is stellar at ServiceNow and there are even bug bounties held at ServiceNow to keep bad actors away. But to this day, the side door lives on and users can still access it without an issue. There certainly could come a time when ServiceNow removes the side door functionality. But until that day comes, use it responsibly and in scenarios where you are not performing any actions that would cause a security incident.
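
Because the side door stays reachable, reviewing who actually used it is the practical check. The following is an added example, not code from this article or from ServiceNow: it scans a constructed request log export and classifies each /side_door.do request by who logged in afterwards. The column layout, account names and five-minute window are assumptions.

```python
import csv
import io
from datetime import datetime, timedelta

SIDE_DOOR = "/side_door.do"
WINDOW = timedelta(minutes=5)        # assumed correlation window
ADMIN_ALLOWLIST = {"admin.jane"}     # hypothetical ServiceNow admin accounts

# Constructed sample export: time, client IP, user (empty = not logged in), path.
SAMPLE_LOG = """\
2024-05-01T09:00:00,10.0.0.5,,/side_door.do
2024-05-01T09:00:02,10.0.0.5,,/navpage.do
2024-05-01T09:00:20,10.0.0.5,admin.jane,/home.do
2024-05-01T10:15:00,10.0.0.9,,/side_door.do
2024-05-01T10:15:30,10.0.0.9,itil.bob,/home.do
2024-05-01T11:00:00,203.0.113.7,,/side_door.do
2024-05-01T11:30:00,10.0.0.9,itil.bob,/incident_list.do
"""

def side_door_findings(log_text):
    """Return (time, ip, user, verdict) for every side door request."""
    rows = [(datetime.fromisoformat(t), ip, user, path.split("?")[0])
            for t, ip, user, path in csv.reader(io.StringIO(log_text))]
    rows.sort(key=lambda r: r[0])
    findings = []
    for i, (when, ip, _, path) in enumerate(rows):
        if path.lower() != SIDE_DOOR:
            continue
        # First authenticated request from the same client inside the window.
        user = next((u for t, rip, u, _ in rows[i + 1:]
                     if rip == ip and u and t - when <= WINDOW), None)
        if user is None:
            verdict = "no_login"            # page opened, nobody logged in
        elif user in ADMIN_ALLOWLIST:
            verdict = "admin_review"        # expected use, still worth a record
        else:
            verdict = "non_admin_bypass"    # SSO skipped by a non-admin account
        findings.append((when.isoformat(), ip, user, verdict))
    return findings

if __name__ == "__main__":
    for finding in side_door_findings(SAMPLE_LOG):
        print(finding)
```

A `non_admin_bypass` result is the case the article warns about: an account outside the ServiceNow team logging in locally instead of through the SSO provider.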


