
Authentication

Squid leverages ServiceNow's native authentication mechanisms rather than implementing its own. This ensures consistency with your existing ServiceNow security posture and eliminates the need to manage separate credentials.

How Authentication Works

ServiceNow Session Authentication

All Squid API requests are authenticated through ServiceNow's standard session management:

Figure: ServiceNow Session Authentication Flow. Client (API consumer, authenticated) -> ServiceNow Auth (validates session and credentials) -> Squid API (checks for the role x_a46gh_squidx.rest).

Step 1: The API client (an authenticated integration or service) sends a request to ServiceNow, which validates the session and credentials. Supported authentication methods include Basic Authentication (username/password), OAuth 2.0 (token-based), LDAP/SSO (federated identity), and Mutual TLS (certificate-based). The authentication method is transparent to Squid.

Step 2: After ServiceNow validates the session, the request reaches the Squid API, which checks whether the authenticated user has the x_a46gh_squidx.rest role. If the user lacks this role, Squid returns HTTP 403 Forbidden. If the user has the role, the request proceeds to configuration authorization.

Key points: Squid relies entirely on ServiceNow for authentication and only sees the authenticated session. The x_a46gh_squidx.rest role is required for all Squid API calls, and this role check happens after ServiceNow authentication succeeds. Users without the rest role cannot access any Squid endpoint regardless of their other ServiceNow roles or permissions.

Supported Authentication Methods

Squid supports all authentication methods that ServiceNow supports, including:

  • Basic Authentication - Username and password
  • OAuth 2.0 - Token-based authentication
  • LDAP/SSO - Federated identity
  • Mutual TLS - Certificate-based authentication

The authentication method is transparent to Squid - it only sees the authenticated ServiceNow session.

The rest Role Requirement

Every API request to Squid requires the authenticated user to possess the x_a46gh_squidx.rest role. This is the first security checkpoint.

A note on terminology

Strictly speaking, role checks are authorization (what can you do?) rather than authentication (who are you?). We document the rest role here because it answers a practical question: "Can I use Squid at all?" The ServiceNow session plus the rest role together form the entry gate. Once past this gate, the Authorization page covers which specific data you can access.

Why a Dedicated API Role?

The rest role serves several purposes:

  1. Explicit Opt-In - Users don't accidentally get API access
  2. Separation of Concerns - API access is distinct from UI access
  3. Audit Trail - Easy to identify who has API access
  4. Principle of Least Privilege - Only grant API access where needed

Authentication Errors

When authentication fails, Squid returns appropriate HTTP status codes:

Status Code         Meaning
401 Unauthorized    No valid ServiceNow session
403 Forbidden       Session valid but lacks the rest role

Service Account Best Practices

For production integrations, use dedicated service accounts rather than personal user accounts.

Creating a Service Account

  1. Create a new user in ServiceNow (e.g., squid_integration_accounting)
  2. Assign the x_a46gh_squidx.rest role
  3. Assign configuration-specific roles as needed (e.g., x_a46gh_squidx.defaultAccess)
  4. Do NOT assign the admin role

Service Account Naming Conventions

Adopt a consistent naming convention to identify service accounts:

squid_{purpose}_{system}

Examples:
- squid_cmdb_export_servicenow
- squid_asset_sync_sccm
- squid_ci_data_monitoring
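An added example, not Squid's own code, that audits a service account against the checklist above (rest role present, admin absent) and the naming convention. It reads the account's roles from the ServiceNow Table API (sys_user_has_role, dot-walking role.name); the instance name, auditing credentials and the sample response are constructed placeholders.

```python
import base64
import io
import json
import re
import urllib.request
from urllib.parse import quote

SQUID_REST_ROLE = "x_a46gh_squidx.rest"
# squid_{purpose}_{system}: the prefix, one or more purpose words, then the system
NAMING_CONVENTION = re.compile(r"^squid_(?:[a-z0-9]+_)+[a-z0-9]+$")


def fetch_user_roles(instance, user_name, auth_user, auth_password,
                     opener=urllib.request.urlopen):
    """Role names held by user_name, read from sys_user_has_role via the Table API.
    Instance name and the auditing account's credentials are caller-supplied placeholders."""
    url = (f"https://{instance}.service-now.com/api/now/table/sys_user_has_role"
           f"?sysparm_query=user.user_name={quote(user_name)}&sysparm_fields=role.name")
    token = base64.b64encode(f"{auth_user}:{auth_password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Accept": "application/json",
                                               "Authorization": "Basic " + token})
    with opener(req) as resp:
        return [row["role.name"] for row in json.load(resp)["result"]]


def audit_service_account(user_name, roles):
    """Return a list of findings; an empty list means the account passes the checklist."""
    findings = []
    if not NAMING_CONVENTION.match(user_name):
        findings.append("name does not follow squid_{purpose}_{system}")
    if SQUID_REST_ROLE not in roles:
        findings.append(f"missing {SQUID_REST_ROLE}: every Squid API call would get 403")
    if "admin" in roles:
        findings.append("holds the admin role; service accounts must not be admin")
    return findings


# Constructed Table API response so the demo and checks run offline.
SAMPLE_RESPONSE = json.dumps({"result": [
    {"role.name": SQUID_REST_ROLE},
    {"role.name": "x_a46gh_squidx.defaultAccess"},
]}).encode()


def sample_opener(request):
    """Stand-in for urllib.request.urlopen that serves SAMPLE_RESPONSE."""
    return io.BytesIO(SAMPLE_RESPONSE)


if __name__ == "__main__":
    name = "squid_cmdb_export_servicenow"
    roles = fetch_user_roles("dev00000", name, "auditor", "secret", opener=sample_opener)
    print(name, audit_service_account(name, roles) or "OK")
```

Replace sample_opener with the default urllib opener to run it against a real instance using an auditing account that can read sys_user_has_role.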

Single-Use Instance Protection

Squid implements a safeguard against request reuse attacks: each Squid instance is single-use, so no state can leak from one request into the next.

Network Security Considerations

While Squid relies on ServiceNow for authentication, consider these network-level security measures:

TLS/HTTPS

All communication with ServiceNow (and therefore Squid) should use HTTPS. ServiceNow enforces this by default.

IP Allowlisting

Consider restricting API access to known IP addresses using ServiceNow's IP access control features.

VPN/Private Connectivity

For highly sensitive data, consider using ServiceNow's VPN connector or private service connect options.
