Activated Adaptive Authentication Blocks login.do Login

Meloper
Kilo Sage

After I activated the property to use Adaptive Authentication with SSO, I can't log in with my credentials anymore.

With login.do....

Can I run both?

Using Adaptive Authentication for SSO and manual login?

1 ACCEPTED SOLUTION

Randheer Singh
ServiceNow Employee

The local login blocking is happening due to the Account recovery context policy.

The default policy blocks local login for all users. If you want, you can modify the policy conditions to allow local login for users with certain roles or group membership.

 

If you want to allow local login for all users, you can deactivate the policy or turn off the glide.sso.acr.enabled system property.


Product documentation: https://docs.servicenow.com/bundle/vancouver-platform-security/page/integrate/single-sign-on/concept...


Do you have an idea how I can modify the condition, so that maybe a user with "ADMIN" in his name can use login.do?

Should I change the filter criteria from Authentication Scheme to Role Based MFA?

But I can't change the related lists.

SSO - ACR Context is an allow policy for "Non Local Login Users", so in my understanding it should be allowed, or?

And thank you, of course, for that great answer!

Randheer Singh
ServiceNow Employee

Thanks, @Meloper . You can add a new role filter criteria in the Non Local Login User policy. Example filter criteria name: Has Admin role.

Then you can modify the policy condition, which allows

  • non local login user (authentication scheme is not Username and password)
  • OR has Admin role

 

In this case, the allow policy will be true for admin users doing local login.

If you would like more details on Adaptive authentication, please consider enrolling in this less than 30 minutes long Adaptive Authentication learning course.

https://nowlearning.servicenow.com/lxp?id=learning_course&course_id=d2f3ec6a97ab59948934b67e6253af25
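
The condition change described in the answer above, as a simplified model added here for illustration (it is not ServiceNow code and not part of the original posts). The criterion names, the sample users and the rule that a login is blocked when no criterion of the allow policy matches are assumptions made for the example.

```javascript
// Simplified model of an allow policy; not the platform's implementation.
// A filter criterion is a named predicate over one login attempt.
const criteria = {
  nonLocalLogin: (a) => a.scheme !== 'Username and password',
  hasAdminRole: (a) => a.roles.includes('admin'),
};

// The allow policy is true when ANY listed criterion matches (the OR from
// the answer). Assumption: when none matches, the login is blocked.
function evaluateAllowPolicy(criteriaNames, attempt) {
  return criteriaNames.some((name) => criteria[name](attempt));
}

const defaultPolicy = ['nonLocalLogin'];                   // blocks all local login
const modifiedPolicy = ['nonLocalLogin', 'hasAdminRole'];  // adds the role criterion

// Constructed sample attempts. 'ADMIN.dave' has "ADMIN" in the user name but
// holds no admin role, so a role-based criterion does not match him.
const attempts = [
  { user: 'alice', scheme: 'SSO', roles: [] },
  { user: 'bob', scheme: 'Username and password', roles: [] },
  { user: 'carol', scheme: 'Username and password', roles: ['admin'] },
  { user: 'ADMIN.dave', scheme: 'Username and password', roles: [] },
];

// Decision per user for a given policy.
function decisions(policy) {
  const out = {};
  for (const a of attempts) {
    out[a.user] = evaluateAllowPolicy(policy, a) ? 'allow' : 'block';
  }
  return out;
}

// Accounts that can still use login.do with a password under this policy,
// i.e. what remains if the identity provider is unavailable.
function localLoginSurvivors(policy) {
  return attempts
    .filter((a) => a.scheme === 'Username and password')
    .filter((a) => evaluateAllowPolicy(policy, a))
    .map((a) => a.user);
}

console.table({ default: decisions(defaultPolicy), modified: decisions(modifiedPolicy) });
console.log('local login, default policy :', localLoginSurvivors(defaultPolicy));
console.log('local login, modified policy:', localLoginSurvivors(modifiedPolicy));
```
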

Thanks again for your reply.

I did your mentioned to-dos in the Post Auth Policy Context....

In table sys_auth_policy_context there are 3 records.

1. Post Authentication Policy Context

2. Pre Authentication Policy Context

3. SSO - ACR Context

 

I can NOT add a 4th, is that right?

 

In "Pre Authentication Policy Context" there is the deny policy "Global Blocking Policy" with no policy and condition.

- I guess this runs by default in order 1

 

---

then there is "Post Authentication Policy Context"

For this I added 2 policies: Authentication Scheme AND Has Admin Role

Also I added two conditions (in the docs they mentioned that they will run like OR)

1. Authentication Scheme Condition = Authentication Scheme IS SSO

2. Has Admin Role Condition = Authentication Scheme IS Username AND Password AND Has Admin Role IS true

 

----

I understand that you are telling me that I should do these last steps not in the POST record but in the "SSO - ACR Context" record, respectively in the Allow Non Local Login Users policy?

Is there a reason why I can do it in the POST?
Is there a specific order for PRE, POST / SSO - ACR?

I see there is the Type field in the "sys_auth_policy_context" table

 

https://docs.servicenow.com/en-US/bundle/utah-platform-security/page/integrate/authentication/concep...


Because of this I thought I can do it also in POST