Disable local login i.e. login.do for non-admin users which have SSO enabled

Dinesh90
Tera Contributor

‎07-03-2025 07:03 AM

Hello ServiceNow Community,

 

I have a requirement to disable local login i.e. login.do for non-admin users which have SSO enabled.

Please help me with the solution to implement to restrict local login(login with username & password) that is login.do for non-admin users and allow admins and integration users to have local login.

 

I have SSO enabled in the instance already for the same we want to restrict users to use local login(login.do).

please help with solution to implement 

 

Thanks

0 Helpfuls
  • 2,323 Views
23 REPLIES 23

Dinesh90
Tera Contributor
In response to Maik Skoddow

‎07-03-2025 08:50 AM

hi @Maik Skoddow , if we update their password with a random string and if they try to login with their old password so if they try login multiple times so their profile will be locked out right ?

0 Helpfuls

Dinesh90
Tera Contributor
In response to Maik Skoddow

‎07-03-2025 09:01 AM

@Maik Skoddow  : we have not enabled the user provisioning(this is not for new user profile), so we have to restrict the local login for the existing servicenow users who already having their servicenow profile and having credentials with them.

 

0 Helpfuls

Ambuj Tripathi
ServiceNow Employee
ServiceNow Employee

‎07-10-2025 02:23 AM

Hi @Dinesh90 

 

There is a feature - Adaptive Authentication, in which we can restrict the user logins based on their login types, roles that user has, groups that user belongs to, location of the user etc etc. This is an OOB core plugin and should be available already in the recent releases. If not, then please install the adaptive authentication plugin and enable the adaptive authentication feature property - glide.authenticate.auth.policy.enabled = true.

 

The way to implement this constraint with Post Auth Policy is this - 

https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/authentication/conc...

 

In the Post auth policy context, you can create the policy to allow only admin users to do the local login. Here is how to craft the policy condition - 

 

Policy Inputs (need to create it if not already available) - 

1: Role Filter Criteria - hasAdminRole (role = admin)

2: Authentication Type ( Authentication type = username and password / SSO Login)

 

AmbujTripathi_1-1752137953176.png

 

------------------------------------------------------------------------------------

Policy condition - 

hasAdminRole = true AND Authentication Type = "Local Login"

OR

Authentication Type = "SSO Login"

------------------------------------------------------------------------------------

 

AmbujTripathi_0-1752137921961.png

 

This should be sufficient as it will make sure if the user is logging via the user name and password, then only it can do the local login. However, with this, all the users will be able to login with SSO including admin users. If you want to further refine and dont want to allow the admin users to do sso login, you can add hasAdminRole condition in the second part with hasAdminRole = false.

 

---------------------------------------------------------------------------------------------------------------------------------------------

 

Second approach (recommended) -

The recommended way is to enable the Account Recovery feature if you want to only allow certain users to do the local login and force all the users to do the SSO Login.

This ensures that if something goes wrong with the SSO Config like certificates expired etc etc, you have the account recovery user to do the local login and make the required changes to fix the SSO Login issue.

 

This can be achieved via the other ways also, but I am recommending to use the ACR context only because, it will ensure that the admin users which are doing the local login have their accounts secured with second factor aka MFA.

 

As we are trying to enforce the MFA For all users doign local login from Yokohama onwards, it would be better to have an additional layer to security around the admin user logins.

https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/single-sign-on/conc...

 

However, there is a downside of this approach. The account recovery user will not have the admin privileges anymore and it will have limited access to fix the SSO related conifgurations.

 

 

 

Having said that, you can explore and evaluate both the approaches from both security and usability perspective and go with the one that suits better for you.

 

Please let me know if you have any further queries. If you have any queries on the adaptive authentication, there are plenty of resources/documentation available online and in the community.

 

@Randheer Singh 

 

Thanks!

Ambuj

0 Helpfuls

Dinesh90
Tera Contributor
In response to Ambuj Tripathi

‎07-10-2025 03:20 AM

Thank you for your detailed approaches, I would like to know what if I'll proceed with updating the installation exists ? is that not recommended ?

I have 2 installation exists in the system, with name "login", "MultiSSOLogin".

Installation exists- "MultiSSOLogin" overrides the "login" record.

0 Helpfuls

Ambuj Tripathi
ServiceNow Employee
ServiceNow Employee
In response to Dinesh90

‎07-10-2025 04:43 AM

You can achieve the same through installation exits as well, however its recommend  to use the Adaptive authentication simply because -

1: You need not to maintain the customisations in IEs going forward if you use OOB Adaptive Authentication setup.

2: You have more fine control over the behaviour and OOB setup can be easily extended for any other future use cases, in case if there are changes in the current requirement.

...

Yes, need to customise the MultiSSOLogin IE as you are using SSO feature.

0 Helpfuls