Disable local login (login.do) for non-admin users who have SSO enabled

Dinesh90

Hello ServiceNow Community,

I have a requirement to disable local login, i.e. login.do, for non-admin users who have SSO enabled.

Please help me with a solution to restrict local login (login with username and password, i.e. login.do) for non-admin users, while allowing admins and integration users to keep local login.

I already have SSO enabled in the instance; for the same reason we want to restrict users from using local login (login.do).

Please help with a solution to implement this.

Thanks


@Ambuj Tripathi, in the above policy which you are suggesting, can we add this condition:
only allow local login to admins, and stop local login for users who have SSO configured, meaning the user records that have the SSO Source field updated with sso:sys_id_idp..

My requirement is:
1) I want to stop local login for users who have SSO configured in their user records (i.e. the SSO Source field is updated).
(If non-admin users try to do local login, they should see a message on the login page that they cannot do local login and should proceed with SSO only.) Can this be achieved by your above policy?
2) Only allow admins to do local login; SSO should also work for them.



Hi @Dinesh90

Yes, your requirement can be achieved by the Adaptive Auth policy I explained earlier.

You have only two categories of users:

1) Users with the admin role - will be allowed to do local login as well as SSO login.

2) Users without the admin role - will not be allowed to do local login and can only log in via SSO. All such users have their SSO Source field populated.

You have the option to add a UI info message for end users, which can be configured as per your requirement.

This is the property I am referring to precisely: glide.auth.policy.ui.error.message.

Here is the video to kickstart with Adaptive Authentication - https://www.youtube.com/watch?v=rIQNf4M7LyU

Documentation - https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/authentication/conc...

Thanks!


@Ambuj Tripathi - we have some users for whom SSO is not working, so we have to allow local login for them. But according to your policy it will restrict all non-admin users from local login, and that won't work because we have to allow some users to do local login.

How can we achieve that? There are 3 use cases:

1) allow local login to admins

2) restrict local login for users who have SSO configured

3) allow local login to some users for whom SSO is not working

Hi @Dinesh90, there is no direct way to validate whether a user has the SSO Source field populated through the above AA policy framework. However, the workaround would be to add all users of the 3rd category into a group and allow them to do local login via that group until you get their SSO logins fixed.

By "via group" I mean that there is a group filter criteria in this policy framework which can be used as an input along with the other criteria. So in short, the condition would be like:

hasAdminRole = true AND Authentication Type = "Local Login"

OR

Authentication Type = "SSO Login"

OR

isPartOfSsoExemptedUsersGroup = true AND Authentication Type = "Local Login"

isPartOfSsoExemptedUsersGroup is a group type filter criteria and needs to be created and added as an input to the policy.

It wouldn't be much harder for you to add this category of users into a separate group via some background script. You can also write a scheduled job or automate this for new users, but it is up to you how you want this to be implemented.

Apart from that, I don't see a simpler approach to achieve this other than customisations.
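To make the OR-of-ANDs condition in the answer above concrete, here is an added plain-JavaScript model of that policy decision. It is an illustration written for this thread, not ServiceNow's Adaptive Authentication engine or any code from the answer; the group name, user records, the `evaluateLogin` / `localLoginAllowedDespiteSso` function names and the error text are assumptions. It evaluates the three rules for the three categories of users discussed (admins, SSO users, the exempted group) and includes a small audit helper that lists which users can still log in locally even though their SSO Source is set, which is exactly the gap the answer notes the filter criteria cannot check.

```javascript
// Added illustration, not ServiceNow code: a plain-JavaScript model of the
// Adaptive Authentication condition described in the answer above.
// All user records below are constructed samples, not real sys_user rows.

const SSO_EXEMPT_GROUP = "SSO Exempted Users"; // assumed group name
// Stand-in for the text you would put in glide.auth.policy.ui.error.message.
const UI_ERROR_MESSAGE = "Local login is disabled for your account. Please sign in with SSO.";

// The condition from the answer, as an ordered list of allow rules:
//   (hasAdminRole AND Local Login)
//   OR (SSO Login)
//   OR (isPartOfSsoExemptedUsersGroup AND Local Login)
const LOGIN_RULES = [
  { name: "admin-local",  allows: (u, t) => t === "Local Login" && u.roles.includes("admin") },
  { name: "sso",          allows: (u, t) => t === "SSO Login" },
  { name: "exempt-local", allows: (u, t) => t === "Local Login" && u.groups.includes(SSO_EXEMPT_GROUP) },
];

// Returns the decision and the first rule that allowed the login; if no rule
// matches, the login is denied and the UI message is returned for display.
function evaluateLogin(user, authType) {
  for (const rule of LOGIN_RULES) {
    if (rule.allows(user, authType)) {
      return { allowed: true, rule: rule.name };
    }
  }
  return { allowed: false, rule: null, message: UI_ERROR_MESSAGE };
}

// Constructed sample users covering the three use cases in the thread.
// sso_source values are placeholders, not real IdP sys_ids.
const SAMPLE_USERS = {
  admin:   { user_name: "alice.admin",  roles: ["admin"], groups: [],                 sso_source: "sso:IDP_SYS_ID_PLACEHOLDER" },
  ssoUser: { user_name: "bob.user",     roles: ["itil"],  groups: [],                 sso_source: "sso:IDP_SYS_ID_PLACEHOLDER" },
  exempt:  { user_name: "carol.exempt", roles: ["itil"],  groups: [SSO_EXEMPT_GROUP], sso_source: "sso:IDP_SYS_ID_PLACEHOLDER" },
  noSso:   { user_name: "dave.local",   roles: ["itil"],  groups: [],                 sso_source: "" },
};

// Audit helper: the policy never consults sso_source, so this lists every
// user who would be allowed a local login even though SSO Source is set.
// Reviewing this list periodically shows who is covered by the workaround.
function localLoginAllowedDespiteSso(users) {
  return Object.values(users)
    .filter(u => u.sso_source && evaluateLogin(u, "Local Login").allowed)
    .map(u => u.user_name);
}

// Stand-alone run: print the decision for each sample user and login type.
for (const u of Object.values(SAMPLE_USERS)) {
  for (const t of ["Local Login", "SSO Login"]) {
    console.log(u.user_name, t, JSON.stringify(evaluateLogin(u, t)));
  }
}
console.log("local login allowed despite SSO Source:", localLoginAllowedDespiteSso(SAMPLE_USERS));
```

Note that `dave.local` (no SSO Source, not in the exempted group) is denied local login too: under this condition a user with a broken SSO login gets access only by being added to the group, which is why the answer suggests automating the group membership.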

Great, thanks Ambuj.

But achieving this scenario by checking the SSO Source field would be easier and simpler in the installation exit, if we modify that multi-login SSO IE.

There we can check if the user has an SSO Source, then restrict local login and allow admins only.

What are your thoughts on this?

Also, on the other post about MFA enforcement I have added one query for you today; can you please check that as well?
I have enabled the MFA checkbox in the user record, but there is no entry in the MFA enforcement table when the user logs in. I have checked that the user is logged in to the instance, but the entry is not getting created in the MFA table, so we cannot enforce MFA.

I have replicated the same user profile for a demo user, and that is working fine for MFA.