Multifactor Authentication and SSO compatibility

antonioferrari
Tera Contributor

Hi everybody,

Having read the page "Multifactor authentication", I know that the Multifactor Authentication provided OOTB by ServiceNow is not supported with SSO.

Anyway, I'd like to know whether, in your opinion, this scenario could work. We want to divide users into two disjoint sets:

- SET "A" will contain users that will access ServiceNow only via SSO provided by an external Identity Provider. These users will have the "Enable Multifactor Authentication" field set to "false" (MFA disabled) and won't be able to access ServiceNow with local DB credentials (they will have a randomly generated password that won't be given to them). The Identity Provider will be configured to use its own MFA methods in case of access from outside the intranet. This MFA has nothing to do with ServiceNow and it is up to the IdP to make it work.

- SET "B" will contain users that will access ServiceNow only via Local Database credentials. These users will access ServiceNow by calling the "side_door.do" or "login.do" page and will have "Enable Multifactor Authentication" set to "true". They can't access ServiceNow via SSO.

This is because our customer wants some admin users to exist in case SSO doesn't work; they must access SN only via side_door and their access must be secured by MFA.

Do you think that the scenario with sets A and B will work? Do you see any possible problems?

Best regards,

Antonio Ferrari

6 REPLIES

Morten Petters1
Mega Contributor

Interesting question, I'm hoping someone can answer it 🙂

Todd_Goodhew
Kilo Guru

Yes, this scenario will work just as you described.

I did this at my last job for the same reasons you outlined. I accessed our instances both ways: via SSO through a 3rd party product and also via login.do. I used SSO primarily, but would use login.do sometimes if there was an issue with my AD account or the SSO provider.

The only issue ever encountered was forgetting the password.

Hi Todd,

Did your single account use SSO and MFA at the same time?
When using SSO, no MFA was required, but when using login.do or side_door.do it required MFA?

In our case, we want to force-enable MFA for every user and trigger MFA only when they want to use login.do or side_door.do...

Your answer would help our case a lot.

Kind regards,

Collin

Hi Collin,

Did you ever figure this out?

Thanks!

Anna