SSO - allow remote access to single ESS Portal, backend access to company devices only

Tyson3
Tera Contributor

Hi All,

Hoping someone has accomplished something similar. We have a single SSO provider to allow users to log in to the SN platform. We want to:

  1. Enable remote access (personal devices) to only a single ESS Portal using SSO Provider
  2. Restrict backend access to ServiceNow using company devices only using same SSO provider as #1

I'm struggling to find where we would configure this setup. Would this be restrictions set up on the SSO provider side, or would this be restrictions set up on the SN side, maybe based on IP ranges? If on the SN side, what features would we use for this?

Thanks in advance if anyone has seen this use case before and has a recommendation!

 


Allen Andreas
Administrator

Hello,

Yes, the SSO is only for authentication, after that, SN determines where the user is or isn't allowed to go on the platform. You would have to determine how...you know...what type of device it is (personal or company)...how would SN know that?

 

If it's by IP...which doesn't tell you that it's an x or y device (unless you can't connect personal devices to your VPN or something), then you would evaluate this via a UI Script and their IP and then redirect their URL if they are trying to go to platform UI.

 

More discussion here: https://www.servicenow.com/community/itsm-forum/is-it-possible-to-restrict-end-users-from-accessing-... 


Please consider marking my reply as Helpful and/or Accept Solution, if applicable. Thanks!

Hi Allen,

Thanks for your response before on this. Quick question on the IP option: We have associates who have company devices and they work remotely. How would we know their IP is company vs. their own internet provider? It's my understanding that the IP address would resolve to Spectrum or whatever provider they are using, even though they are utilizing a company device.

Ignore

Randheer Singh
ServiceNow Employee

Hi @Tyson3,
You may want to explore the zero-trust access feature. This feature allows you to dynamically control access based on policies. You can use the attribute shared by your IdP (to indicate if the device is managed or personal) as part of the SAML login response in your policy. Here is the documentation.

[Image: Zero Trust Access - reduce access based on IdP attribute]


Using this policy, you can limit the session roles for the user when they are using a personal device.

Please feel free to reach out to me, if you need more details.
Thanks,

Randheer
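To make the shape of the policy Randheer describes concrete, here is an added illustration in plain Node.js. It is not ServiceNow's Zero Trust Access feature or any ServiceNow API, just the decision logic: a device-managed attribute from the IdP's SAML response decides whether the session gets full roles or portal-only roles, and the check fails closed when the attribute is missing. The attribute name `deviceManaged`, the portal path `/esc` and the role names are assumptions.

```javascript
// Added illustration of the policy logic described in the thread; plain Node.js,
// NOT ServiceNow's Zero Trust Access feature or any ServiceNow API.
// Assumptions: the IdP sends a SAML attribute named `deviceManaged` with the
// value "true" for company-managed devices; the ESS Portal lives under `/esc`;
// role names are illustrative only.
const PORTAL_PREFIX = "/esc";
const DEVICE_ATTR = "deviceManaged";
const FULL_ROLES = ["snc_internal", "itil"];   // backend (platform UI) session
const PORTAL_ROLES = ["snc_internal"];         // portal-only session

// Trust only an explicit affirmative value; an absent, empty or unexpected
// value is treated as a personal device so the policy fails closed.
function isManagedDevice(samlAttrs) {
  const v = samlAttrs && samlAttrs[DEVICE_ATTR];
  return typeof v === "string" && v.trim().toLowerCase() === "true";
}

// Match the portal path as a whole segment, so a look-alike such as
// "/escalation" is not mistaken for the portal.
function isPortalPath(path) {
  return path === PORTAL_PREFIX ||
    path.startsWith(PORTAL_PREFIX + "/") ||
    path.startsWith(PORTAL_PREFIX + "?");
}

// Decide what this session may do: limit the session roles rather than
// the roles stored on the user record.
function evaluateAccess(samlAttrs, path) {
  if (isManagedDevice(samlAttrs)) {
    return { allowed: true, roles: FULL_ROLES.slice(), reason: "managed device" };
  }
  if (isPortalPath(path)) {
    return { allowed: true, roles: PORTAL_ROLES.slice(), reason: "personal device, portal only" };
  }
  return { allowed: false, roles: [], redirectTo: PORTAL_PREFIX,
           reason: "personal device requested backend UI" };
}

// Constructed sample logins (not real data).
const SAMPLES = [
  { attrs: { deviceManaged: "true" },  path: "/incident_list.do" },
  { attrs: { deviceManaged: "false" }, path: "/esc?id=sc_home" },
  { attrs: { deviceManaged: "false" }, path: "/incident_list.do" },
  { attrs: {},                         path: "/escalation" }, // attribute missing
];
for (const s of SAMPLES) {
  console.log(JSON.stringify(s), "->", JSON.stringify(evaluateAccess(s.attrs, s.path)));
}
```

Note that the decision relies on the IdP asserting device state, which is exactly the point raised earlier in the thread: a source IP alone cannot distinguish a company laptop on a home connection from a personal one.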