SSO and Local Login with MFA

Go to solution
Kenta Koizumi
Kilo Sage
Kilo Sage

‎11-18-2024 04:48 PM

Hello community,

 

I wanna realize below usecase. 

 - for one user, he needs to use SSO to login. 

 - for the other user, he can use local login with MFA. 

 

Is it possible?

And if I can, how can I configure these settings?

 

Thank you for your kind help in advance. 

  • 2,222 Views
2 ACCEPTED SOLUTIONS

Go to solution
Juhi Poddar
Kilo Patron

‎11-18-2024 06:21 PM

Hello @Kenta Koizumi 

 

Yes, it is possible to configure ServiceNow to allow one user to use SSO while another user uses local login with MFA. This can be achieved by setting up authentication rules to determine how users are authenticated.

 

Please refer this:

Enforce multi-factor authentication (MFA) based on the IP Network

Multi-factor authentication with single sign-on

 MFA (Multi-Factor Authentication) policy context

 

"If you found my answer helpful, please give it a like and mark it as the "accepted solution". It helps others find the solution more easily and supports the community!"

 

Thank You
Juhi Poddar

View solution in original post

Go to solution
Randheer Singh
ServiceNow Employee
ServiceNow Employee

‎11-18-2024 06:39 PM

Hi @Kenta Koizumi ,
Yes, it is possible. 

If you are facing an issue with the ACR context policy, you can update it to allow specific users (based on role/group) to keep using username and password-based login. Here is an example. I have created "has snc_external role" role filter criteria, associated with the ACR policy and updated the condition so that it evaluates to false for snc_external users performing username and password based login.

RandheerSingh_0-1731983661772.png

 


The next step would be to enable the MFA context policy to enforce MFA for all logins with an authentication scheme as username and password.
Thanks,

Randheer

View solution in original post

3 REPLIES 3

Go to solution
Juhi Poddar
Kilo Patron

‎11-18-2024 06:21 PM

Hello @Kenta Koizumi 

 

Yes, it is possible to configure ServiceNow to allow one user to use SSO while another user uses local login with MFA. This can be achieved by setting up authentication rules to determine how users are authenticated.

 

Please refer this:

Enforce multi-factor authentication (MFA) based on the IP Network

Multi-factor authentication with single sign-on

 MFA (Multi-Factor Authentication) policy context

 

"If you found my answer helpful, please give it a like and mark it as the "accepted solution". It helps others find the solution more easily and supports the community!"

 

Thank You
Juhi Poddar

Go to solution
Randheer Singh
ServiceNow Employee
ServiceNow Employee

‎11-18-2024 06:39 PM

Hi @Kenta Koizumi ,
Yes, it is possible. 

If you are facing an issue with the ACR context policy, you can update it to allow specific users (based on role/group) to keep using username and password-based login. Here is an example. I have created "has snc_external role" role filter criteria, associated with the ACR policy and updated the condition so that it evaluates to false for snc_external users performing username and password based login.

RandheerSingh_0-1731983661772.png

 


The next step would be to enable the MFA context policy to enforce MFA for all logins with an authentication scheme as username and password.
Thanks,

Randheer

Go to solution
Kenta Koizumi
Kilo Sage
Kilo Sage

‎11-20-2024 12:13 AM

@Juhi Poddar @Randheer Singh 

Thank you for your advice.

 

Additional question is about login page.

Can I prepare each login page for them?

 

In my understanding, when users try to login, SSO is necessary for all.

If SSO is failed, then users can login by local with MFA.

However it is not convenient for users.

0 Helpfuls