Vendor Contacts login with Account Recovery enabled

Go to solution
Lane3
Tera Contributor

‎01-02-2024 09:35 PM

Is it possible to allow vendor contacts (third-party contacts) to login using local authentication in an instance with Account Recovery enabled? 

 

When enabled, Account Recovery prevents local logins except for configured Account Recovery users. This is preventing newly created vendor contacts from successfully logging into the svdp portal. Disabling Account Recovery resolves the login issue, but this solution is not ideal because the Account Recovery tool is recommended by ServiceNow to provide enhanced security. 

 

Thanks for any insights you can provide!

Preview file
42 KB
0 Helpfuls
  • 728 Views
1 ACCEPTED SOLUTION

Go to solution
Randheer Singh
ServiceNow Employee
ServiceNow Employee

‎01-03-2024 06:28 AM

yes, it is absolutely possible. You can modify the policy associated with the account recovery context. You can add a new condition in the policy to allow vendor users.

You can create a role filter criteria with the vendor contact role and use it in the account recovery context allow policy.

 

ACR Policy Modified.jpg

ACR modified conditions.jpg

 

  

ACR condition details.jpg

 

 

Here is the documentation 
https://docs.servicenow.com/bundle/utah-platform-security/page/integrate/single-sign-on/concept/acco...

 

Thanks,

Randheer

View solution in original post

0 Helpfuls
3 REPLIES 3

Go to solution
Maik Skoddow
Tera Patron
Tera Patron

‎01-02-2024 11:54 PM

Hi @Lane3 

as you can read on https://docs.servicenow.com/bundle/vancouver-platform-security/page/integrate/single-sign-on/concept... the account recovery feature is only intended for

  1. scenarios with enabled SSO
  2. user with admin roles & resposibilities

To my mind, it's highly critical and a security breach if you assign a vendor the acr_admin role! 

From a customer instance with enabled SSO I can tell you, that we don't have enabled account recovery. 

Maik

0 Helpfuls

Go to solution
Randheer Singh
ServiceNow Employee
ServiceNow Employee

‎01-03-2024 06:28 AM

yes, it is absolutely possible. You can modify the policy associated with the account recovery context. You can add a new condition in the policy to allow vendor users.

You can create a role filter criteria with the vendor contact role and use it in the account recovery context allow policy.

 

ACR Policy Modified.jpg

ACR modified conditions.jpg

 

  

ACR condition details.jpg

 

 

Here is the documentation 
https://docs.servicenow.com/bundle/utah-platform-security/page/integrate/single-sign-on/concept/acco...

 

Thanks,

Randheer

0 Helpfuls

Go to solution
Lane3
Tera Contributor

‎01-03-2024 08:06 AM

Thank you @Randheer Singh!

0 Helpfuls