Vendor Portal Security

Dan Y25 · ‎02-05-2024

Hello,

Has anyone setup additional types of authentication for the TPRM (Third-party risk management) vendor portal (/svdp)?

OOTB uses local accounts using the Vendor Contact records, and there's restrictions for these 3rd party vendor contacts to only access the vendor portal.

For example, any experience setting up MFA or other types of authentication, and if so, any tips on configuring that?

Thank you, Dan

Randheer Singh · ‎02-06-2024

Hi @Dan Y25 ,

Yes, you can enforce MFA for vendor logins. You can use the adaptive authentication - MFA context policy to enforce this security control.

Here is the product documentation.

You can create a role filter criteria with the role(s) provided to vendor portal users.

Then, you can create an adaptive authentication policy and use this criterion. You can add a condition and associate the policy with the MFA context record.

For additional details, please refer to this 30-minute Adaptive Authentication course on NowLearning.

Thanks,

Randheer

View solution in original post

Randheer Singh · ‎04-19-2024

Hi @Dan Y25 .
I'm sorry, I was not explicit in saying you can NOT use the pre-auth context policy.

For your use case, you have to use the post-authentication context policy along with other protections like API access policies and session validation context policy (Available from the W release)

Thanks,

Randheer

View solution in original post

Sameer32 · ‎02-06-2024

I have the same question: Can we set up MFA for vendor portal users? or any authentication?

Randheer Singh · ‎02-06-2024

Hi @Dan Y25 ,

Yes, you can enforce MFA for vendor logins. You can use the adaptive authentication - MFA context policy to enforce this security control.

Here is the product documentation.

You can create a role filter criteria with the role(s) provided to vendor portal users.

Then, you can create an adaptive authentication policy and use this criterion. You can add a condition and associate the policy with the MFA context record.

For additional details, please refer to this 30-minute Adaptive Authentication course on NowLearning.

Thanks,

Randheer

Dan Y25 · ‎04-15-2024

hello @Randheer Singh and team,

We've reviewed the product documentation and not sure how we can handle our situation.

The customer requires IP access controls such that only users who are in authorized network locations (based upon IP address) can access the ServiceNow instance.

The third party users will not be included in those IP access controls, e.g., they are not in an authorized network location, and they will have the external role.

It seems like the IP Filter policy can be setup in the pre authorization context for adaptive authentication to allow authorized users but not sure how that would work for the third party users that do not match the IP filter.

Is there a way to use the IP Filter and MFA role based context to satisfy this use case for the third party portal users?

Thank you, Dan

Randheer Singh · ‎04-19-2024

Hi @Dan Y25 @robspence

You have to use the post-authentication context policy to apply this security. In the pre-authentication context policy, you can not use role/group based conditions.

In addition to that you should also consider using API access policy to apply IP protection for your non-interactive access.

Thanks,

Randheer