Vendor Portal Security

Go to solution
Dan Y25
Tera Contributor

‎02-05-2024 11:37 AM

Hello,

 

Has anyone setup additional types of authentication for the TPRM (Third-party risk management) vendor portal (/svdp)?

 

OOTB uses local accounts using the Vendor Contact records, and there's restrictions for these 3rd party vendor contacts to only access the vendor portal.

 

For example, any experience setting up MFA or other types of authentication, and if so, any tips on configuring that?

 

Thank you, Dan

0 Helpfuls
  • 2,445 Views
2 ACCEPTED SOLUTIONS

Go to solution
Randheer Singh
ServiceNow Employee
ServiceNow Employee

‎02-06-2024 07:11 AM

Hi @Dan Y25 ,

 

Yes, you can enforce MFA for vendor logins. You can use the adaptive authentication - MFA context policy to enforce this security control.

 

Here is the product documentation.

 

You can create a role filter criteria with the role(s) provided to vendor portal users.

Then, you can create an adaptive authentication policy and use this criterion. You can add a condition and associate the policy with the MFA context record.

 

For additional details, please refer to this 30-minute Adaptive Authentication course on NowLearning.

 

Thanks,

Randheer

View solution in original post

Go to solution
Randheer Singh
ServiceNow Employee
ServiceNow Employee
In response to Dan Y25

‎04-19-2024 08:13 AM

Hi @Dan Y25 .
I'm sorry, I was not explicit in saying you can NOT use the pre-auth context policy.

For your use case, you have to use the post-authentication context policy along with other protections like API access policies and session validation context policy (Available from the W release)

Thanks,

Randheer

View solution in original post

0 Helpfuls
8 REPLIES 8

Go to solution
Dan Y25
Tera Contributor
In response to Randheer Singh

‎04-19-2024 05:30 AM

Thank you, @Randheer Singh, for your reply.

 

The issue we have is that the 3rd party contacts will not pass the IP filter in order to attempt a login, and therefore I assume it will not reach the post-authentication context policy.

 

I assume this is not the first time for this scenario for the TPRM third party portal. 

 

Any advice or suggestions? Or can you check with others?

 

Thanks again, Dan

0 Helpfuls

Go to solution
Randheer Singh
ServiceNow Employee
ServiceNow Employee
In response to Dan Y25

‎04-19-2024 08:13 AM

Hi @Dan Y25 .
I'm sorry, I was not explicit in saying you can NOT use the pre-auth context policy.

For your use case, you have to use the post-authentication context policy along with other protections like API access policies and session validation context policy (Available from the W release)

Thanks,

Randheer

0 Helpfuls

Go to solution
Dan Y25
Tera Contributor
In response to Randheer Singh

‎04-24-2024 09:16 AM

Thank you for the clarifications. I heard some good feedback from our dev team that it's working. Next step is to review with the customer and try in some other environments. 

0 Helpfuls

Go to solution
robspence
ServiceNow Employee
ServiceNow Employee

‎04-18-2024 06:06 AM

Anyone have an answer for the above?

0 Helpfuls