Vendor Portal Security

Dan Y25
Tera Contributor

Hello,

 

Has anyone set up additional types of authentication for the TPRM (Third-party risk management) vendor portal (/svdp)?

 

OOTB uses local accounts using the Vendor Contact records, and there are restrictions for these 3rd party vendor contacts to only access the vendor portal.

 

For example, any experience setting up MFA or other types of authentication, and if so, any tips on configuring that?

 

Thank you, Dan

2 ACCEPTED SOLUTIONS

Randheer Singh
ServiceNow Employee

Hi @Dan Y25 ,

 

Yes, you can enforce MFA for vendor logins. You can use the adaptive authentication - MFA context policy to enforce this security control.

 

Here is the product documentation.

 

You can create a role filter criteria with the role(s) provided to vendor portal users.

Then, you can create an adaptive authentication policy and use this criterion. You can add a condition and associate the policy with the MFA context record.

 

For additional details, please refer to this 30-minute Adaptive Authentication course on NowLearning.

 

Thanks,

Randheer


8 REPLIES

Thank you, @Randheer Singh, for your reply.

 

The issue we have is that the 3rd party contacts will not pass the IP filter in order to attempt a login, and therefore I assume it will not reach the post-authentication context policy.

 

I assume this is not the first time for this scenario for the TPRM third party portal. 

 

Any advice or suggestions? Or can you check with others?

 

Thanks again, Dan

Hi @Dan Y25 .
I'm sorry, I was not explicit in saying you can NOT use the pre-auth context policy.

For your use case, you have to use the post-authentication context policy along with other protections like API access policies and session validation context policy (available from the W release).

Thanks,

Randheer

Thank you for the clarifications. I heard some good feedback from our dev team that it's working. Next step is to review with the customer and try in some other environments. 

robspence
ServiceNow Employee

Anyone have an answer for the above?