Sanchita Medar
ServiceNow Employee

Overview
The Adaptive Authentication policy framework applies contextual authentication controls to the right user at the right time. It uses authentication policies to evaluate authentication requests and then either allows or denies access to the instance based on the specified policy condition.

 

Use Case for ACME Bank

ACME bank has an organisational requirement to allow employees and contractors to access the ServiceNow instance only from the trusted IP range. If these criteria are not fulfilled, access should be denied.
The existing IP address access control cannot be used here because it can only whitelist or blacklist IP addresses and doesn't provide a way to restrict access based on roles or groups. Hence we have to implement this scenario using the Adaptive Authentication feature.

By implementing the Adaptive Authentication feature for ACME bank, we will:
1. Enforce IP- and role-based restrictions on bank contractors and employees accessing the ServiceNow instance.
2. Block access for everyone else.


Implementation of Use case for ACME Bank

The use case for ACME bank can be implemented using the Adaptive Authentication feature. Log in as an admin and follow the steps below.

 


1. Activate adaptive authentication plugin

Follow these steps to activate the Adaptive Authentication plugin.

 

  1. Navigate to All > System Applications > All Available Applications > All.
  2. Find the Adaptive Authentication (com.snc.adaptive_authentication) plugin using the filter criteria and search bar. You can search for the plugin by its name or ID. If you cannot find a plugin, you might have to request it from ServiceNow personnel.
  3. Select Install, and then in the Activate Plugin dialog box, select Activate.



2. Configure adaptive authentication policy

After activating Adaptive Authentication, configure adaptive authentication properties according to your security requirements.
Procedure:

  1. Navigate to All > Adaptive Authentication > Authentication Policies > Properties.
  2. Configure these Adaptive Authentication properties:


3. Create IP filter criteria and role filter criteria.


IP filter Criteria

Create 2 IP filter criteria:

  1. IP Filter criteria for ACME Bank employee (172.2.13.6/16)
  2. IP Filter criteria for ACME Bank contractor (10.2.3.6/24)

Procedure
To create an IP filter criteria for ACME Bank employee:

  1. From the left sidebar, navigate to Adaptive Authentication > Filter Criteria > IP Filter Criteria
  2. Click New.
  3. On the form, fill in the Name and Description.
  4. To enter the IP ranges, double-click Insert a new row. For a range of IP addresses, enter 172.2.13.6 in the Start IP column and 172.2.13.16 in the End IP column.
  5. Click on Submit to save the IP filter.


Create another IP filter criteria for ACME Bank contractor with IP address 10.2.3.6/24, following the steps above.


Role Filter criteria

Create 2 role filter criteria:

  1. Role filter criteria for ACME bank employee
  2. Role filter criteria for ACME bank contractor

Procedure

  1. From the left sidebar, navigate to Adaptive Authentication > Filter Criteria > Role Filter Criteria
  2. Click New.
  3. On the form, fill in the Name and Description.
  4. Under Condition, select Role is Contractor.
  5. Click on Submit to save the Role filter.


Create another role filter criteria for ACME Bank employee with Role is employee, following the steps above.


4. Create a policy

Here we will create an authentication policy that allows access based on the IP and role filter criteria created above.

Procedure

  1. Navigate to All > Adaptive Authentication > Authentication Policies > All Policies
  2. Click the New button to create a new policy record.
  3. In the Policy form, fill in the Name and Description fields.
  4. From the Policy Inputs tab, click Edit.
  5. Select the 2 IP filter and 2 role filter criteria created above from the Collection list and move them to the Policy Inputs List of Allow Access Policy list.
  6. Click on Save.
  7. From the Policy Conditions tab, create 2 new policy conditions:
  • Policy condition for ACME bank Employee
  • Policy condition for ACME bank Contractor
  8. To create the policy condition for ACME bank Contractor, click on the Policy Conditions tab.
  9. Click on New.
  10. On the form, fill in the Label and Description.
  11. Create 2 conditions using the IP and role filter criteria: ACME bank Contractor role is true AND ACME bank Contractor IP is true.
  12. Click on Submit to save the policy condition.
  13. Follow the same steps to create a policy condition for ACME bank Employee.
  14. Click on Update to save the data.


5. Configure post authentication policy context.

The Post Authentication policy context defines how and when a policy is enforced during the login process.
Procedure

  1. Navigate to All > Adaptive Authentication > Auth Policy context > Post authentication context
  2. Select Default policy as Allow policy.
  3. Select the Allow policy as ACME bank policy (policy created above).
  4. Click on Update.


Result
The policy allows access only to ACME bank employees with an IP address in 172.2.13.6/16 and ACME bank contractors with an IP address in 10.2.3.6/24.
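
The allow logic configured above, as an added example (a constructed JavaScript model, not ServiceNow code or a ServiceNow API): it expands the two CIDR blocks into Start IP / End IP pairs and evaluates a login against the two policy conditions, denying by default. The role names and the shape of the request object are assumptions.

```javascript
// Added example: a constructed model of the policy, not ServiceNow code or API.

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split('.');
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) {
    throw new Error('invalid IPv4 address: ' + ip);
  }
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

function intToIp(n) {
  return [24, 16, 8, 0].map(shift => Math.floor(n / 2 ** shift) % 256).join('.');
}

// Expand CIDR notation into the Start IP / End IP pair an IP filter row takes.
// Host bits are masked off, so 172.2.13.6/16 starts at 172.2.0.0.
function cidrToRange(cidr) {
  const [ip, bits] = cidr.split('/');
  const prefix = Number(bits);
  if (!/^\d{1,2}$/.test(bits || '') || prefix > 32) {
    throw new Error('invalid prefix length: ' + cidr);
  }
  const size = 2 ** (32 - prefix);
  const start = Math.floor(ipToInt(ip) / size) * size;
  return { start: intToIp(start), end: intToIp(start + size - 1) };
}

function inRange(ip, range) {
  const n = ipToInt(ip);
  return n >= ipToInt(range.start) && n <= ipToInt(range.end);
}

// One entry per policy condition; role names are placeholders (assumption).
const conditions = [
  { label: 'ACME bank Employee', role: 'employee', range: cidrToRange('172.2.13.6/16') },
  { label: 'ACME bank Contractor', role: 'contractor', range: cidrToRange('10.2.3.6/24') },
];

// Allow only when a single condition has role AND IP both true; deny otherwise.
function evaluate(request) {
  const hit = conditions.find(
    c => request.roles.includes(c.role) && inRange(request.ip, c.range));
  return hit ? { decision: 'allow', matched: hit.label }
             : { decision: 'deny', matched: null };
}
```

Comparing the output of cidrToRange with the Start IP and End IP typed into each filter row is a quick check that the row covers exactly the range the policy is meant to trust.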

 
