Our company's MFA fails when "glide.authenticate.mfa.with.multisso.enabled" is enabled

Dasco
Tera Contributor

We recently upgraded our ServiceNow sub-production instances from Xanadu to Yokohama and are currently conducting UAT.

During testing, we received a notification that MFA will be enabled for all users performing non-SSO logins and that action is required (review KB1700938).

https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1700938

The document states that for existing customers upgrading their instance to Yokohama or later releases, if the instance does not already have the adaptive authentication – MFA context policy enabled, a default MFA policy will be automatically activated.


If the record "glide.authenticate.mfa.with.multisso.enabled" is disabled in sys properties (which is our current setup), when logging in with either a local account or via SSO, we are prompted for MFA using our Microsoft Authenticator app. A number is displayed on the screen, which we enter into the Microsoft Authenticator app, or we can opt to receive an SMS.

If the record "glide.authenticate.mfa.with.multisso.enabled" is enabled in sys properties, our users will be prompted for ServiceNow's MFA in addition to our current MFA setup when logging into ServiceNow.

I need help to ensure our existing MFA (company default MFA) is not impacted by the proposed change that ServiceNow is planning when enabling MFA by default as per the KB.

Can you please advise how to achieve this desired outcome?








Simon Christens
Kilo Sage

Hi,

Only local ServiceNow users as well as LDAP users will be impacted by the MFA that gets activated in Yokohama.

If you are using SSO where you get redirected for authentication, then the users shouldn't be impacted in any way.

If you insist on disabling the MFA enforcement in Yokohama, then it's possible, though not recommended.

 

Disable:

Go to Multi-factor Authentication --> MFA Context --> Deactivate Policy

Go to: https://<instance>.service-now.com/system_properties_ui.do?sysparm_use_polaris=false&sysparm_category=MultifactorAuthDisable&sysparm_title=Reason%20for%20Turning-off%20Multi-factor%20Authentication

Provide a reason for turning off MFA --> Save

Go to Multi-factor Authentication --> Properties --> Remove check on "Enable Multi-factor authentication" and Save

 

Re-Enable:

Go to Multi-factor Authentication --> MFA Context --> Activate Policy
Reason is reset and MFA property is enabled again

Hi Simon,
Thank you for your response to my question on the community forum. Your ideas have given me some good options to explore. I will look into them and see how they work out. Many thanks for your valuable input!