Adaptive Authentication: Force SSO for specific IP ranges, Fallback to ID/Password Login

fukudaryoya
Tera Contributor

Hi, all

 

I am currently working on implementing Adaptive Authentication in ServiceNow and facing some challenges with configuring the authentication method within the policy conditions.

My Goal:
I want to implement the following login behavior for our franchise stores and employees:

  1. Franchise Store Tablets (accessing from specific IP ranges): Users should be forced to log in via SSO (SAML). These tablets will be accessing ServiceNow via a web browser (not a mobile app).
  2. Employee Tablets (and all other accesses): Users should be able to log in using their standard ID/Password (username/password).

What I have done so far:

  1. Enabled necessary plugins (Multi-Provider SSO, SAML 2.0 Update 1, etc.).
  2. Configured SAML Identity Provider in Multi-Provider SSO for our IdP (IdP metadata imported, confirmed working).
  3. Enabled "Adaptive Authentication" property.
  4. Created an "IP Filter Criteria" (e.g., FranchiseTablet_IPs) that contains the specific IP ranges for the franchise store tablets. (Let's assume these IP ranges are correctly identified and configured).
  5. Created an "Authentication Policy" (e.g., FranchiseTablet_SSO_Policy).
    • Added the FranchiseTablet_IPs filter criteria as a "Policy Input" (using a variable like isFranchiseTabletIP).
    • Added a "Policy Condition" based on this input (e.g., {{isFranchiseTabletIP}} is True).

My current challenge:
My problem is that I cannot find where to set the "Authentication Method" (e.g., "SAML") within the "Policy Condition" record or the main "Authentication Policy" itself.

  • When I open the "Policy Condition" record, there is no "Authentication Method" field or any "Outcome" section.
  • I have tried right-clicking the form header and checking "Configure -> Form Layout" for both the "Authentication Policy" record and the "Policy Condition" record, but I still cannot find a field related to "Authentication Method," "Authentication Channels," or "Policy Result" that would allow me to specify SAML.

Screenshots of my current setup (similar to these, exact English labels may vary):
(You can attach the screenshots you shared earlier here, or describe them if attachment is not possible)

  • [Screenshot 1: Policy Condition record showing UILabel "FranchiseTablet_IP Is True" and "Condition" field]
  • [Screenshot 2: Authentication Policy main record "FranchiseTablet_SSO_Policy" showing "Policy Inputs" and "Policy Conditions" tabs]

My Questions:

  1. Where exactly should I configure the "Authentication Method" (to force SAML) within the Adaptive Authentication policy for a specific condition?
    • Is it under a "Policy Result" section that I'm missing?
    • Is it a field that needs to be manually added to the form layout? If so, what is the exact field name?
    • Could it be configured in a different related list or section that I'm overlooking?
  2. Given my goal, is this the correct approach, or is there a better way to achieve this specific IP-based authentication control (SSO for specific IPs, ID/Password for others)?
  3. Are there any specific plugins or system properties I might have missed that enable this "Authentication Method" selection within Adaptive Authentication policies? (Assuming Multi-Provider SSO and SAML 2.0 Update 1 are already active).

Any guidance, screenshots of your configuration, or links to relevant documentation that precisely covers this specific UI/version would be greatly appreciated!

Thank you in advance for your help.
