Authentication policy contexts

  • Release version: Yokohama
  • Updated January 30, 2025

    Use authentication policy contexts to determine how and when your instance enforces authentication policies.

    Authentication contexts define how and when a policy is enforced during the login process. Assign a policy to a policy context to define inputs and conditions regarding how your instance handles authentication.

    Pre-authentication context

    Policies in the pre-authentication context execute when a user first accesses the instance, before they see a login screen. You can use the pre-authentication context to allow or deny access, based on your selected policy, before your users are prompted for login credentials. Because these policies are evaluated before a user enters any information, they cannot take criteria such as a user's roles or groups into account.

    For more detail on this context, see Pre authentication context.

    Post-authentication context

    Policies in the post-authentication context execute after your users enter their credentials or SSO response. Your instance allows or denies access based on your selected policy. Because your users have identified themselves via their login credentials, the policy can use user information to determine whether to grant access.

    For more detail on this context, see Post-authentication context.

    MFA (Multi-Factor Authentication) context

    Policies assigned to the MFA context define whether to enforce MFA during the login process. Whether your instance enforces MFA is determined by the configuration of policies in this context. For more detail on this context, see MFA (Multi-Factor Authentication) context.

    Account recovery context

    Administrators can configure account recovery (ACR) to perform recovery activities such as addressing SSO misconfiguration or expired certificates. To use account recovery, you must register at least one admin account as an account recovery user. Single sign-on can't be activated on your instance until at least one such account is configured. For more information about the context that can be set, see Account recovery context.

    Session Validation context

    The Session Validation context can be used with the Adaptive authentication policy framework. The framework uses authentication policies to evaluate session authentication requests and then either denies or allows access based on policy conditions. For more information, see Session validation context.

    Default policy

    Within the policy context, you can define a default policy in the Default Policy field. This default defines how your instance responds to the result of your policy. The available default policy options depend on which context you are using. For detail on these options, see the documentation for each individual context.