Filter criteria
Summary of Filter criteria
Filter criteria, also known as policy inputs, are essential components used in authentication policies within ServiceNow's Zurich release to evaluate and verify authentication requests. These criteria allow you to apply conditions based on specific user attributes or contexts such as IP address, roles, groups, and more. They are configured in the Policy conditions section of your authentication policies to ensure that access requirements are met.
Note that some filter criteria, like Location and Identity Provider filters, are available only with the Zero Trust Access feature.
Key Features
- IP Filter Criteria: Filters users based on their IPv4 or IPv6 addresses.
- Role Filter Criteria: Filters users according to assigned roles.
- Group Filter Criteria: Filters users based on their group memberships.
- Location Filter Criteria: Filters users based on geographic or network location (requires Zero Trust Access).
- Identity Provider Attribute Filter Criteria: Uses SAML response attributes from the Identity Provider for filtering.
Generic Filter Criteria
In addition to the above, there are four generic filter criteria available when adding policy inputs, which provide more granular control:
- Authentication Scheme: Filters based on whether the user authenticates via local login (Username and Password) or Single Sign-On (SSO) methods such as SAML, OIDC, or Digest. This is available only if the Multiple Provider Single Sign-On Installer plugin is installed.
- Identity Provider: Filters based on the user's identity provider reference, allowing precise control over login processes. Also requires the Multiple Provider Single Sign-On Installer plugin.
- Role-based MFA: Boolean filter indicating if role-based Multi-Factor Authentication is enabled for the user.
- User-based MFA: Boolean filter indicating if user-based Multi-Factor Authentication is enabled.
- Trusted Mobile App: Filters to enable access from trusted mobile applications.
Practical Use for ServiceNow Customers
By leveraging these filter criteria, ServiceNow customers can tailor authentication policies to enhance security and compliance. For example, you can restrict access based on user roles, enforce MFA selectively, or limit logins from specific IP ranges or locations, aligning with your organization's security posture. The integration with Zero Trust Access and Multi-SSO capabilities further empowers you to implement robust, context-aware authentication flows.
Filter criteria (also called policy inputs) are used as inputs for policy conditions to verify and meet the requirements of an authentication request.
Use filter criteria to supply information to authentication policies, such as a user's IP address, roles, or groups. Add these criteria in the Policy conditions section of your policies.
There are seven types of filter criteria used in adaptive authentication. Your authentication policies can use one or more of these criteria to evaluate authentication requests.
| Type | Description |
|---|---|
| IP filter criteria | Use IP filter criteria to filter users based on the user's IP addresses. Both IPv4 and IPv6 are supported. |
| Role filter criteria | Use role filter criteria to filter users based on their roles. |
| Group filter criteria | Use group filter criteria to filter users based on the user group to which the user belongs. |
| Location filter criteria | Use location filter criteria to filter users based on the user location. |
| Identity Provider Attribute filter criteria | Use the Identity Provider attributes that are received in the SAML response from the IdP as filter criteria for authentication. |
Generic Criteria
In addition to the previously listed types, there are four generic filter criteria. These criteria do not appear in your filter navigator, but you can select them while adding policy inputs to your authentication policies.
| Type | Description |
|---|---|
| Authentication Scheme | Use to filter based on the user's authentication scheme. This criterion is a choice type with two options. Note: This filter criterion is available only when the Integration - Multiple Provider Single Sign-On Installer [com.snc.integration.sso.multi.installer] plugin is installed. |
| Identity Provider | Use to filter based on the user's identity provider. Use along with the authentication scheme criteria to have granular control over the login process. This criterion is a reference to the Identity Providers [sso_properties] table. Note: This filter criterion is available only when the Integration - Multiple Provider Single Sign-On Installer [com.snc.integration.sso.multi.installer] plugin is installed. |
| Role-based MFA | Use to filter based on the role-based MFA feature. This criterion is a boolean filter that denotes whether role-based MFA is enabled for the user. |
| User-based MFA | Use to filter based on the user-based MFA feature. This criterion is a boolean filter that denotes whether user-based MFA is enabled for the user. |
| Trusted mobile app | Trusted mobile app filter for enabling instance access from mobile app. |
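
The following added example is a conceptual model, not ServiceNow code or its API. It shows how IP, role, group, authentication scheme, and role-based MFA inputs could be evaluated together for one login request, including IPv4 and IPv6 ranges and an IPv4-mapped IPv6 client address. The class names, field names, the "all conditions must hold" rule, and the sample policy are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class LoginContext:            # hypothetical request context, not a ServiceNow object
    ip: str
    roles: set
    groups: set
    auth_scheme: str           # "local" or "sso" (assumed labels)
    role_based_mfa: bool

@dataclass
class Policy:                  # hypothetical container for policy inputs
    ip_ranges: list = field(default_factory=list)   # CIDR strings, IPv4 or IPv6
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    auth_scheme: str = None
    require_role_based_mfa: bool = False

def normalize_ip(text):
    """Parse an address; unwrap IPv4-mapped IPv6 so it can match IPv4 ranges."""
    addr = ipaddress.ip_address(text)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr

def ip_matches(text, cidrs):
    addr = normalize_ip(text)
    nets = (ipaddress.ip_network(c, strict=False) for c in cidrs)
    return any(n.version == addr.version and addr in n for n in nets)

def evaluate(policy, ctx):
    """Return the names of failed criteria; an empty list means the policy matches."""
    failed = []
    if policy.ip_ranges and not ip_matches(ctx.ip, policy.ip_ranges):
        failed.append("ip")
    if policy.roles and not (policy.roles & ctx.roles):
        failed.append("role")
    if policy.groups and not (policy.groups & ctx.groups):
        failed.append("group")
    if policy.auth_scheme and policy.auth_scheme != ctx.auth_scheme:
        failed.append("auth_scheme")
    if policy.require_role_based_mfa and not ctx.role_based_mfa:
        failed.append("role_based_mfa")
    return failed

# Constructed sample policy: admins only from these ranges, via SSO, with MFA.
ADMIN_POLICY = Policy(ip_ranges=["203.0.113.0/24", "2001:db8:10::/48"],
                      roles={"admin"}, auth_scheme="sso",
                      require_role_based_mfa=True)
```

Returning the failed criteria by name, rather than a bare true/false, makes it easier to see which input blocked a request when reviewing a policy.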