Filter criteria

  • Release version: Australia
  • Updated March 12, 2026

    Filter criteria (also called policy inputs) are used as inputs for policy conditions to verify and meet the requirements of an authentication request.

    Use filter criteria to supply information to authentication policies, such as a user's IP address, roles, or groups. Add these criteria in the Policy conditions section of your policies.

    There are seven types of filter criteria used in adaptive authentication. Your authentication policies can use one or more of these criteria to evaluate authentication requests.

    Note:
    The Location filter and Identity Provider filter are available with the Zero Trust Access feature. For more information, see Zero Trust Access (ZTA).

    Table 1. Filter criteria types

    | Type | Description |
    | --- | --- |
    | IP filter criteria | Use IP filter criteria to filter users based on their IP addresses. Both IPv4 and IPv6 are supported. |
    | Role filter criteria | Use role filter criteria to filter users based on their roles. |
    | Group filter criteria | Use group filter criteria to filter users based on the user group to which they belong. |
    | Location filter criteria | Use location filter criteria to filter users based on the user location. |
    | Identity Provider Attribute filter criteria | Use the Identity Provider attributes that are received in the SAML response from the IdP as filter criteria for authentication. |

    Generic Criteria

    In addition to the previously listed types, there are four generic filter criteria. These criteria do not appear in your filter navigator, but you can select them while adding policy inputs to your authentication policies.

    Table 2. Generic filter criteria types

    | Type | Description |
    | --- | --- |
    | Authentication Scheme | Use to filter based on the user's authentication scheme. This criterion is a choice type with two options: "User name and Password", which denotes a local login, and "SSO", which denotes a Multi-SSO (SAML, OIDC, or Digest) based login. Note: This filter criterion is available only when the Integration - Multiple Provider Single Sign-On Installer [com.snc.integration.sso.multi.installer] plugin is installed. |
    | Identity Provider | Use to filter based on the user's identity provider. Use along with the Authentication Scheme criterion for granular control over the login process. This criterion is a reference to the Identity Providers [sso_properties] table. Note: This filter criterion is available only when the Integration - Multiple Provider Single Sign-On Installer [com.snc.integration.sso.multi.installer] plugin is installed. |
    | Role-based MFA | Use to filter based on the role-based MFA feature. This criterion is a boolean type that denotes whether role-based MFA is enabled for the user. |
    | User-based MFA | Use to filter based on the user-based MFA feature. This criterion is a boolean type that denotes whether user-based MFA is enabled for the user. |
    | Trusted mobile app | Trusted mobile app filter for enabling instance access from the mobile app. |