Adaptive authentication

  • Release version: Australia
  • Updated March 12, 2026

    Summary of Adaptive Authentication

    The Adaptive Authentication framework enables contextual authentication controls, allowing access to your ServiceNow instance based on specific criteria like IP address, user role, and user group. This framework enhances security by evaluating authentication requests through policies that either allow or deny access based on defined conditions.


    Key Features

    • Authentication Policies: These evaluate requests and determine access based on conditions. For instance, an Allow Access Policy can restrict logins to trusted IP addresses associated with specific user roles.
    • Authentication Policy Contexts: Policies are enforced during different stages of the login process: pre-authentication (before login screen) and post-authentication (after credential entry).
    • Filter Criteria: Inputs like user role and IP range are used to verify authentication request requirements.
    • Authentication Properties: Control the activation of adaptive authentication, enable debugging, and manage user messaging for blocked access.
    • REST API Access Policies: Restrict access to inbound ServiceNow REST APIs using the adaptive authentication framework.
    • Domain Separation Support: Adaptive authentication policies can be applied to domain-separated instances, affecting access at the domain level.
    • Adaptive Authentication Events: Track events related to adaptive authentication for better monitoring and management.

    Key Outcomes

    By implementing adaptive authentication, ServiceNow customers can ensure that only authorized users gain access to their instance, thereby enhancing security and minimizing unauthorized access. Custom messages can also be configured to improve user experience in the event of login failures.

    Use the Adaptive authentication policy framework to apply contextual authentication controls to the right users at the right time. Adaptive authentication uses authentication policies to evaluate authentication requests and then either deny or allow access to your instance based on the specified policy conditions.

    Use adaptive authentication policies and contexts to restrict access to your instance for users and APIs based on criteria like IP address, user role, and user group. You can configure the built-in authentication policies according to your security requirements.

    For example, an administrator can configure the Allow Access Policy to allow logins from users only within a trusted range of IP addresses and who are members of a specific role. When assigned to the Post-authentication context, the access policy denies access from untrusted IP addresses.

    To set a custom message in the language of your instance, add a key-value pair in sys_ui_message.list and update the sys_ui_message record. When you log in with an incorrect password, the custom message in the preferred language is displayed.

    Adaptive authentication flow

    Adaptive authentication components

    Authentication policies

    Authentication policies evaluate authentication requests against the specified policy conditions and either allow or deny access depending on the result of that evaluation. For example, access is allowed only if all the policy conditions specified in Allow Access Policy evaluate to true.

    Authentication policies compare the information provided by filter criteria against the policy's conditions to determine whether to grant access to the instance. For example, a filter criterion provides a user's IP address, and a policy condition determines whether this address is within the specific range before granting access. Learn more about authentication policies in Authentication policies.
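
The evaluation described above, as an added example that is not ServiceNow code: an offline Python model in which access is allowed only if every condition evaluates to true, useful for dry-running an intended trusted range and role before configuring the policy. The ranges, the role name `example_role`, the function names and the sample requests are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Filter criteria (policy inputs). All values are constructed for illustration.
TRUSTED_RANGES = [ipaddress.ip_network(c)
                  for c in ("10.20.0.0/16", "192.0.2.0/24", "2001:db8:1::/48")]
REQUIRED_ROLE = "example_role"  # hypothetical role name

@dataclass(frozen=True)
class AuthRequest:
    user: str
    source_ip: str
    roles: frozenset = frozenset()

def ip_in_trusted_range(req):
    """Condition: the request's source address falls in a trusted range."""
    try:
        addr = ipaddress.ip_address(req.source_ip)
    except ValueError:
        return False  # an unparseable address never matches
    # Compare IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 address it carries.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(addr.version == net.version and addr in net
               for net in TRUSTED_RANGES)

def has_required_role(req):
    """Condition: the user holds the required role."""
    return REQUIRED_ROLE in req.roles

ALLOW_ACCESS_CONDITIONS = [("trusted IP range", ip_in_trusted_range),
                           ("required role", has_required_role)]

def evaluate_allow_policy(req, conditions=ALLOW_ACCESS_CONDITIONS):
    """Allow only if every condition is true; also return the ones that failed."""
    failed = [name for name, check in conditions if not check(req)]
    return (not failed, failed)

ROLE = frozenset({REQUIRED_ROLE})
SAMPLE_REQUESTS = [  # constructed sample logins
    AuthRequest("alice", "10.20.5.7", ROLE),
    AuthRequest("bob", "203.0.113.9", ROLE),
    AuthRequest("carol", "192.0.2.44"),
    AuthRequest("dave", "::ffff:10.20.1.5", ROLE),
    AuthRequest("erin", "not-an-ip", ROLE),
    AuthRequest("frank", "2001:db8:1:2::1", ROLE),
]

def dry_run(requests):
    """Map each user to (allowed, failed condition names)."""
    return {r.user: evaluate_allow_policy(r) for r in requests}
```

Running `dry_run` over a list of known administrator addresses before tightening the range shows which accounts the policy would lock out and which condition they fail.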

    Authentication policy contexts

    Authentication policy contexts define how and when policies are enforced during the login process. The pre-authentication context executes before the user is shown a login screen. The post-authentication context executes after the user enters their credentials. To use a policy, it must be assigned to a policy context. For details on these contexts, see Authentication policy contexts.

    Filter criteria

    Filter criteria (also called policy inputs) are used as inputs for policy conditions. Policy conditions use these inputs to verify and meet the requirements of authentication requests. These inputs provide information like user role, IP range, and identity provider. For more detail on filter criteria, see Filter criteria.

    Authentication properties

    Use authentication properties to control whether adaptive authentication is active on your instance. You can also use properties to enable debugging and to define the messaging users see when access is blocked. For details on these properties, see Configure adaptive authentication properties.

    REST API access policies

    You can use the filter criteria of the adaptive authentication framework to restrict access to inbound ServiceNow REST APIs. For more information, see REST API access policies.

    Domain separation and adaptive authentication

    Adaptive authentication is supported on domain-separated instances at the authentication policy condition level. Policy conditions affect the domain in the record's Domain [sys_domain] field. Policy conditions in the global domain affect all domains.

    Adaptive Authentication Events

    You can use the adaptive authentication events table to review the events that have occurred for the adaptive authentication feature. For more information, see Adaptive authentication events.