Authentication policy contexts
Summary of Authentication Policy Contexts
Authentication policy contexts enable you to manage how and when authentication policies are enforced within your ServiceNow instance. These contexts determine the conditions under which users can access the system based on their login process.
Key Features
- Pre-authentication Context: Executes policies before users see the login screen, allowing or denying access before credential entry. Note that it cannot consider user roles or groups.
- Post-authentication Context: Executes after users enter their credentials, allowing policies to utilize user information to grant or deny access.
- MFA Context: Determines if Multi-Factor Authentication is enforced during login based on the configuration of assigned policies.
- Account Recovery Context: Allows for recovery operations like fixing SSO misconfigurations. Requires at least one admin account to be registered as an account recovery user.
- Session Validation Context: Works with the Adaptive authentication policy framework to evaluate authentication requests and enforce access based on defined conditions.
- Default Policy: A default policy can be set within each context to define the instance's response to policy results, with options varying by context.
Key Outcomes
Utilizing authentication policy contexts allows you to enhance security by controlling access based on specific criteria and user information during the login process. This tailored approach ensures that only authorized users can access your ServiceNow instance, improving overall security and user experience.
Use authentication policy contexts to determine how and when your instance enforces authentication policies.
Authentication contexts define how and when a policy is enforced during the login process. Assign a policy to a policy context to define inputs and conditions regarding how your instance handles authentication.
Pre-authentication context
Policies in the pre-authentication context execute when a user first accesses the instance, before they see a login screen. You can use the pre-authentication context to allow or deny access, based on your selected policy, before your users are prompted for login credentials. Because these policies are evaluated before a user enters any information, they cannot take criteria such as a user's roles or groups into account.
For more detail on this context, see Pre authentication context.
Post-authentication context
Policies in the post-authentication context execute after your users submit their credentials or SSO response. Your instance allows or denies access based on your selected policy. Because your users have identified themselves via their login credentials, the policy can use user information to determine whether to grant access.
For more detail on this context, see Post-authentication context.
MFA (Multi-Factor Authentication) context
Policies assigned to the MFA context define whether to enforce MFA during the login process. Whether your instance enforces MFA is determined by the configuration of policies in this context. For more detail on this context, see Multi-factor Authentication context.
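The following toy model is an added illustration, not ServiceNow code or a ServiceNow API. It shows which inputs a policy can see in the pre-authentication, post-authentication and MFA contexts described above. All names, users, addresses and sample policies are constructed, and evaluating the MFA policy after the post-authentication policy is an assumption of the model.

```javascript
// Toy model of the login flow. Every identifier and value here is constructed.
const USERS = new Map([
  ["alice", { password: "pw-a", roles: ["admin"], groups: ["platform"] }],
  ["bob", { password: "pw-b", roles: ["itil"], groups: ["helpdesk"] }],
]);

const inCorpNet = (ip) => ip.startsWith("10.");

// Each context receives only the inputs that exist at that point in the login.
const policies = {
  // Runs before the login screen: request attributes only, no user record.
  preAuth: ({ request }) => !request.ip.startsWith("203.0.113."),
  // Runs after credentials are verified: user information is available.
  postAuth: ({ request, user }) =>
    !user.roles.includes("admin") || inCorpNet(request.ip),
  // Decides whether MFA is enforced for this login.
  mfa: ({ request, user }) =>
    user.roles.includes("admin") || !inCorpNet(request.ip),
};

function login(request, username, password) {
  const trace = ["pre-auth"];
  if (!policies.preAuth({ request })) {
    return { outcome: "denied before login screen", trace };
  }
  trace.push("credentials");
  const user = USERS.get(username);
  // Plain comparison is a stand-in for real credential or SSO verification.
  if (!user || user.password !== password) {
    return { outcome: "invalid credentials", trace };
  }
  trace.push("post-auth");
  if (!policies.postAuth({ request, user })) {
    return { outcome: "denied after authentication", trace };
  }
  // Assumption of this model: the MFA policy is evaluated last.
  trace.push("mfa");
  return { outcome: "allowed", mfaRequired: policies.mfa({ request, user }), trace };
}
```

A role-based rule only works from the post-authentication context onward: calling `policies.postAuth` with the pre-authentication inputs (`{ request }` alone) fails because no user record exists yet.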
Account recovery context
Administrators can configure account recovery (ACR) to perform recovery activities such as addressing SSO misconfiguration or expired certificates. To use account recovery, you must register at least one admin account as an account recovery user. Single sign-on can’t be activated on your instance until at least one account recovery user is configured. For more information about the context that can be set, see Account recovery context.
Session Validation context
The Session Validation context can be used with the Adaptive authentication policy framework. The framework uses authentication policies to evaluate authentication requests (sessions) and then either denies or allows access based on policy conditions. For more information, see Session validation context.
Default policy
Within the policy context, you can define a default policy in the Default Policy field. This default defines how your instance responds to the result of your policy. The available default policy options are determined by which context you are using. Detail on these options can be found in the docs describing these individual contexts.