Tutorial: Configure Continuous Authentication for a Table

  • Release version: Australia
  • Updated March 12, 2026
  • This procedure describes the end-to-end configuration of a continuous authentication (CA) policy for a table and how the configuration changes affect users.

    Before you begin

    • Role required: ca_admin
      Note:
      You must elevate your role to ca_admin.
    • You must install Zero Trust - Continuous Authentication (com.snc.zero_trust_continuous_authentication), which requires a license, to opt in to CA.
    • Enable the Continuous Authentication (glide.zta.continuous_authentication.enabled) system property. For more information, see System properties.
    • Activate the Integration - Multiple Provider Single Sign-On Installer (com.snc.integration.sso.multi.installer) plugin.
    • Understand the pre-work that is required before configuring CA for the instance. For more information, see Pre-work for Continuous Authentication.

    Procedure

    1. Navigate to All > Continuous Authentication.
    2. Select the Policies tab.
    3. Select New.
    4. On the form, fill in the fields:
      Table 1. Continuous Authentication
      Field                 Description
      Policy Name           Name of the policy
      Description           Generic description of the policy
      Select the resources  Select the Table.
      Note:
      • In this example, the Incident table is selected. You can select as many tables as you require.
      • Selecting a table with metadata displays an error. Check whether you actually want to restrict access to the metadata table, because it can affect configuration access for your users.
      • The sys_properties, sys_continuous_auth_policy, and sys_user tables are excluded from CA and cannot be added to the CA policy configuration.
      Figure: CA Policy record
      Note:
      You can use either of the following login methods for the CA policy:
      • SSO based login: Specify the fields in the Continuous Authentication tab within the Identity Provider record, and then set the Identity Provider record as Active.
        Figure: Continuous Authentication - tab information

        To know more about Identity Providers configuration, see OIDC and SAML.

      • Non-SSO based login: By default, if no Identity Provider has a Continuous Authentication configuration, Multi-factor Authentication (MFA) is used as the login method. Make sure the MFA properties are Active and configured based on your requirement. To know more about MFA properties, see Multi-factor Authentication system properties.
    5. Select Save & Activate.
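
A pre-flight check for the prerequisites and the excluded-table rule in this tutorial, added here as an example and not ServiceNow's own code. The `env` adapter and the function and variable names are assumptions, as is the property reading `true` when enabled; the property name, plugin IDs and excluded tables are the ones listed on this page.

```javascript
// Added example: pre-flight check before creating a CA policy.
// Property name, plugin IDs and excluded tables are taken from this page.
var CA_PROPERTY = 'glide.zta.continuous_authentication.enabled';
var CA_PLUGINS = [
  'com.snc.zero_trust_continuous_authentication',
  'com.snc.integration.sso.multi.installer'
];
var CA_EXCLUDED_TABLES = ['sys_properties', 'sys_continuous_auth_policy', 'sys_user'];

// env is a hypothetical adapter exposing getProperty(name) and isPluginActive(id).
// Assumption: the property reads 'true' when CA is enabled.
function checkCaReadiness(env, plannedTables) {
  var problems = [];
  if (String(env.getProperty(CA_PROPERTY)) !== 'true') {
    problems.push('property not enabled: ' + CA_PROPERTY);
  }
  CA_PLUGINS.forEach(function (id) {
    if (!env.isPluginActive(id)) {
      problems.push('plugin not active: ' + id);
    }
  });
  plannedTables.forEach(function (table) {
    // Normalize so ' SYS_USER ' and 'sys_user' are treated the same.
    var name = String(table).trim().toLowerCase();
    if (CA_EXCLUDED_TABLES.indexOf(name) !== -1) {
      problems.push('table excluded from CA: ' + name);
    }
  });
  return problems;
}

// On an instance (Scripts - Background), wire the adapter to the Glide APIs.
// Outside ServiceNow, gs is undefined and this part is skipped.
if (typeof gs !== 'undefined') {
  var pluginManager = new GlidePluginManager();
  var findings = checkCaReadiness({
    getProperty: function (name) { return gs.getProperty(name, 'false'); },
    isPluginActive: function (id) { return pluginManager.isActive(id); }
  }, ['incident']);
  gs.info(findings.length ? findings.join('\n') : 'Ready to create the CA policy');
}
```

An empty result means the property and both plugins are in place and none of the planned tables is on the excluded list; it does not detect tables with metadata.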

    Result

    Based on the details provided for the configuration, the CA policy is created with Access Control Lists (ACLs) for the selected table or data class. You can view the details of the ACLs that are created by selecting View ACLs on the policy page.

    Figure: CA ACL details

    The CA policy that you created prompts the user for authentication to access the table (in this case, the Incident table) that you've protected using the policy. The user can select the Authenticate option.

    Figure: CA Policy enforced

    Perform the authentication based on the following:

    • A user who logged in to the instance with a local login is shown platform MFA for step-up authentication.
      Figure: MFA-SMS

    • A user who logged in to the instance with an SSO login (OIDC or SAML) is shown the SSO screen for re-authentication.
      Figure: SSO - Screen

    After successful authentication, the table is displayed.

    Figure: Incident table after successful login

    A high assurance session is now established for the user. The high assurance session is limited to the value of the High Assurance session length (glide.zta.high_assurance.session.timeout) system property. If the high assurance session time exceeds the property length, the user is prompted for re-authentication or step-up authentication.