Tutorial: Configure Continuous Authentication for a Data Class

  • Release version: Australia
  • Updated March 12, 2026
  • This procedure describes the end-to-end configuration of a continuous authentication (CA) policy for a data class and how the configuration changes affect users.

    Before you begin

    • Role required: ca_admin
      Note:
      You must elevate your role to ca_admin.
    • Install Zero Trust - Continuous Authentication (com.snc.zero_trust_continuous_authentication) to opt in to CA. This requires a license.
    • Enable the Continuous Authentication (glide.zta.continuous_authentication.enabled) system property. For more information, see System properties.
    • Activate the Integration - Multiple Provider Single Sign-On Installer (com.snc.integration.sso.multi.installer) plugin.
    • Understand the pre-work that is required before configuring CA for the instance. For more information, see Pre-work for Continuous Authentication.

    Procedure

    1. Navigate to All > Continuous Authentication.
    2. Select the Policies tab.
    3. Select New.
    4. On the form, fill in the fields:
      Table 1. Continuous Authentication
      Field | Description
      Policy Name | Name of the policy
      Description | Generic description of the policy
      Select the resources | Select the Data Class. You can create a data class and use it for CA policy configuration.
      Note:
      To learn more about how to create a data class, see Data Classification.
      CA Policy for a Data Class
      Note:
      You can use either of the following login methods for the CA policy:
      • SSO based login: Specify the fields in the Continuous Authentication tab within the Identity Provider record and then set the Identity Provider record as Active.
        Continuous Authentication - tab information

        To learn more about Identity Providers configuration, see OIDC and SAML.

      • Non-SSO based login: By default, if there is no Identity Provider with Continuous Authentication configuration, Multi-factor Authentication (MFA) is used as a login method. Make sure the MFA properties are Active and configured based on your requirements. To learn more about MFA properties, see Multi-factor Authentication system properties.
    5. Select Save & Activate.

    Result

    Based on the details provided for the configuration, the CA policy is created with Access Control Lists (ACLs) for the selected table or data class. You can view the details of the ACLs that are created by selecting View ACLs on the policy page.

    ACL Details for Data Class CA policy

    The CA policy that you created prompts the user to authenticate before accessing the data class that you've protected with the policy (in this case, the data class set for the Account Recovery table). The user can select the Authenticate option.

    CA Policy enforced for data class

    Perform the authentication based on the following:

    • A user who logged in to the instance with a local login is shown platform MFA for step-up authentication.
      MFA-SMS

    • A user who logged in to the instance with an SSO login (OIDC or SAML) is shown SSO for re-authentication.
      SSO - Screen

    After successful authentication, the table with the data class is displayed.

    ACR table after successful login

    A high assurance session is now established for the user. The high assurance session is limited to the length set by the High Assurance session length (glide.zta.high_assurance.session.timeout) system property. If the high assurance session time exceeds the property length, the user is prompted for re-authentication or step-up authentication.
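
The following added example models the Result behaviour described above as a plain JavaScript decision function, so the expected prompts can be written down as test cases when validating a policy. It is not ServiceNow platform code and calls no platform API. The object shapes, function names and the `example_restricted` data class are hypothetical, the timeout is assumed to be passed in milliseconds (the page does not state the property's unit), and the MFA fallback for an SSO user whose Identity Provider has no active CA configuration is one reading of the login-method note.

```javascript
// Illustrative model only; names and object shapes are hypothetical.
const Decision = Object.freeze({
  ALLOW: 'ALLOW',
  MFA_STEP_UP: 'MFA_STEP_UP', // platform MFA prompt
  SSO_REAUTH: 'SSO_REAUTH',   // re-authentication at the Identity Provider
});

// Constructed sample data: an active policy protecting one data class, and a
// table (Account Recovery, as in the tutorial) that carries that data class.
const SAMPLE_POLICY = { active: true, dataClass: 'example_restricted' };
const ACCOUNT_RECOVERY = { table: 'Account Recovery', dataClasses: ['example_restricted'] };

/**
 * session:   { loginMethod: 'local' | 'sso', idpCaActive: boolean,
 *              highAssuranceAt: number | null }  (epoch ms of last successful challenge)
 * timeoutMs: assumed value of glide.zta.high_assurance.session.timeout, in ms
 * now:       current time, epoch ms
 */
function evaluateAccess(session, resource, policy, timeoutMs, now) {
  // The CA policy only applies to resources that carry the protected data class.
  if (!policy.active || !resource.dataClasses.includes(policy.dataClass)) {
    return Decision.ALLOW;
  }
  // A high assurance session is valid until its age exceeds the timeout.
  // A timestamp in the future is treated as invalid (fail closed).
  const at = session.highAssuranceAt;
  const valid = typeof at === 'number' && at <= now && now - at <= timeoutMs;
  if (valid) {
    return Decision.ALLOW;
  }
  // SSO users re-authenticate at the IdP when it has an active CA configuration;
  // everyone else gets MFA (assumption based on the page's default for non-SSO login).
  if (session.loginMethod === 'sso' && session.idpCaActive) {
    return Decision.SSO_REAUTH;
  }
  return Decision.MFA_STEP_UP;
}

// After a successful challenge, a new high assurance session starts at `now`.
function recordSuccessfulChallenge(session, now) {
  return { ...session, highAssuranceAt: now };
}
```
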