Establish high assurance session for SSO login using ServiceNow's continuous authentication.

A high assurance session is a session that requires a user to verify their identity and authenticate with a specific identity or Identity Providers for a specific time frame.

ServiceNow's continuous authentication (CA) feature enables you to create policies that creates a high assurance session to the users who access Personally Identifiable Information (PII), sensitive data, or restrict the access to explicit data that you want to protect.

When the user re-authenticates, there's a high assurance session that is established, which provides the ability for the users to access the data protected by the CA administrator based on the CA policy configuration.

You can create CA policies to verify the users identity and authentication the users to access the data that you've protected. You can configure the CA policy and provide the Identity Providers details in the Identity Providers record to establish high assurance session.

The users who are performing SSO based login (SAML or OIDC) and whenever there is an attempt to access the protected data, re-authentication screen is prompted with the same SSO that was used by the user during the initial login.

After successful SSO authentication, the protected data is displayed to the users for a certain time frame. You can configure the properties to change the time limit based on your requirement. To know more, see High Assurance session with Continuous Authentication.

Performing re-authentication with SSO login (SAML or OIDC), creates a high assurance session establishing a secure and trusted connection with the identities (users) who are accessing the protected data.

An high assurance session established for the user is limited to the High Assurance session length (glide.zta.high_assurance.session.timeout) system property. If the high assurance session time exceeds the property length, the user is prompted for re-authentication or step up authentication.