Adaptive authentication
Summary of Adaptive Authentication
Adaptive authentication provides a framework for enforcing contextual authentication controls, allowing access to ServiceNow instances based on specific user and API criteria. This authentication mechanism evaluates requests using policies that can either permit or deny access depending on defined conditions such as IP address, user role, and user group.
Key Features
- Authentication Policies: These policies assess authentication requests and determine access based on set conditions. For example, the Allow Access Policy can restrict logins to users from trusted IP addresses and specific roles.
- Policy Contexts: Policies can be applied in two contexts: pre-authentication (before login) and post-authentication (after credentials entry), defining when the policies take effect.
- Filter Criteria: Also known as policy inputs, these criteria provide essential information like user roles and IP ranges to evaluate authentication requests.
- Authentication Properties: Control the activation of adaptive authentication and manage user messaging for blocked access.
- REST API Access Policies: Utilize filter criteria to regulate access to ServiceNow’s inbound REST APIs.
- Domain Separation: Adaptive authentication supports domain-separated instances, allowing policies to be applied effectively at the domain level.
Key Outcomes
Implementing adaptive authentication enhances security by ensuring that access is granted only to the right users under the right conditions. Users can expect a more secure login process that adapts based on their context, helping to protect sensitive information and resources within their ServiceNow instance.
Use the adaptive authentication policy framework to apply contextual authentication controls to the right users at the right time. Adaptive authentication uses authentication policies to evaluate authentication requests and then either denies or allows access to your instance based on the specified policy conditions.
Use adaptive authentication policies and contexts to restrict access to your instance for users and APIs based on criteria like IP address, user role, and user group. You can configure the built-in authentication policies according to your security requirements.
For example, an administrator can configure the Allow Access Policy to allow logins only from users who are within a trusted range of IP addresses and who have a specific role. When assigned to the Post-authentication context, the access policy denies access from untrusted IP addresses.
To set a custom message in the language of your instance, add a key-value pair in sys_ui_message.list and update the sys_ui_message record. When you log in with an incorrect password, the custom message is displayed in the preferred language.
Adaptive authentication components
- Authentication policies
Authentication policies evaluate authentication requests against the specified policy conditions and either allow or deny access depending on the result of that evaluation. For example, access is allowed only if all the policy conditions specified in the Allow Access Policy evaluate to true.
Authentication policies compare the information provided by filter criteria against the policy's conditions to determine whether to grant access to the instance. For example, a filter criterion provides a user's IP address, and a policy condition determines whether this address is within the specified range before granting access. Learn more about authentication policies in Authentication policies.
- Authentication policy contexts
Authentication policy contexts define how and when policies are enforced during the login process. The pre-authentication context executes before the user is shown a login screen. The post-authentication context executes after the user enters their credentials. To use a policy, it must be assigned to a policy context. For details on these contexts, see Authentication policy contexts.
- Filter Criteria
Filter criteria (also called policy inputs) are used as inputs for policy conditions. Policy conditions use these inputs to verify and meet the requirements of authentication requests. These inputs provide information like user role, IP range, and identity provider. For more detail on filter criteria, see Filter criteria.
- Authentication properties
Use authentication properties to control whether adaptive authentication is active on your instance. You can also use properties to enable debugging and to define the messaging users see when access is blocked. For details on these properties, see Configure adaptive authentication properties.
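The following added example is a simplified Python model, not ServiceNow code or configuration, of how an Allow Access Policy combines filter criteria: access is granted only when every condition (trusted IP range and required role) evaluates to true. The class and function names, the sample addresses, the role name `example_role`, and the deny-on-missing-input behaviour are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class IpRange:                      # filter criteria: trusted network ranges
    cidrs: tuple
    def matches(self, request):
        try:
            addr = ipaddress.ip_address(request.get("ip") or "")
        except ValueError:
            return False            # missing or malformed input fails the condition
        # An address of a different IP version is never inside the network.
        return any(addr in ipaddress.ip_network(c) for c in self.cidrs)

@dataclass(frozen=True)
class HasRole:                      # filter criteria: required user role
    role: str
    def matches(self, request):
        return self.role in request.get("roles", ())

def allow_access_policy(conditions, request):
    """Grant access only if every policy condition evaluates to true."""
    if not conditions:              # model assumption: an empty policy fails closed
        return "deny"
    return "allow" if all(c.matches(request) for c in conditions) else "deny"

# Constructed sample data: documentation IP ranges and a made-up role name.
POLICY = (IpRange(("203.0.113.0/24",)), HasRole("example_role"))
REQUESTS = {
    "trusted ip, role":    {"ip": "203.0.113.10", "roles": ["example_role"]},
    "untrusted ip, role":  {"ip": "198.51.100.7", "roles": ["example_role"]},
    "trusted ip, no role": {"ip": "203.0.113.10", "roles": []},
    "ipv6 client":         {"ip": "2001:db8::1", "roles": ["example_role"]},
    "malformed ip":        {"ip": "203.0.113.999", "roles": ["example_role"]},
}

def evaluate_all():
    """Return the decision for each constructed post-authentication request."""
    return {name: allow_access_policy(POLICY, r) for name, r in REQUESTS.items()}

if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:20} -> {decision}")
```

Only the first request is allowed; a trusted range defined only in IPv4 silently excludes IPv6 clients, which is worth checking before enforcing a policy of this shape.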
REST API access policies
You can use the filter criteria of the adaptive authentication framework to restrict access to inbound ServiceNow REST APIs. For more information, see REST API access policies.
Domain separation and adaptive authentication
Adaptive authentication is supported on domain-separated instances at the authentication policy condition level. Policy conditions affect the domain in the record's Domain [sys_domain] field. Policy conditions in the global domain affect all domains.