Authentication policy contexts

  • Release version: Washingtondc
  • Updated February 1, 2024

    Use authentication policy contexts to determine how and when your instance enforces authentication policies.

    Authentication contexts define how and when a policy is enforced during the login process. Assign a policy to a policy context to define inputs and conditions regarding how your instance handles authentication.

    Pre-authentication context

    Policies in the pre-authentication context execute when a user first accesses the instance, before they see a login screen. You can use the pre-authentication context to allow or deny access, based on your selected policy, before your users are prompted for login credentials. Because these policies are evaluated before a user enters any information, they cannot take criteria such as a user's roles or groups into account.

    For more detail on this context, see Pre authentication context.

    Post-authentication context

    Policies in the post-authentication context execute after your users enter their credentials or provide an SSO response. Your instance allows or denies access based on your selected policy. Because your users have identified themselves via their login credentials, the policy can use user information to determine whether to grant access.

    For more detail on this context, see Post-authentication context.

    MFA (Multi-Factor Authentication) context

    Policies assigned to the MFA context define whether your instance enforces MFA during the login process. For more detail on this context, see MFA (Multi-Factor Authentication) context.

    Account recovery context

    Administrators can configure account recovery (ACR) to perform recovery activities such as addressing SSO misconfiguration or expired certificates. To use account recovery, you must register at least one admin account as an account recovery user. Single sign-on can't be activated on your instance until at least one such account is configured. For more information about the context that can be set, see Account recovery context.

    Session Validation context

    The Session Validation context can be used with the Adaptive authentication policy framework. The framework uses authentication policies to evaluate authentication requests (sessions) and then either denies or allows access based on policy conditions. For more information, see Session Validation Context.

    Default policy

    Within the policy context, you can define a default policy in the Default Policy field. This default defines how your instance responds to the result of your policy. The available default policy options depend on which context you are using. For details on these options, see the documentation for each individual context.