Adaptive authentication
Summary of Adaptive authentication
Adaptive authentication in ServiceNow provides a policy-driven framework to enforce contextual authentication controls, ensuring that the right users access your instance at the right time. By evaluating authentication requests against configurable policies, it allows you to allow or deny access based on criteria such as IP address, user role, and user group. This enhances security by restricting access dynamically according to your organization's security requirements.
Key Features
- Authentication Policies: Define conditions that must be met for access to be granted. These policies evaluate inputs like IP addresses or user roles to either allow or deny login attempts.
- Authentication Policy Contexts: Specify when policies are enforced during the login process, either before the login screen appears (pre-authentication) or after user credentials are submitted (post-authentication).
- Filter Criteria: Serve as inputs to policy conditions, providing essential information such as user roles, IP ranges, and identity providers to validate authentication requests.
- Authentication Properties: Control the activation of adaptive authentication, enable debugging, and customize user-facing messages when access is blocked.
- REST API Access Policies: Leverage filter criteria to restrict access to inbound ServiceNow REST APIs, securing API endpoints based on adaptive authentication rules.
- Domain Separation Support: Adaptive authentication policies operate effectively in domain-separated instances by applying conditions at the domain level, with global domain policies affecting all domains.
- Custom Messaging: Customize messages displayed to users upon failed login attempts by adding entries to the system message table in the preferred language of the instance.
- Adaptive Authentication Events: Track and review authentication events related to adaptive authentication to monitor and audit access attempts.
Practical Benefits
ServiceNow customers can use adaptive authentication to enhance instance security by enforcing granular access controls that adapt to user context and conditions. This ensures that only authorized users from trusted environments can access the instance or APIs. Customizable messages improve user experience by providing clear feedback in the preferred language. The framework's integration with domain separation supports complex organizational structures, and the event logging facilitates security monitoring and compliance.
Use the Adaptive authentication policy framework to enforce contextual authentication controls so that the right users get access at the right time. Adaptive authentication uses authentication policies to evaluate authentication requests and then either deny or allow access to your instance based on the specified policy conditions.
Use adaptive authentication policies and contexts to restrict access to your instance for users and APIs based on criteria like IP address, user role, and user group. You can configure the built-in authentication policies according to your security requirements.
For example, an administrator can configure the Allow Access Policy to allow logins from users only within a trusted range of IP addresses and who are members of a specific role. When assigned to the Post-authentication context, the access policy denies access from untrusted IP addresses.
To set a custom message in the language of your instance, add a key/value pair in sys_ui_message.list and update the sys_ui_message record. When you log in with an incorrect password, the custom message in the preferred language is displayed.
Adaptive authentication components
- Authentication policies
- Authentication policies evaluate authentication requests based on the specified policy conditions and either allow or deny access depending on the outcome of the policy condition evaluation. For example, access is allowed only if all the policy conditions specified in Allow Access Policy evaluate to true. Authentication policies use information provided by filter criteria to compare against the policy's conditions to determine whether to grant access to the instance. For example, a filter criterion provides a user's IP address, and a policy condition determines whether this address is within the specified range before granting access. Learn more about authentication policies in Authentication policies.
- Authentication policy contexts
- Authentication policy contexts define how and when policies are enforced during the login process. The pre-authentication context executes before the user is shown a login screen. The post-authentication context executes after the user enters their credentials. To use a policy, it must be assigned to a policy context. For details on these contexts, see Authentication policy contexts.
- Filter Criteria
- Filter criteria (also called policy inputs) are used as inputs for policy conditions. Policy conditions use these inputs to verify that an authentication request meets the policy's requirements. These inputs provide information like user role, IP range, and identity provider. For more detail on filter criteria, see Filter criteria.
- Authentication properties
- Use authentication properties to control whether adaptive authentication is active on your instance. You can also use properties to enable debugging and to define the messaging users see when access is blocked. For details on these properties, see Configure adaptive authentication properties.
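The Allow Access Policy example above (trusted IP range plus a required role, enforced in the post-authentication context) and the all-conditions-must-be-true evaluation described under Authentication policies, as an added stand-alone model written for this page. It is not ServiceNow's own implementation; the policy object shape, condition type names and helper functions are assumptions made for the illustration.

```javascript
// Added illustration of adaptive authentication policy evaluation.
// Not ServiceNow code: the policy shape and helper names are assumed.

// Convert a dotted IPv4 address to a 32-bit unsigned integer.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('invalid IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

// True when ip lies inside the CIDR block (e.g. "10.0.0.0/8").
function ipInCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(base) & mask);
}

// The policy's conditions (assumed shape); every one must evaluate to true.
// Ranges and role are constructed sample values, not real deployment data.
const allowAccessPolicy = {
  name: 'Allow Access Policy',
  context: 'post-authentication', // runs after credentials are submitted
  conditions: [
    { type: 'ip_in_range', ranges: ['10.0.0.0/8', '192.168.1.0/24'] },
    { type: 'has_role', role: 'itil' },
  ],
};

// Evaluate one condition against the filter-criteria inputs for a request.
function evaluateCondition(cond, input) {
  switch (cond.type) {
    case 'ip_in_range': return cond.ranges.some(r => ipInCidr(input.ip, r));
    case 'has_role':    return input.roles.includes(cond.role);
    default:            return false; // unknown condition type never grants access
  }
}

// Returns 'allow' only when the policy is assigned to the request's context
// and every condition holds; a 'deny' names the first failing condition.
function evaluatePolicy(policy, input) {
  if (policy.context !== input.context) return { decision: 'not_applicable' };
  for (const cond of policy.conditions) {
    if (!evaluateCondition(cond, input)) return { decision: 'deny', failed: cond.type };
  }
  return { decision: 'allow' };
}
```

A request from an untrusted address is denied on the IP condition before the role is ever checked, which is the behaviour the Post-authentication assignment above describes; the failing condition name is what you would want to record in the adaptive authentication events for later review.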
REST API access policies
You can use the filter criteria of the adaptive authentication framework to restrict access to inbound ServiceNow REST APIs. For more information, see REST API access policies.
Domain separation and adaptive authentication
Adaptive authentication is supported on domain-separated instances at the authentication policy condition level. A policy condition applies to the domain in the record's Domain [sys_domain] field. Policy conditions in the global domain apply to all domains.
Adaptive Authentication Events
You can use the adaptive authentication events table to review the events that have occurred specific to the adaptive authentication feature. For more information, see Adaptive Authentication Events.