Pre authentication context

  • Release version: Yokohama
  • Updated January 30, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Pre Authentication Context

    The Pre Authentication Context in ServiceNow defines how and when a policy is enforced during the login process, specifically before users see the login screen. This context allows you to control access to your instance by permitting or denying users before they enter any credentials, based on selected policy criteria.

    Show full answer Show less

    Key Features

    • Pre Login Policy Enforcement: Policies in this context run immediately when a user accesses the instance, prior to any login prompt.
    • Access Control Options: You can configure the context to either allow or deny access by default, modifying behavior by applying specific policies.
    • Policy Criteria Restrictions: Only IP Filter, Trusted Mobile App Filter, and Location Filter criteria are permitted in this context, as policies cannot evaluate user-specific information like roles or groups before login.
    • Configurable Policy Inputs: The context form lets you select the default behavior and associate an Allow or Deny policy accordingly. Policy inputs and conditions are viewable but must be edited directly within the policy records.
    • Validation and Error Handling: The system enforces strict criteria for pre authentication policies. Non-absolute conditions or unsupported filters will trigger configuration errors. It is critical to validate all inputs to avoid locking out administrators, especially regarding IP ranges matching the admin’s session.

    Practical Considerations for ServiceNow Customers

    • Use pre authentication policies to enhance security by controlling access based on network location, device trust status, or IP address before users enter credentials.
    • Carefully configure the Default Policy to either deny or allow access by default, depending on your security posture.
    • Remember that user-specific attributes cannot influence pre authentication policies, so plan policies around available filters.
    • Regularly validate your IP and location filters to prevent inadvertent lockouts of administrators or legitimate users.
    • To modify policy details, navigate directly to the associated policy record rather than attempting edits from the context form.

    The pre authentication policy context defines how and when a policy is enforced during the login process. The policy used in this context executes before your users see a login screen.

    Pre authentication context record

    Policies in the pre authentication context execute when a user first accesses the instance, before they see a login screen.

    You can use the pre authentication context to allow or deny access before your users are prompted for login credentials based on your selected policy. Because these policies evaluate before a user enters any information, those policies can’t take criteria such as a user's roles or groups into account.

    Use the fields in the Pre Authentication policy context record to define how your instance uses your policy.

    Table 1. Pre Authentication context form
    Field Description
    Name Name of the policy context. This field is static and can’t be changed.
    Description Description of the context
    Default Policy Defines the default behavior of this context when evaluating the policy. Select from the following options.
    Allow Policy
    Denies access to all users by default, and only allows access when the conditions the policy selected in the Allow Policy field evaluate to true.
    Deny Policy
    Allows access to all users by default, and only denies access when the conditions the policy selected in the Deny Policy field evaluate to true.
    Allow Policy The policy used for this context uses. This field appears only when the Default Policy field is set to Allow Policy.
    Deny Policy The policy used for this context uses. This field appears only when the Default Policy field is set to Deny Policy.
    Note:

    You can only use the IP Filter, Trusted Mobile App Filter, and Location Filter criteria in the Pre Authentication Policy Context.

    Policy inputs and conditions

    The Policy Input and Policy Conditions tabs display the inputs and conditions of the policy selected in the Allow Policy or Deny Policy field. These tabs serve as a reference, but can’t be used to change the policy inputs or conditions. To modify your policy, navigate to the policy using the reference icon (Reference icon) next to the Allow Policy or Deny Policy field.

    This example shows a pre authentication policy context record configured to deny access by default. The context uses a policy called Deny access policy. That policy has a set of inputs and conditions that are displayed in the Policy Input and Policy Condition tabs.
    Note:
    • Only IP-Based filters, Location based filters, or Trusted Mobile App filter can be used in the pre authentication policy context.
    • Whenever there's a pre authentication set with non absolute conditions or filter criteria, you're displayed with an error message stating that the policy or context can’t be configured. It's recommended to validate all the inputs for the pre authentication context before executing it to the instance.

      For example: If the administrator is outside the trusted network and configures pre authentication context with IP ranges, if the IP ranges are mismatched with the current session of the admin, the admin is blocked.

    Figure 1. Pre authentication policy context form
    Pre-authentication policy context record