Adaptive authentication
Summary of Adaptive authentication
Adaptive authentication in the ServiceNow Zurich release enables contextual authentication controls to secure access to your instance. It evaluates authentication requests against defined policies and conditions to allow or deny access based on factors such as IP address, user role, and user group. This framework helps enforce security dynamically by applying the right authentication controls to the right users at the right time.
Key Features
- Authentication Policies: Define rules that evaluate authentication requests. For example, allowing access only if the user’s IP address is within a trusted range and the user belongs to a specific role.
- Authentication Policy Contexts: Determine when policies are enforced during login — either before login (pre-authentication) or after credentials are entered (post-authentication).
- Filter Criteria: Provide inputs such as user IP, role, or identity provider used by policy conditions to decide on access.
- Authentication Properties: Configure adaptive authentication settings including enabling/disabling the feature, debugging, and customizing user messages when access is blocked.
- REST API Access Policies: Restrict inbound REST API access based on adaptive authentication filter criteria, enhancing API security.
- Domain Separation Support: Adaptive authentication respects domain separation, with policy conditions applied at the domain record level or globally.
- Customizable Messaging: Allows setting custom access denial messages in the instance’s language via sys_ui_message records.
- Adaptive Authentication Events: Provides event visibility specific to adaptive authentication actions for monitoring and troubleshooting.
Practical Benefits for ServiceNow Customers
By implementing adaptive authentication, you can enforce precise access controls tailored to your organizational security policies. This reduces unauthorized access risks by considering contextual details like IP address and user role. Custom policies allow flexible, granular control over user and API access. Supporting domain separation ensures security policies are consistent across different business units or domains within your instance. Additionally, customizable user messages improve communication when access is blocked, enhancing user experience.
Overall, adaptive authentication helps maintain a strong security posture by dynamically applying authentication rules that reflect your security requirements and operational context.
Use the Adaptive authentication policy framework to enforce contextual authentication controls for the right users at the right time. Adaptive authentication uses authentication policies to evaluate authentication requests and then either deny or allow access to your instance based on the specified policy conditions.
Use adaptive authentication policies and contexts to restrict access to your instance for users and APIs based on criteria like IP address, user role, and user group. You can configure the built-in authentication policies according to your security requirements.
For example, an administrator can configure the Allow Access Policy to allow logins from users only within a trusted range of IP addresses and who are members of a specific role. When assigned to the Post-authentication context, the access policy denies access from untrusted IP addresses.
To set a custom message in the language of your instance, add a key-value pair in sys_ui_message.list and update the sys_ui_message record. When you log in with an incorrect password, the custom message in the preferred language is displayed.
Adaptive authentication components
- Authentication policies
- Authentication policies evaluate authentication requests based on the specified policy conditions and either allow or deny access depending on the output of policy conditions evaluation. For example, access is allowed only if all the policy conditions specified in Allow Access Policy evaluate to true.
  Authentication policies use information provided by filter criteria to compare against the policy's conditions to determine whether to grant access to the instance. For example, a filter criterion provides a user's IP address, and a policy condition determines whether this address is within the specific range before granting access. Learn more about authentication policies in Authentication policies.
- Authentication policy contexts
- Authentication policy contexts define how and when policies are enforced during the login process. The pre-authentication context executes before the user is shown a login screen. The post-authentication context executes after the user enters their credentials. To use a policy, it must be assigned to a policy context. For details on these contexts, see Authentication policy contexts.
- Filter Criteria
- Filter criteria (also called policy inputs) are used as inputs for policy conditions. Policy conditions use these inputs to verify and meet the requirements of authentication requests. These inputs provide information like user role, IP range, and identity provider. For more detail on filter criteria, see Filter criteria.
- Authentication properties
- Use authentication properties to control whether adaptive authentication is active on your instance. You can also use properties to enable debugging and to define the messaging users see when access is blocked. For details on these properties, see Configure adaptive authentication properties.
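The following added example, which is not ServiceNow code or part of the original documentation, models how an allow-style policy combines filter criteria: every condition must evaluate to true, as in the trusted-IP-plus-role scenario described earlier. All function names, field names, the role name and the address ranges are hypothetical, and the sketch handles IPv4 only.

```javascript
// Conceptual model of the evaluation described above; not ServiceNow code.
// All function names, field names and sample values are hypothetical.

// Dotted-quad IPv4 -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True if ip is inside the CIDR block; malformed input never matches.
function inCidr(ip, cidr) {
  const [base, bitsStr = ''] = String(cidr).split('/');
  const ipN = ipv4ToInt(ip), baseN = ipv4ToInt(base);
  const bits = /^\d{1,2}$/.test(bitsStr) ? Number(bitsStr) : -1;
  if (ipN === null || baseN === null || bits < 0 || bits > 32) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(ipN / size) === Math.floor(baseN / size);
}

// Filter criteria: inputs that policy conditions test against the request.
const criteria = {
  trustedIp: (req, ranges) => ranges.some((r) => inCidr(req.ip, r)),
  hasRole: (req, role) => Array.isArray(req.roles) && req.roles.includes(role),
};

// Allow-style policy: access only if every condition evaluates to true.
// Unknown criteria count as failed, so a typo cannot open access.
function evaluateAllowPolicy(policy, req) {
  const known = (name) => Object.prototype.hasOwnProperty.call(criteria, name);
  const failed = policy.conditions
    .filter((c) => !known(c.criterion) || !criteria[c.criterion](req, c.value))
    .map((c) => c.criterion);
  return { allow: failed.length === 0, failed };
}

// Constructed sample policy (documentation address ranges, made-up role).
const allowAccessPolicy = {
  context: 'post-authentication',
  conditions: [
    { criterion: 'trustedIp', value: ['203.0.113.0/24', '198.51.100.16/28'] },
    { criterion: 'hasRole', value: 'example_role' },
  ],
};
```

The `failed` list names which condition blocked the request, which is the detail worth recording when reviewing denied logins.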
REST API access policies
You can use the filter criteria of the adaptive authentication framework to restrict access to inbound ServiceNow REST APIs. For more information, see REST API access policies.
Domain separation and adaptive authentication
Adaptive authentication is supported on domain-separated instances at the authentication policy condition level. Policy conditions affect the domain in the record's Domain [sys_domain] field. Policy conditions in the global domain affect all domains.
Adaptive Authentication Events
You can use the adaptive authentication events table to review the events that have occurred specific to the adaptive authentication feature. For more information, see Adaptive Authentication Events.