Account recovery (ACR)

  • Release version: Zurich
  • Updated July 31, 2025
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Account recovery (ACR)

    Account Recovery (ACR) in ServiceNow Zurich release enables administrators to bypass Single Sign-On (SSO) login issues, such as misconfigurations or expired certificates, by providing a secure alternative login method. When ACR is enabled, local interactive logins (username and password) are disabled if SSO is active, ensuring controlled administrator access during recovery scenarios.

    Show full answer Show less

    Key Features

    • Bypass SSO: Administrators can log in without SSO to resolve SSO-related problems using an account configured specifically for recovery.
    • Self-Service Recovery: ACR flows empower administrators to handle recovery tasks independently when issues like expired certificates or SSO misconfiguration arise.
    • Enhanced Security: ACR reduces unauthorized access risk by enforcing strong authentication controls and limiting local login options.
    • Integration: Account Recovery is included with the Multiple Provider Single Sign-On Installer plugin (com.snc.integration.sso.multi.installer) and is enabled by default for fresh instances.

    Setup Requirements

    Fresh Instances

    • Activate the Multi-SSO plugin.
    • ACR is enabled by default; confirm the property glide.sso.acr.enabled is true.
    • Before enabling SSO (glide.authenticate.multisso.enabled), enroll at least one administrator as an ACR user.
    • Administrators must set a local password and register Multi-Factor Authentication (MFA) before enrolling as ACR users.
    • Disabling ACR is required to allow local username/password login while SSO is enabled.

    Upgraded Instances

    • Activate the Multi-SSO plugin and explicitly enable ACR by setting glide.sso.acr.enabled to true.
    • Enroll administrators as ACR users with local passwords and MFA registration before enabling SSO.
    • Note that upgrading instances with existing SSO will maintain SSO functionality even if no ACR users are configured, but configuring ACR users is recommended.

    Configuring Account Recovery Users

    At least one administrator must be registered as an account recovery user before activating SSO. This ensures that recovery access is always possible. The registration process includes setting a local password and MFA. Without an account recovery user, SSO activation is blocked.

    Account Recovery Configuration and Policy

    The ACR feature is controlled via system properties, allowing customization of recovery settings. Once ACR is enabled and recovery users registered, local logins are restricted under the SSO - ACR Context authentication policy context, aligning with adaptive authentication principles to maintain security while enabling recovery access.

    Administrators can configure account recovery (ACR) to perform recovery activities such as addressing SSO misconfiguration or expired certificates.

    Note:
    Enabling ACR disables the local interactive log-ins (username or password based) when SSO is enabled to your instances.

    ACR provides the following capabilities:

    • Bypass your single sign-on (SSO) login to address issues with SSO configuration as an administrator.
    • Log in with using SSO to perform tasks with an administrator account configured as an account recovery.
    • ACR flows enable the administrators to use self-service capabilities to address account recovery when there’s a need for recovery, for example, SSO miss-configuration, expired certificates.
    • Reduce unauthorized access to the instance and provide a strong foundation to use ACR outside SSO use cases.

    Fresh Instance

    For a fresh instance to use ACR, you must do the following:

    • Activate Mutli-SSO plugin (com.snc.integration.sso.multi.installer)
    • Enable ACR (glide.sso.acr.enabled) - This is enabled by default in case of a fresh instance.
    • Before enabling SSO property (glide.authenticate.multisso.enabled), the administrator must enroll as an ACR user.
      Note:
      Setting this property to false will not disable multi-provider SSO if Account Recovery (ACR) is also enabled on the instance. To log in with a username and password ACR must also be disabled using the glide.sso.acr.enabled property. For details on this property see Account recovery properties.
    • Administrator must set a password for local login and register MFA before enrolling as an ACR user.

    Upgraded Instance

    For an upgraded instance to use ACR, you must do the following:

    • Activate Mutli-SSO plugin (com.snc.integration.sso.multi.installer)
    • Enable ACR (glide.sso.acr.enabled)
      Note:
      In case of upgraded instance, the administrator must enable ACR.
    • Before enabling SSO property (glide.authenticate.multisso.enabled), the administrator must enroll as an ACR user.
    • Administrator must set a password for local login and register MFA before enrolling as an ACR user.

    Configure account recovery users

    To use account recovery, you must register at least one admin account as an account recovery user. Single sign-on can’t be activated on your instance until there is at least one account configured. For details on this process, see Configure an account recovery user from the Account Recovery Properties page.
    Note:
    If you’re upgrading an instance already using single sign-on to Rome or a later release, single-sign on will continue to function without a recovery user configured.

    Account recovery configuration

    The account recovery feature is included with the Integration - Multiple Provider Single Sign-On Installer (com.snc.integration.sso.multi.installer) plugins. The feature is enabled by default. You can change this and other account recovery settings using system properties. For details on these properties, see Account recovery properties.

    Account recovery policy context

    After you’ve registered an account recovery user and enabled single sign-on (SSO), your instance restricts all local logins. This restriction is defined in the SSO - ACR Context auth policy context. For more information about the context, see Account recovery context.

    For details on how authentication policies and policy contexts, and how they work on your instance, see Adaptive authentication.