Filter criteria

  • Release version: Washingtondc
  • Updated February 1, 2024

    Filter criteria (also called policy inputs) are used as inputs for policy conditions to verify and meet the requirements of an authentication request.

    Use filter criteria to supply information to authentication policies, such as a user's IP address, roles, or groups. Add these criteria in the Policy conditions section of your policies.

    There are seven types of filter criteria used in adaptive authentication. Your authentication policies can use one or more of these criteria to evaluate authentication requests.

    Note:
    The Location filter and Identity Provider filter are available with the Zero Trust Access feature. For more information, see Zero Trust Access.
    Table 1. Filter criteria types

    | Type | Description |
    |------|-------------|
    | IP filter criteria | Use IP filter criteria to filter users based on the user's IP addresses. Both IPv4 and IPv6 are supported. |
    | Role filter criteria | Use role filter criteria to filter users based on their roles. |
    | Group filter criteria | Use group filter criteria to filter users based on the user group to which the user belongs. |
    | Location filter criteria | Use location filter criteria to filter users based on the user location. |
    | Identity Provider Attribute filter criteria | Use the Identity Provider attributes received in the SAML response from the IdP as filter criteria for authentication. |

    Generic Criteria

    In addition to the previously listed types, there are four generic filter criteria. These criteria do not appear in your filter navigator, but you can select them while adding policy inputs to your authentication policies.

    Table 2. Generic filter criteria types

    | Type | Description |
    |------|-------------|
    | Authentication Scheme | Use to filter based on the user's authentication scheme. This criterion is a choice type with two options: User name and Password, which denotes a local login; and SSO, which denotes a Multi-SSO (SAML, OIDC, or Digest) based login. Note: This filter criterion is available only when the Integration - Multiple Provider Single Sign-On Installer [com.snc.integration.sso.multi.installer] plugin is installed. |
    | Identity Provider | Use to filter based on the user's identity provider. Use along with the Authentication Scheme criterion for granular control over the login process. This criterion is a reference to the Identity Providers [sso_properties] table. Note: This filter criterion is available only when the Integration - Multiple Provider Single Sign-On Installer [com.snc.integration.sso.multi.installer] plugin is installed. |
    | Role-based MFA | Use to filter based on the role-based MFA feature. This criterion is a boolean type that denotes whether role-based MFA is enabled for the user. |
    | User-based MFA | Use to filter based on the user-based MFA feature. This criterion is a boolean type that denotes whether user-based MFA is enabled for the user. |
    | Trusted mobile app | Use to enable instance access from the mobile app. |
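
    The following added example is a conceptual Python model, not ServiceNow code or the platform's evaluation engine, of how IP, role, and Authentication Scheme criteria can feed one policy condition. The `AuthRequest` class, the helper names, the `admin` role, the address ranges, and the allow/deny outcome are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AuthRequest:
    """Constructed request model; fields mirror criteria types from the tables."""
    ip: str
    roles: set = field(default_factory=set)
    groups: set = field(default_factory=set)
    auth_scheme: str = "User name and Password"  # or "SSO"

def ip_criteria(ranges):
    """IP filter criteria: true when the source address is in any listed range."""
    nets = [ipaddress.ip_network(r) for r in ranges]
    def check(req):
        try:
            addr = ipaddress.ip_address(req.ip)
        except ValueError:
            return False  # unparsable address never matches a trusted range
        # Fold IPv4-mapped IPv6 (::ffff:a.b.c.d) back to IPv4 so the same
        # client matches the same range on a dual-stack listener.
        addr = getattr(addr, "ipv4_mapped", None) or addr
        return any(addr.version == n.version and addr in n for n in nets)
    return check

def role_criteria(role):
    return lambda req: role in req.roles

def group_criteria(group):
    return lambda req: group in req.groups

def scheme_criteria(scheme):
    return lambda req: req.auth_scheme == scheme

def all_of(*criteria):
    return lambda req: all(c(req) for c in criteria)

def negate(criterion):
    return lambda req: not criterion(req)

# Constructed ranges (RFC 5737 / RFC 3849 documentation prefixes).
TRUSTED_NETWORK = ip_criteria(["203.0.113.0/24", "2001:db8:10::/48"])

# Policy condition: an admin using a local login from outside the trusted ranges.
RISKY_ADMIN_LOGIN = all_of(role_criteria("admin"),
                           scheme_criteria("User name and Password"),
                           negate(TRUSTED_NETWORK))

def evaluate(req):
    """Return 'deny' when the condition matches, otherwise 'allow'."""
    return "deny" if RISKY_ADMIN_LOGIN(req) else "allow"
```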