Filter criteria

  • Release version: Xanadu
  • Updated August 1, 2024
  • 2 minutes to read
    • Summarize
    Summarized using AI
    This content was generated using new OpenAI-powered functionality. Results are provided on an as is basis and are not guaranteed to be accurate or complete.

    Summary of Filter Criteria

    Filter criteria, also known as policy inputs, are essential for defining authentication policies in ServiceNow. They help to verify and satisfy the requirements of an authentication request by providing specific information such as a user's IP address, roles, or groups. These criteria are added in the Policy conditions section of your policies and can utilize one or more of the available types for evaluating authentication requests.

    Show full answer Show less

    Key Features

    • IP Filter Criteria: Filters users based on their IP addresses (supports both IPv4 and IPv6).
    • Role Filter Criteria: Filters users according to their assigned roles.
    • Group Filter Criteria: Filters users based on their user group memberships.
    • Location Filter Criteria: Filters users by their location.
    • Identity Provider Attribute Filter: Utilizes attributes from SAML responses to filter authentication requests.
    • Generic Criteria: Includes four additional criteria not listed in the filter navigator, such as:
      • Authentication Scheme: Filters based on the user's authentication method (local login or Multi-SSO).
      • Identity Provider: Filters based on the user's identity provider, allowing for more precise control.
      • Role-based MFA: Indicates whether role-based multi-factor authentication is enabled for the user.
      • User-based MFA: Indicates whether user-based multi-factor authentication is enabled for the user.
      • Trusted Mobile App: Enables instance access from a mobile app.

    Key Outcomes

    Implementing these filter criteria allows ServiceNow customers to enhance their authentication processes by adding layers of security based on user attributes and behaviors. This ensures that only authorized users can access sensitive information, thereby improving overall system security and compliance with organizational policies.

    Filter criteria (also called policy inputs) are used as inputs for policy conditions to verify and meet the requirements of an authentication request.

    Use filter criteria to supply information authentication policies such as a user's IP address, roles, or groups. Add these criteria in the Policy conditions section of your policies.

    There are seven types of filter criteria used in adaptive authentication. Your authentication policies can use one or more of these criteria to evaluate authentication requests.

    Note:
    Location filter and Identity Provider filter are available with Zero Trust Access feature. For more information, see Zero Trust Access.
    Table 1. Filter criteria types
    Type Description
    IP filter criteria Use IP filter criteria to filter users based on the user's IP addresses. Both IPv4 and IPv6 are supported.
    Role filter criteria Use role filter criteria to filter users based on their roles.
    Group filter criteria Use group filter criteria to filter users based on the user group to which the user belongs.
    Location filter criteria Use location filter criteria to filter users based on the user location.
    Identity Provider Attribute filter criterias Use the Identity Provider attributes that are received from SAML response from the IdP as a filter criteria for authentication.

    Generic Criteria

    In addition to the previously listed types, there are four generic filter criteria. These criteria do not appear in your filter navigator, but you can select them while adding policy inputs to your authentication policies.

    Table 2. Generic filter criteria types
    Type Description
    Authentication Scheme Use to filter based on user's authentication scheme. This criteria is a choice type with two options:
    • User name and Password, which denotes a local login​
    • SSO, which denotes a Multi-SSO(SAML, OIDC, or Digest) based login.
    Note:
    This Filter Criteria is available only when the Integration - Multiple Provider Single Sign-On Installer[com.snc.integration.sso.multi.installer] plugin is installed.
    Identity Provider Use to filter based on the user's identity provider. Use along with the authentication scheme criteria to have granular control over login process. This criteria is a reference to the Identity Providers [sso_properties] table.
    Note:
    This Filter Criteria is available only when the Integration - Multiple Provider Single Sign-On Installer[com.snc.integration.sso.multi.installer] plugin is installed.
    Role-based MFA Use to filter based on the role-based MFA feature. This criteria is a boolean type filter criteria which denotes whether role-based MFA is enabled for the user.​
    User-based MFA Use to filter based on the user-based MFA feature. This criteria is a boolean type filter criteria which denotes whether user-based MFA is enabled for the user.​
    Trusted mobile app Trusted mobile app filter for enabling instance access from mobile app.