Filter criteria

  • Release version: Yokohama
  • Updated January 30, 2025

    Filter criteria (also called policy inputs) are used as inputs for policy conditions to verify and meet the requirements of an authentication request.

    Use filter criteria to supply information to authentication policies, such as a user's IP address, roles, or groups. Add these criteria in the Policy conditions section of your policies.

    There are seven types of filter criteria used in adaptive authentication. Your authentication policies can use one or more of these criteria to evaluate authentication requests.

    Note:
    The Location filter and Identity Provider filter are available with the Zero Trust Access feature. For more information, see Zero Trust Access.
    Table 1. Filter criteria types

    | Type | Description |
    |------|-------------|
    | IP filter criteria | Use IP filter criteria to filter users based on the user's IP addresses. Both IPv4 and IPv6 are supported. |
    | Role filter criteria | Use role filter criteria to filter users based on their roles. |
    | Group filter criteria | Use group filter criteria to filter users based on the user group to which the user belongs. |
    | Location filter criteria | Use location filter criteria to filter users based on the user location. |
    | Identity Provider Attribute filter criteria | Use the Identity Provider attributes received in the SAML response from the IdP as filter criteria for authentication. |

    Generic Criteria

    In addition to the previously listed types, there are four generic filter criteria. These criteria do not appear in your filter navigator, but you can select them while adding policy inputs to your authentication policies.

    Table 2. Generic filter criteria types

    | Type | Description |
    |------|-------------|
    | Authentication Scheme | Use to filter based on the user's authentication scheme. This criterion is a choice type with two options: (1) User name and Password, which denotes a local login; (2) SSO, which denotes a Multi-SSO (SAML, OIDC, or Digest) based login. Note: This filter criterion is available only when the Integration - Multiple Provider Single Sign-On Installer [com.snc.integration.sso.multi.installer] plugin is installed. |
    | Identity Provider | Use to filter based on the user's identity provider. Use along with the Authentication Scheme criterion to have granular control over the login process. This criterion is a reference to the Identity Providers [sso_properties] table. Note: This filter criterion is available only when the Integration - Multiple Provider Single Sign-On Installer [com.snc.integration.sso.multi.installer] plugin is installed. |
    | Role-based MFA | Use to filter based on the role-based MFA feature. This criterion is a boolean type filter criterion that denotes whether role-based MFA is enabled for the user. |
    | User-based MFA | Use to filter based on the user-based MFA feature. This criterion is a boolean type filter criterion that denotes whether user-based MFA is enabled for the user. |
    | Trusted mobile app | Trusted mobile app filter for enabling instance access from the mobile app. |