Account recovery (ACR)
Administrators can configure account recovery (ACR) to perform recovery activities such as addressing SSO misconfiguration or expired certificates.
ACR provides the following capabilities:
- Bypass your single sign-on (SSO) login as an administrator to address issues with the SSO configuration.
- Log in without using SSO to perform tasks with an administrator account that is configured as an account recovery user.
- ACR flows give administrators self-service capabilities to recover access when recovery is needed, for example after an SSO misconfiguration or an expired certificate.
- Reduce unauthorized access to the instance and provide a strong foundation for using ACR outside SSO use cases.
Fresh Instance
For a fresh instance to use ACR, you must do the following:
- Activate the Multi-SSO plugin (com.snc.integration.sso.multi.installer).
- Enable ACR (glide.sso.acr.enabled). This is enabled by default on a fresh instance.
- Before enabling the SSO property (glide.authenticate.multisso.enabled), the administrator must enroll as an ACR user.
  Note: Setting this property to false does not disable multi-provider SSO if Account Recovery (ACR) is also enabled on the instance. To log in with a username and password, ACR must also be disabled using the glide.sso.acr.enabled property. For details on this property, see Account recovery properties.
- The administrator must set a password for local login and register MFA before enrolling as an ACR user.
Upgraded Instance
For an upgraded instance to use ACR, you must do the following:
- Activate the Multi-SSO plugin (com.snc.integration.sso.multi.installer).
- Enable ACR (glide.sso.acr.enabled).
  Note: On an upgraded instance, ACR is not enabled automatically; the administrator must enable it.
- Before enabling the SSO property (glide.authenticate.multisso.enabled), the administrator must enroll as an ACR user.
- The administrator must set a password for local login and register MFA before enrolling as an ACR user.
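The fresh-instance and upgraded-instance procedures above share one invariant: glide.authenticate.multisso.enabled must not be switched on until the Multi-SSO plugin is active, glide.sso.acr.enabled is true and at least one administrator is enrolled as an ACR user with a local password and MFA, otherwise an SSO fault can lock every administrator out. The following is an added example, not ServiceNow's own code, that encodes that ordering as a pre-flight check and also models the note about username/password login requiring both properties to be off. The InstanceState and AcrUser record shapes and the helper names are assumptions for illustration; the plugin and property names are the ones from the procedures.

```python
"""Pre-flight model for the ACR-before-SSO ordering (added example, not
ServiceNow code). InstanceState/AcrUser are assumed shapes for illustration."""
from dataclasses import dataclass, field

MULTISSO_PLUGIN = "com.snc.integration.sso.multi.installer"
PROP_ACR = "glide.sso.acr.enabled"
PROP_MULTISSO = "glide.authenticate.multisso.enabled"


@dataclass
class AcrUser:
    user_name: str
    is_admin: bool = False
    has_local_password: bool = False
    mfa_registered: bool = False

    def enrolled(self) -> bool:
        # Only an admin with a local password and MFA can use the recovery
        # path; anything less leaves the instance lockable.
        return self.is_admin and self.has_local_password and self.mfa_registered


@dataclass
class InstanceState:
    plugin_active: bool = False
    properties: dict = field(default_factory=dict)
    users: list = field(default_factory=list)


def fresh_instance() -> InstanceState:
    # Fresh instances ship with ACR enabled by default.
    return InstanceState(properties={PROP_ACR: "true", PROP_MULTISSO: "false"})


def upgraded_instance() -> InstanceState:
    # On an upgraded instance the administrator must enable ACR explicitly.
    return InstanceState(properties={PROP_ACR: "false", PROP_MULTISSO: "false"})


def sso_preflight(state: InstanceState) -> list:
    """Return the blockers to clear before enabling SSO (empty list = safe)."""
    problems = []
    if not state.plugin_active:
        problems.append(f"activate plugin {MULTISSO_PLUGIN}")
    if state.properties.get(PROP_ACR) != "true":
        problems.append(f"set {PROP_ACR} to true")
    if not any(u.enrolled() for u in state.users):
        problems.append("enroll at least one administrator as an ACR user "
                        "(local password set and MFA registered)")
    return problems


def enable_sso(state: InstanceState) -> InstanceState:
    """Flip glide.authenticate.multisso.enabled only when the preflight is clean."""
    blockers = sso_preflight(state)
    if blockers:
        raise RuntimeError("refusing to enable SSO: " + "; ".join(blockers))
    state.properties[PROP_MULTISSO] = "true"
    return state


def password_login_available(state: InstanceState) -> bool:
    """Per the note above: setting the multisso property to false does not
    turn SSO off while ACR is enabled, so username/password login needs both off."""
    return (state.properties.get(PROP_MULTISSO) != "true"
            and state.properties.get(PROP_ACR) != "true")


def restore_password_login(state: InstanceState) -> InstanceState:
    """Disable both properties, which is what the note requires."""
    state.properties[PROP_MULTISSO] = "false"
    state.properties[PROP_ACR] = "false"
    return state


if __name__ == "__main__":
    inst = upgraded_instance()
    inst.plugin_active = True
    inst.users.append(AcrUser("admin", is_admin=True, has_local_password=True))
    print(sso_preflight(inst))   # ACR property still off, MFA not registered
    inst.properties[PROP_ACR] = "true"
    inst.users[0].mfa_registered = True
    enable_sso(inst)
    print(password_login_available(inst))   # False: SSO is active
```

The check is deliberately strict for upgraded instances as well: it treats a missing ACR user as a blocker rather than a recommendation, because the procedure says enrollment must happen before the SSO property is enabled.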
Configure account recovery users
Account recovery configuration
The account recovery feature is included with the Integration - Multiple Provider Single Sign-On Installer (com.snc.integration.sso.multi.installer) plugin. The feature is enabled by default. You can change this and other account recovery settings using system properties. For details on these properties, see Account recovery properties.
Account recovery policy context
After you have registered an account recovery user and enabled single sign-on (SSO), your instance restricts all local logins. This restriction is defined in the SSO - ACR Context authentication policy context. For more information about the context, see Account recovery context.
For details on authentication policies and policy contexts, and how they work on your instance, see Adaptive authentication.