
NJP

How to block local logins and allow only SSO user logins in ServiceNow? -- Part1

Article in ServiceNow Community · Jul 17, 2025

Hello Everyone!

Here I have demonstrated how you can configure an Adaptive Authentication policy to allow SSO user logins and block local logins via two different approaches. Both approaches are available in ServiceNow out of the box, without customising a single line of script.

Recommended Playback speed - 1.25x

Text I have used during the demonstration -

Demo - How to create a policy that blocks local logins and allows only SSO user logins.

Requirement -

- Local logins should be blocked.

- SSO users (users logging in via a SAML or OIDC identity provider) should be allowed to log in.

Additional Requirement -

- There should be exceptions to allow a handful of users to log in locally.

- This exception can be based on specific users, groups or user roles.

- These users should have full admin access (optional).

Approach 1:

- Use the existing Account Recovery feature. There is already a feature which caters to this exact requirement.

- If we want to meet the additional requirements as well, then we may have to make additional changes in the existing policy or create a new policy for the Account Recovery context.

- https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/single-sign-on/concept/sso-acct-recovery.html

- https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/single-sign-on/concept/account-recovery-context.html

Approach 2:

- Use the Post Auth Policy context of the Adaptive Authentication framework and modify the policy to handle both the main requirement and the additional requirements.

- https://www.servicenow.com/docs/bundle/yokohama-platform-security/page/integrate/authentication/concept/post-auth-context.html

-----------------------------------------------------------------------------------------------------------------------------------------

Filters to be used -

1: Role filter criteria - hasAdminRole (role = admin)

2: Authentication Type filter (Authentication type = username and password / SSO login)

-----------------------------------------------------------------------------------------------------------------------------------------

I will be adding further details about the points below -

1: Why is the Account Recovery approach recommended?

2: What should you do additionally to secure local logins if you are allowing some privileged users (with sensitive roles like admin, user_admin, etc.) to log in locally?

Original source: https://www.servicenow.com/community/platform-privacy-security/how-to-block-local-logins-and-allow-only-sso-user-logins-in/ta-p/3325161