In the Workspace ONE Access service, you can create an access policy with rules that let users progress to the next rule if the authentication fails on the present rule. Normally, execution of the access policy terminates when the conditions in the first matching rule are executed.

This policy rule progression option allows rule evaluation to progress to the next matching rule in the policy if the authentication fails on the present rule. When you enable the progress to the next rule option, you can configure each of the progressive rules with network ranges, device type, and group membership conditions for different sets of users.

For example, if you want to allow regular employees to use Certificate (cloud deployment) as their authentication method, and contract employees to use Password as their authentication method, you can enable the rule progression option If authentication fails, progress to the next rule in your default access policy. You create a group-based rule that uses Certificate (cloud deployment) as the authentication method for regular employees and another group-based rule with Password as the authentication method for contract employees.

Example of the access policy configuration follows.

Rule 1 configuration:
  • Network range is ALL NETWORKS
  • Users can access the content from Any
  • Users belong to the group All Users
  • Authenticate using Certificate (cloud deployment)
  • If authentication fails, progress to the next rule toggle is enabled

When any user attempts to log in, the first rule is presented to them. Users who authenticate with Certificate (cloud deployment) are granted access. Users who do not use Certificate (cloud deployment) are presented with the second rule.

Rule 2 configuration:
  • Network range is ALL NETWORKS
  • Users can access the content from Any
  • Users belong to the group Contract Workers
  • Authenticate using Password (cloud deployment)
  • If authentication fails, progress to the next rule toggle is deactivated

When contract users are presented with the second rule, they are asked to enter their password. When they do, they are authenticated. Because If authentication fails, progress to the next rule is deactivated on this rule, a user who is denied access is not presented with any other rule.

For each policy rule you create, you can create a custom access denied error message that displays when users attempt to sign in and fail because their credentials are invalid. If you configure a custom error message when If authentication fails, progress to the next rule is enabled, the custom error message and links configured in the first rule are executed for subsequent rules unless you configure a new custom error message for subsequent rules.
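The following model, written for this page rather than taken from Workspace ONE Access or its API, walks the two-rule policy above through several constructed login attempts. It shows the three behaviours the text describes: a failed rule with the toggle enabled hands evaluation to the next matching rule, the re-authentication interval comes from the last rule executed, and a custom access-denied message configured on an earlier rule is inherited by later rules unless they set their own. The rule names, the re-authentication hours, the message text and the user attempts are all assumptions made for the example.

```python
"""Model of Workspace ONE Access policy rule progression (added example,
not product code). Rules are evaluated in order; only matching rules are
considered; a failure on a rule with the progress toggle enabled moves on
to the next matching rule, otherwise evaluation stops and access is denied."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass
class Rule:
    name: str
    network_range: str            # "ALL NETWORKS" or a named range
    device_type: str              # "Any" or a specific device type
    group: str                    # "All Users" or a specific group
    auth_method: str
    progress_on_failure: bool     # "If authentication fails, progress to the next rule"
    reauth_hours: int             # "Re-authenticate after" (constructed values)
    denied_message: Optional[str] = None  # custom message; None inherits the earlier one


@dataclass
class LoginAttempt:
    network_range: str
    device_type: str
    groups: Set[str]
    # Methods this user can complete successfully. Constructed for the model;
    # in the product this is the result of the authentication adapter.
    can_authenticate_with: Set[str]


@dataclass
class Outcome:
    allowed: bool
    rule: Optional[str]           # rule that granted access or ended evaluation
    reauth_hours: Optional[int]   # set only when access is granted
    message: Optional[str]        # access-denied message shown to the user
    rules_tried: List[str]


def rule_matches(rule: Rule, attempt: LoginAttempt) -> bool:
    """A rule applies when its network range, device type and group conditions all hold."""
    if rule.network_range != "ALL NETWORKS" and rule.network_range != attempt.network_range:
        return False
    if rule.device_type != "Any" and rule.device_type != attempt.device_type:
        return False
    if rule.group != "All Users" and rule.group not in attempt.groups:
        return False
    return True


DEFAULT_DENIED = "Access denied."  # placeholder for the product's default text


def evaluate(policy: List[Rule], attempt: LoginAttempt) -> Outcome:
    tried: List[str] = []
    message = DEFAULT_DENIED
    last: Optional[Rule] = None
    for rule in policy:
        if not rule_matches(rule, attempt):
            continue               # progression only considers matching rules
        tried.append(rule.name)
        last = rule
        if rule.denied_message:    # a later custom message replaces the inherited one
            message = rule.denied_message
        if rule.auth_method in attempt.can_authenticate_with:
            # Re-authentication interval is taken from the last rule executed.
            return Outcome(True, rule.name, rule.reauth_hours, None, tried)
        if not rule.progress_on_failure:
            break                  # toggle deactivated: stop here and deny
    return Outcome(False, last.name if last else None, None, message, tried)


# The two-rule policy from this page; hours and message text are constructed.
EXAMPLE_POLICY = [
    Rule("Rule 1", "ALL NETWORKS", "Any", "All Users",
         "Certificate (cloud deployment)", progress_on_failure=True, reauth_hours=8,
         denied_message="No valid certificate. Contract workers may sign in with a password."),
    Rule("Rule 2", "ALL NETWORKS", "Any", "Contract Workers",
         "Password (cloud deployment)", progress_on_failure=False, reauth_hours=1),
]

# Constructed login attempts.
REGULAR_WITH_CERT = LoginAttempt("Corp LAN", "Windows 10", {"Employees"},
                                 {"Certificate (cloud deployment)"})
CONTRACTOR_WITH_PASSWORD = LoginAttempt("Corp LAN", "Windows 10", {"Contract Workers"},
                                        {"Password (cloud deployment)"})
REGULAR_NO_CERT = LoginAttempt("Corp LAN", "macOS", {"Employees"}, set())
CONTRACTOR_BAD_PASSWORD = LoginAttempt("Corp LAN", "iOS", {"Contract Workers"}, set())

if __name__ == "__main__":
    for label, attempt in [("regular employee, certificate", REGULAR_WITH_CERT),
                           ("contract worker, password", CONTRACTOR_WITH_PASSWORD),
                           ("regular employee, no certificate", REGULAR_NO_CERT),
                           ("contract worker, wrong password", CONTRACTOR_BAD_PASSWORD)]:
        print(f"{label}: {evaluate(EXAMPLE_POLICY, attempt)}")
```

Note the third attempt: a regular employee without a certificate fails Rule 1, progression is enabled, but Rule 2 does not match because the user is not in Contract Workers, so the user is denied with the message inherited from Rule 1. The fourth attempt reaches Rule 2, fails there, and stops because the toggle is deactivated on the last rule.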

Procedure

  1. In the Workspace ONE Access console Resources > Policies page, add a policy or edit an existing policy.
  2. In Applies to, select the applications that this policy applies to.
    If you do not select any applications, this policy applies when users log into the Workspace ONE Intelligent Hub portal.
  3. Click Next to open the Configuration page.
  4. Select the rule name to edit, or to add a policy rule, click Add Policy Rule.
    Configure the following options:
      • If a user's network range is: Verify that the network range is correct. If adding a rule, select the network range.
      • and the user accessing content from: Select the device type that this rule manages.
      • and user belongs to groups: Select the group that this rule applies to.
      • Then perform this action: Select Authenticate using....
      • then the user may authenticate using: Configure the first authentication method to use. For example, Certificate (cloud deployment).
      • If the preceding method fails or is not applicable, then: (Optional) Configure fallback authentication methods.
      • If authentication fails, then progress to the next rule: To set up this rule to progress to the next rule in the policy if authentication fails, enable this option.
      • Re-authenticate after: Select the length of the session after which users must authenticate again.

    When If authentication fails, then progress to the next rule is enabled, re-authentication is determined from the last rule that is executed.

  5. (Optional) In Advanced Properties, if you enabled If authentication fails, then progress to the next rule, you can create a custom access error message that displays when user authentication fails and explains that the user is progressed to the next rule. The custom error message and links configured in the first rule apply to subsequent rules unless you configure a new custom error message for those rules.
  6. Click Next and click Save.
  7. Click ADD POLICY RULE and continue adding rules, each configured to progress to the next rule when authentication fails.
  8. After you configure the last rule in the policy, deactivate If authentication fails, then progress to the next rule.