In the Workspace ONE Access service, you can create an access policy with rules that let users progress to the next rule if the authentication fails on the present rule. Normally, execution of the access policy terminates when the conditions in the first matching rule are executed.
This policy rule progression option allows rule evaluation to progress to the next matching rule in the policy if the authentication fails on the present rule. When you enable the progress to the next rule option, you can configure each of the progressive rules with network ranges, device type, and group membership conditions for different sets of users.
For example, if you want to allow regular employees to use Certificate (cloud deployment) as their authentication method, and contract employees to use Password as their authentication method, you can enable the rule progression option If authentication fails, progress to the next rule in your default access policy. You create a group-based rule that uses Certificate (cloud deployment) as the authentication method for regular employees and another group-based rule with Password as the authentication method for contract employees.
An example of the access policy configuration follows. The first rule has these settings.
- Network range is ALL NETWORKS
- Users can access the content from Any
- Users belong to the group All Users
- Authenticate using Certificate (cloud deployment)
- If authentication fails, progress to the next rule toggle is enabled
When any user attempts to log in, the first rule is presented to them. Users who use Certificate (cloud deployment) are authenticated. Users who do not use Certificate (cloud deployment) are presented with the second rule, which has these settings.
- Network range is ALL NETWORKS
- Users can access the content from Any
- Users belong to the group Contract Workers
- Authenticate using Password (cloud deployment)
- If authentication fails, progress to the next rule toggle is deactivated
When contract users are presented with the second rule, they are asked to enter their password. When they do, they are authenticated. Because If authentication fails, progress to the next rule is deactivated on this rule, a user who is denied access is not presented with any other rule.
For each policy rule you create, you can create a custom access denied error message that displays when users attempt to sign in and fail because their credentials are invalid. If you configure a custom error message on a rule where If authentication fails, progress to the next rule is enabled, the custom error message and links configured in the first rule are used for subsequent rules unless you configure a new custom error message for those rules.
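As an added illustration of the evaluation order described above (this is not Workspace ONE Access code; the rule and sign-in fields, the sample users and the assumption that a sign-in is denied when the progression toggle is on but no further rule matches are all constructed for the example), the following Python model walks the two-rule policy and reports which rule decides each sign-in and which denied message applies:

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed model of the rule-progression behaviour described on this page.
# Not Workspace ONE Access code: field names, sample users and the
# deny-when-no-further-rule-matches fallback are assumptions.
DEFAULT_DENIED = "Access denied."  # stand-in for the product's default message

@dataclass(frozen=True)
class Rule:
    name: str
    group: str                  # "Users belong to the group ..."; "All Users" matches everyone
    auth_method: str            # e.g. "Certificate (cloud deployment)"
    progress_on_failure: bool   # the "If authentication fails, progress to the next rule" toggle
    denied_message: str | None = None  # optional custom access denied message
    network_range: str = "ALL NETWORKS"
    device_type: str = "Any"

@dataclass(frozen=True)
class Attempt:
    groups: frozenset           # groups the signing-in user belongs to
    can_complete: frozenset     # authentication methods this user is able to complete
    network_range: str = "corporate"
    device_type: str = "Web Browser"

def rule_matches(rule: Rule, a: Attempt) -> bool:
    return ((rule.network_range == "ALL NETWORKS" or rule.network_range == a.network_range)
            and (rule.device_type == "Any" or rule.device_type == a.device_type)
            and (rule.group == "All Users" or rule.group in a.groups))

def evaluate(policy: list[Rule], a: Attempt) -> tuple[str, str | None, str | None]:
    """Walk the policy in order; returns (outcome, rule that decided, denied message)."""
    message = None  # a custom message carries over to later rules until one overrides it
    for rule in policy:
        if not rule_matches(rule, a):
            continue                      # conditions not met: this rule is skipped
        message = rule.denied_message or message
        if rule.auth_method in a.can_complete:
            return ("allow", rule.name, None)
        if not rule.progress_on_failure:  # toggle off: evaluation stops at this rule
            return ("deny", rule.name, message or DEFAULT_DENIED)
        # toggle on: fall through to the next matching rule
    return ("deny", None, message or DEFAULT_DENIED)  # assumption: no rule left to try

POLICY = [
    Rule("Rule 1", "All Users", "Certificate (cloud deployment)", True,
         denied_message="Certificate sign-in failed; contact the help desk."),
    Rule("Rule 2", "Contract Workers", "Password (cloud deployment)", False),
]
```

A regular employee who cannot present a certificate falls through Rule 1 but never matches Rule 2, so the sign-in is denied with Rule 1's custom message; a contract worker who fails the password on Rule 2 is also denied with that inherited message, because Rule 2 defines none of its own.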