The Directories Management service attempts to authenticate users based on the authentication methods, the default access policy, network ranges, and the identity provider instances you configure.

When users attempt to log in, the service evaluates the default access policy rules to select which rule in the policy to apply. The authentication methods are applied in the order they are listed in the rule. The first identity provider instance that meets the authentication method and network range requirements of the rule is selected, and the user authentication request is forwarded to that identity provider instance for authentication. If authentication fails, the next authentication method configured in the rule is applied.

You can set up different authentication methods for internal user and external user logins. For example, you could set up the Active Directory password or Kerberos authentication methods for internal users and the RSA SecurID authentication method for external users. Users attempting to access their apps portal from inside the organization's network are directed to an identity provider instance that provides Kerberos authentication or password authentication. Users outside the network are directed to an identity provider instance that provides RSA SecurID authentication.
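The selection and fallback order described above, applied to the internal/external example, can be modelled as follows. This is an added illustration, not code from the product: the class names, range names, addresses, and the assumption that the first rule whose network range contains the client address is the one applied are all hypothetical.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class IdP:                      # hypothetical model of an identity provider instance
    name: str
    methods: set                # authentication methods it offers
    ranges: set                 # names of the network ranges it serves

@dataclass
class Rule:                     # hypothetical model of one access policy rule
    network_range: str
    methods: list               # ordered: tried first to last

# Constructed sample configuration (names and addresses are illustrative).
RANGES = {"INTERNAL": "10.0.0.0/8", "ANY": "0.0.0.0/0"}
IDPS = [
    IdP("idp-internal", {"Kerberos", "Password"}, {"INTERNAL"}),
    IdP("idp-external", {"RSA SecurID"}, {"ANY"}),
]
POLICY = [
    Rule("INTERNAL", ["Kerberos", "Password"]),
    Rule("ANY", ["RSA SecurID"]),
]

def in_range(ip, range_name):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(RANGES[range_name])

def select_rule(ip, policy=POLICY):
    # Assumption: the first rule whose network range contains the client applies.
    return next((r for r in policy if in_range(ip, r.network_range)), None)

def auth_chain(ip, policy=POLICY, idps=IDPS):
    """Ordered (method, idp) pairs the request would be forwarded to."""
    rule = select_rule(ip, policy)
    chain = []
    for method in (rule.methods if rule else []):
        # First instance that offers the method and serves the client's range.
        idp = next((i for i in idps if method in i.methods
                    and any(in_range(ip, n) for n in i.ranges)), None)
        if idp:
            chain.append((method, idp.name))
    return chain

def authenticate(ip, succeeds):
    """succeeds(method, idp) -> bool stands in for the real IdP exchange."""
    for method, idp in auth_chain(ip):
        if succeeds(method, idp):
            return method, idp
    return None                 # every method in the selected rule failed
```

Calling `auth_chain` for a given source address lists every method that address can fall back to, which makes it easy to see the weakest method a rule will accept and how reordering rules changes the result.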