The Directories Management service attempts to authenticate users based on the authentication methods, the default access policy, network ranges, and the identity provider instances you configure.

When users attempt to log in, the service evaluates the default access policy rules to select which rule in the policy to apply. The authentication methods are applied in the order they are listed in the rule. The first identity provider instance that meets the authentication method and network range requirements of the rule is selected, and the user authentication request is forwarded to that instance for authentication. If authentication fails, the next authentication method configured in the rule is applied.

You can add rules that specify the authentication methods to be used by device type, or by device type together with a specific network range. For example, you could configure a rule requiring users who sign in using iOS devices from a specific network to authenticate using RSA SecurID, and another rule that specifies all device types signing in from the internal network IP address to authenticate using their password.
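The selection and fallback order described above can be traced with a small model. This is an added example, not code from the Directories Management service; the class names, instance names and IP ranges are hypothetical, and it assumes rules are checked top to bottom with the first match winning and that a method with no eligible identity provider instance is skipped.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:                 # one row of the access policy (modelled, not the product schema)
    device_type: str        # "iOS", "Android", ... or "any"
    network: str            # CIDR range the rule applies to
    methods: list           # authentication methods, in fallback order

@dataclass
class IdpInstance:
    name: str
    methods: set            # methods this instance can perform
    networks: list          # CIDR ranges this instance serves

def in_range(ip, cidr):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def select_rule(rules, device_type, ip):
    # Assumption: rules are checked top to bottom and the first match wins.
    for rule in rules:
        if rule.device_type in ("any", device_type) and in_range(ip, rule.network):
            return rule
    return None

def authenticate(rules, idps, device_type, ip, can_pass):
    """Return (outcome, attempts); can_pass is the set of methods the user completes."""
    rule = select_rule(rules, device_type, ip)
    attempts = []
    if rule is None:
        return "denied", attempts
    for method in rule.methods:
        # First instance that supports the method and covers the client's network.
        idp = next((i for i in idps if method in i.methods
                    and any(in_range(ip, n) for n in i.networks)), None)
        if idp is None:
            continue        # assumption: a method with no eligible instance is skipped
        attempts.append((method, idp.name))
        if method in can_pass:
            return "authenticated", attempts
    return "denied", attempts

# Constructed sample policy and identity provider instances.
RULES = [
    Rule("iOS", "203.0.113.0/24", ["RSA SecurID", "Password"]),
    Rule("any", "10.0.0.0/8", ["Password"]),
]
IDPS = [
    IdpInstance("idp-securid", {"RSA SecurID"}, ["203.0.113.0/24"]),
    IdpInstance("idp-directory", {"Password"}, ["203.0.113.0/24", "10.0.0.0/8"]),
]
```

In this sample policy, an iOS user on 203.0.113.0/24 who fails RSA SecurID is offered Password next, so a rule meant to require RSA SecurID should list it as the only method.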