The Directories Management service attempts to authenticate users based on the authentication methods, the default access policy, network ranges, and the identity provider instances you configure.

When users attempt to log in, the service evaluates the default access policy rules to select which rule in the policy to apply. The authentication methods are applied in the order they are listed in the rule. The first identity provider instance that meets the authentication method and network range requirements of the rule is selected. The user authentication request is forwarded to the identity provider instance for authentication. If authentication fails, the next authentication method configured in the rule is applied.

You can add rules that specify the authentication methods to be used by either the device type or by the device type and from a specific network range. For example, you might configure a rule that requires users who sign in using iOS devices from a specific network to authenticate using RSA SecurID. Then configure another rule that requires users who sign in using any type of device from the internal network IP address to authenticate using their password.