The Account Recovery (ACR) feature in ServiceNow provides administrators with a failsafe mechanism to regain access to an instance in case of Single Sign-On (SSO) issues, such as misconfigurations, expired certificates, or identity provider failures. Without ACR, recovery can be complex, leading to prolonged downtime and increased security risks. Enabling this feature ensures a reliable recovery method while maintaining instance security and continuity.
Resolution Steps
1. Enable the Account Recovery Feature
Navigate to System Properties in ServiceNow.
Locate the property glide.sso.acr.enabled and set its value to true.
Save the changes to activate ACR functionality.
2. Configure an Administrator for Recovery
Ensure at least one administrator account is designated for account recovery before enabling SSO.
This admin account should have appropriate permissions to regain instance access in case of authentication failures.
3. Address Domain-Separated Instances (if applicable)
If your instance uses domain separation, follow the ServiceNow Remediation Playbook to ensure proper ACR functionality.
Test account recovery in a non-production environment before rolling it out in production.
4. Activate the Multi-SSO Plugin
Navigate to System Definition > Plugins.
Search for Multi-SSO Plugin and ensure it is installed and active.
This plugin is necessary for managing authentication mechanisms, including ACR.
5. Enroll as an ACR User
Enroll a designated admin account as an ACR user for all instances.
Test account recovery by simulating an SSO failure and verifying that the ACR login process works correctly.
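An added example, not from the original article or from ServiceNow: a Python pre-flight check that evaluates the steps above against exported instance data and lists the ones that are unmet. The property name comes from the article; the sample data is constructed, and the layout of the plugin and ACR enrollment records (field names included) is an assumption made for illustration.

```python
import json

ACR_PROPERTY = "glide.sso.acr.enabled"  # property name taken from the article
PLUGIN_NAME = "Multi-SSO Plugin"        # plugin name as written in the article

# Constructed sample export. "sys_properties" mimics a Table API response
# ({"result": [...]}, values as strings); the "plugins" and "acr_enrollments"
# record layouts are hypothetical and must be adapted to your own export.
SAMPLE_EXPORT = json.loads("""
{
  "sys_properties": {"result": [{"name": "glide.sso.acr.enabled", "value": "true"}]},
  "plugins": [{"name": "Multi-SSO Plugin", "installed": true, "active": true}],
  "acr_enrollments": [
    {"user_name": "recovery.admin", "roles": ["admin"], "active": true, "locked_out": false},
    {"user_name": "jdoe", "roles": ["itil"], "active": true, "locked_out": false}
  ]
}
""")

def acr_readiness(export):
    """Return the list of unmet steps; an empty list means ACR is ready."""
    problems = []

    # Step 1: the property must exist and be the string "true".
    rows = export.get("sys_properties", {}).get("result", [])
    props = {r["name"]: str(r.get("value", "")) for r in rows}
    if props.get(ACR_PROPERTY, "").strip().lower() != "true":
        problems.append("step 1: %s is not set to true" % ACR_PROPERTY)

    # Step 4: the plugin must be both installed and active.
    plugin = next((p for p in export.get("plugins", [])
                   if p.get("name") == PLUGIN_NAME), None)
    if plugin is None or not plugin.get("installed"):
        problems.append("step 4: %s is not installed" % PLUGIN_NAME)
    elif not plugin.get("active"):
        problems.append("step 4: %s is installed but not active" % PLUGIN_NAME)

    # Steps 2 and 5: at least one enrolled user must be an admin who can
    # actually log in (account active and not locked out).
    usable = [u["user_name"] for u in export.get("acr_enrollments", [])
              if "admin" in u.get("roles", [])
              and u.get("active") and not u.get("locked_out")]
    if not usable:
        problems.append("steps 2 and 5: no usable administrator is enrolled for ACR")
    return problems

if __name__ == "__main__":
    print(acr_readiness(SAMPLE_EXPORT) or "ACR prerequisites met")
```

Running the same check against a non-production export first matches the testing advice in step 3.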
By enabling Account Recovery (ACR), administrators can mitigate the risks associated with SSO failures, ensuring continued access to their ServiceNow instance. This feature enhances security while reducing the operational overhead of manually recovering from authentication issues.
For more detailed guidance on resolving this issue, please contact us at support@dt-advisory.ch.