The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.


Configuring the IdP for IP Authentication

This authentication handler supports "authenticating" users based on their IP address.

Defining the Authentication Handler

The IP address authentication handler is defined in the handler.xml configuration file in the following manner:

  • A LoginHandler element with an xsi:type="IPAddress" attribute
  • A username attribute, located on the AuthenticationHandler element, that defines the username used for all users
  • A defaultDeny attribute, located on the AuthenticationHandler element, that defines whether to accept or deny by default
  • One or more child AuthenticationMethod elements that give the authentication methods supported by this handler
  • One or more child IPEntry elements that define the IP addresses and ranges to allow or deny, in CIDR notation

Example IPAddress Authentication Handler Configuration

<LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
    <IPEntry>192.168.0.0/16</IPEntry>
</LoginHandler>

The above example will allow anyone with an IP address between 192.168.0.0 and 192.168.255.255 to be authenticated as the user ip-user.

An IP CIDR Calculator may help in calculating the CIDR notation for an IP range.
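
To review exactly which addresses a handler's IPEntry elements cover, the Python sketch below (an added example, not part of the Shibboleth documentation or software) parses a LoginHandler of type IPAddress, expands each CIDR entry to its first and last address, and evaluates a client address against it. The wrapper root element, the function names, and the reading of defaultDeny (entries form an allow list when true and a deny list when false, with a missing attribute treated as false) are assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"
# Constructed sample: the page's handler wrapped in a root that binds the xsi prefix.
SAMPLE = """<ProfileHandlerGroup xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
    <IPEntry>192.168.0.0/16</IPEntry>
  </LoginHandler>
</ProfileHandlerGroup>"""


def local(tag):
    """Strip any XML namespace so the check works with or without prefixes."""
    return tag.rsplit("}", 1)[-1]


def load_ip_handlers(xml_text):
    """Return one dict per IPAddress LoginHandler; ip_network() raises
    ValueError for an IPEntry with host bits set, e.g. 192.168.1.5/16."""
    handlers = []
    for el in ET.fromstring(xml_text).iter():
        xsi_type = el.get(XSI_TYPE, "").split(":")[-1]
        if local(el.tag) != "LoginHandler" or xsi_type != "IPAddress":
            continue
        nets = [ipaddress.ip_network(c.text.strip())
                for c in el if local(c.tag) == "IPEntry"]
        handlers.append({"username": el.get("username"), "networks": nets,
                         "default_deny": el.get("defaultDeny") in ("true", "1")})
    return handlers


def covered_range(net):
    """First address, last address and size of one IPEntry."""
    return str(net[0]), str(net[-1]), net.num_addresses


def decide(handler, client_ip):
    """Assumed semantics: entries allow when defaultDeny is true, deny when false."""
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in net for net in handler["networks"])
    return listed if handler["default_deny"] else not listed


if __name__ == "__main__":
    for h in load_ip_handlers(SAMPLE):
        print(h["username"], [covered_range(n) for n in h["networks"]])
```
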
