Configuring the IdP for IP Authentication
This authentication handler supports "authenticating" users based on their IP address alone; no credential is presented, so the handler is only as trustworthy as the source address the IdP sees.
Defining the Authentication Handler
The IP address authentication handler is defined in the handler.xml configuration file in the following manner:
- A LoginHandler element with an xsi:type="IPAddress" attribute
- A username attribute, located on the LoginHandler element, that defines the username assigned to all users authenticated by this handler
- A defaultDeny attribute, located on the LoginHandler element, that defines whether to accept or deny addresses by default
- One or more child AuthenticationMethod elements that give the authentication methods supported by this handler
- One or more child IPEntry elements that define the IP addresses and ranges to allow or deny, in CIDR notation
Example IPAddress Authentication Handler Configuration
<LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
    <IPEntry>192.168.0.0/16</IPEntry>
</LoginHandler>
The above example will allow anyone with an IP address between 192.168.0.0 and 192.168.255.255 to be authenticated as the user ip-user.
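The following is an added example, not code from the Shibboleth IdP itself: it parses a LoginHandler fragment shaped like the one above and evaluates a client address against it. It assumes the semantics the attribute names suggest (with defaultDeny="true" the IPEntry list is an allow-list, with defaultDeny="false" it is a deny-list) and declares the xsi namespace on the fragment so it parses stand-alone; the second IPEntry is constructed for illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed config mirroring the page's example handler (xsi prefix declared
# here because the fragment is parsed on its own, not inside handler.xml).
HANDLER_XML = """
<LoginHandler xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:type="IPAddress" username="ip-user" defaultDeny="true">
  <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
  <IPEntry>192.168.0.0/16</IPEntry>
  <IPEntry>10.0.5.0/24</IPEntry>
</LoginHandler>
"""

XSI_TYPE = "{http://www.w3.org/2001/XMLSchema-instance}type"


def parse_handler(xml_text):
    """Read the IPAddress LoginHandler into a dict; reject malformed CIDR entries."""
    root = ET.fromstring(xml_text)
    if root.tag != "LoginHandler" or root.get(XSI_TYPE) != "IPAddress":
        raise ValueError("not an IPAddress LoginHandler element")
    # strict=True refuses entries with host bits set (e.g. 192.168.1.1/16),
    # which almost always indicate a misconfigured range.
    entries = [ipaddress.ip_network(e.text.strip(), strict=True)
               for e in root.findall("IPEntry")]
    return {
        "username": root.get("username"),
        "default_deny": root.get("defaultDeny", "false").lower() == "true",
        "methods": [m.text.strip() for m in root.findall("AuthenticationMethod")],
        "entries": entries,
    }


def authenticate(handler, client_ip):
    """Return the configured username if client_ip is accepted, else None.

    client_ip must be the transport-level peer address; a client-supplied
    header such as X-Forwarded-For is not a trustworthy source for this check.
    """
    addr = ipaddress.ip_address(client_ip)
    listed = any(addr in net for net in handler["entries"])  # False across IP versions
    allowed = listed if handler["default_deny"] else not listed
    return handler["username"] if allowed else None


if __name__ == "__main__":
    h = parse_handler(HANDLER_XML)
    for ip in ("192.168.10.20", "10.0.5.7", "172.16.0.1", "2001:db8::1"):
        print(ip, "->", authenticate(h, ip))
```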
An IP CIDR Calculator may help in calculating the CIDR notation for an IP range.