Configuring the IdP for IP Authentication

This authentication handler supports "authenticating" users based on their IP Address.

Define the Login Handler

This login handler is defined with the element <LoginHandler xsi:type="IPAddress"> with the following required attribute:

• username - the username used for authenticated users

and the following optional attributes:

• defaultDeny - boolean flag that indicated whether to accept or reject specified IP addresses; default: false
• authenticationDuration - length of time in minutes that the authentication method associated with this login handler is active; default: 30 minutes

Additionally the login handler must contain one or more of the following elements

• <AuthenticationMethod> - element whose content is the authentication method(s) serviced by the login handler.
• <IPEntry> - IP addresses and ranges to allow (if defaultDeny is true) or deny (if defaultDeny is false), in CIDR notation

<LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
    <IPEntry>192.168.0.0/16</IPEntry>
</LoginHandler>

The above example will allow anyone with an IP address between 192.168.0.0 and 192.168.255.255 to be authenticated as the user ip-user

An IP CIDR Calculator may help in calculating the CIDR notation for an IP range.