IPRangePredicate
The org.opensaml.profile.logic.IPRangePredicate class in OpenSAML provides a simple condition you can create and use to check a client's IP address against one or more CIDR network ranges supplied to test against.
Example
Given a script (an MFA rule in this example), you can inject the predicate to perform the test as part of the script's business logic. The example also demonstrates the common technique of using a map bean so that both the condition and the actual servlet request are accessible to the script, which allows the client's address to be logged.
<util:map id="my.CustomObjects">
    <entry key="condition">
        <bean class="org.opensaml.profile.logic.IPRangePredicate"
            p:httpServletRequestSupplier-ref="shibboleth.HttpServletRequestSupplier"
            p:ranges="#{ {'10.0.0.0/8', '192.168.3.0/24', '192.168.18.0/24'} }" />
    </entry>
    <entry key="request" value-ref="shibboleth.HttpServletRequestSupplier" />
</util:map>

<!-- Example script to see if second factor is required. Currently just returns the DuoOIDC flow -->
<bean id="checkSecondFactor" parent="shibboleth.ContextFunctions.Scripted" factory-method="inlineScript"
        p:customObject-ref="my.CustomObjects">
    <constructor-arg>
        <value>
        <![CDATA[
            // set logging
            logger = Java.type("org.slf4j.LoggerFactory").getLogger("org.example.mfa.script");
            // default to second factor
            var nextFlow = "authn/SecondFactor";
            // check if client is internal
            if (custom["condition"].test(input)) {
                logger.info("request excluded from MFA, address {} in internal IP range", custom["request"].get().getRemoteAddr());
                nextFlow = null;
            }
            nextFlow; // pass control to second factor or end with the first
        ]]>
        </value>
    </constructor-arg>
</bean>
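To make the decision above testable outside the IdP, the following is an added example (not OpenSAML's or Shibboleth's code) that re-implements the CIDR check the predicate performs and the flow selection the Nashorn script performs, using the same three ranges from the configuration. The class name IPRangePredicate and the function choose_next_flow are stand-ins chosen for this example; the real class is Java and its exact handling of unparsable or IPv4-mapped addresses is not documented on this page, so the fail-closed and mapped-address behaviour below are this example's assumptions.

```python
"""Added example: mirror of the IPRangePredicate / MFA-script decision.

Not OpenSAML code. Useful for auditing which client addresses a given
p:ranges list would exclude from the second factor before deploying it.
"""
import ipaddress
from typing import Iterable, Optional

SECOND_FACTOR_FLOW = "authn/SecondFactor"

# The ranges from the page's configuration example.
PAGE_RANGES = ["10.0.0.0/8", "192.168.3.0/24", "192.168.18.0/24"]


class IPRangePredicate:
    """Hypothetical stand-in for org.opensaml.profile.logic.IPRangePredicate.

    Only the matching logic is modelled: does the remote address fall in
    any of the configured CIDR ranges?
    """

    def __init__(self, ranges: Iterable[str]) -> None:
        # strict=False tolerates host bits set in a range (e.g. 192.168.3.7/24)
        # by masking them; a malformed range still raises ValueError at
        # construction, so a typo is caught at startup rather than at login.
        self.networks = [ipaddress.ip_network(r, strict=False) for r in ranges]

    def test(self, remote_addr: Optional[str]) -> bool:
        """Return True only when the address parses and is inside a range.

        Assumption of this example: anything unparsable (None, empty, text)
        returns False, so the caller falls back to requiring the second
        factor rather than skipping it.
        """
        if not remote_addr:
            return False
        try:
            addr = ipaddress.ip_address(remote_addr.strip())
        except ValueError:
            return False
        # Assumption of this example: a container on a dual-stack host may
        # report IPv4 clients as IPv4-mapped IPv6 (::ffff:a.b.c.d). Unwrap
        # those so IPv4 ranges still apply; other IPv6 clients never match
        # an IPv4 range because ip_network.__contains__ compares versions.
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
            addr = addr.ipv4_mapped
        return any(addr in net for net in self.networks)


def choose_next_flow(predicate: IPRangePredicate, remote_addr: Optional[str]) -> Optional[str]:
    """Mirror of the script: None means 'no second factor', else the flow id."""
    if predicate.test(remote_addr):
        return None
    return SECOND_FACTOR_FLOW


def audit(ranges: Iterable[str], addresses: Iterable[str]) -> dict:
    """Map each sample address to the flow the script would select."""
    predicate = IPRangePredicate(ranges)
    return {a: choose_next_flow(predicate, a) for a in addresses}


if __name__ == "__main__":
    # Constructed sample client addresses, not taken from any real log.
    samples = ["10.20.30.40", "192.168.3.7", "192.168.4.7",
               "203.0.113.5", "::ffff:10.1.2.3", "2001:db8::1", "not-an-ip"]
    for addr, flow in audit(PAGE_RANGES, samples).items():
        print(f"{addr:>18} -> {'skip MFA' if flow is None else flow}")
```

Running the block prints the decision for each constructed sample; the two addresses outside the ranges, the bare IPv6 client and the garbage string all keep the second factor, while the 10.x, 192.168.3.x and IPv4-mapped 10.x clients are excluded.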