The Shibboleth V2 IdP and SP software have reached End of Life and are no longer supported. This documentation is available for historical purposes only. See the IDP v4 and SP v3 wiki spaces for current documentation on the supported versions.

IdPAuthIP

Configuring the IdP for IP Authentication

This login handler "authenticates" users solely on the basis of the client IP address the IdP observes; no credentials are checked.

Define the Login Handler

This login handler is defined with the element <LoginHandler xsi:type="IPAddress">, which takes the following required attribute:

  • username - the username used for authenticated users

and the following optional attributes:

  • defaultDeny - boolean flag that indicates whether the listed IP addresses are accepted or rejected: when true, only addresses matching an <IPEntry> are accepted and every other address is rejected; when false, addresses matching an <IPEntry> are rejected and every other address is accepted; default: false
  • authenticationDuration - length of time, in minutes, for which the authentication performed by this login handler remains active; default: 30

Additionally, the login handler must contain at least one of each of the following child elements (both may be repeated):

  • <AuthenticationMethod> - element whose content is an authentication method URI serviced by the login handler.
  • <IPEntry> - an IP address or range in CIDR notation; a client matches if its address falls within any entry. Matching entries are allowed (if defaultDeny is true) or denied (if defaultDeny is false).

Example IPAddress Authentication Handler Configuration

<LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
    <IPEntry>192.168.0.0/16</IPEntry>
</LoginHandler>

The above example allows anyone with an IP address between 192.168.0.0 and 192.168.255.255 (inclusive) to be authenticated as the user ip-user and, because defaultDeny is true, rejects every other address. Note that if defaultDeny were left at its default of false, the same entry would instead reject 192.168.0.0/16 and authenticate every other client as ip-user, so check the flag carefully before relying on an allow-list.

An IP CIDR calculator may help in converting an IP address range into the CIDR notation required by <IPEntry>.
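The following is an added example, not part of the original page or of the Shibboleth code base, that models the decision described above for the attributes and <IPEntry> elements, and also performs the range-to-CIDR conversion that the calculator mentioned above does. The class and function names (IPAddressLoginHandler, range_to_cidr) and the sample client addresses are assumptions made for illustration; the handler semantics (allow-list when defaultDeny is true, deny-list when false, 30-minute default duration) follow the documentation above.

```python
import ipaddress
from typing import List, Optional


class IPAddressLoginHandler:
    """Model of the decision made by <LoginHandler xsi:type="IPAddress">.

    username:     identity asserted for every accepted client (required attribute)
    entries:      the <IPEntry> values, in CIDR notation
    default_deny: True  -> entries are an allow-list, any other address is rejected
                  False -> entries are a deny-list, any other address is accepted
                  (the documented default is False)
    duration_min: authenticationDuration, documented default 30 minutes
    Names and structure are illustrative, not the IdP's own classes.
    """

    def __init__(self, username: str, entries: List[str],
                 default_deny: bool = False, duration_min: int = 30) -> None:
        self.username = username
        self.default_deny = default_deny
        self.duration_min = duration_min
        # strict=False tolerates entries with host bits set (e.g. 10.1.2.3/24)
        # and normalises them to the network; strict=True would raise instead.
        self.networks = [ipaddress.ip_network(e, strict=False) for e in entries]

    def normalized_entries(self) -> List[str]:
        """The entries as actually enforced, useful for spotting host bits that
        were silently dropped from a mistyped <IPEntry>."""
        return [str(n) for n in self.networks]

    def is_listed(self, client_ip: str) -> bool:
        """True if the client address falls inside any <IPEntry>.
        An IPv6 client never matches an IPv4 entry and vice versa."""
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.networks)

    def authenticate(self, client_ip: str) -> Optional[str]:
        """Return the asserted username if the client is accepted, else None."""
        listed = self.is_listed(client_ip)
        accepted = listed if self.default_deny else not listed
        return self.username if accepted else None


def range_to_cidr(first: str, last: str) -> List[str]:
    """What an IP CIDR calculator does: convert an inclusive address range into
    the minimal list of CIDR blocks, one per <IPEntry>."""
    lo = ipaddress.ip_address(first)
    hi = ipaddress.ip_address(last)
    return [str(n) for n in ipaddress.summarize_address_range(lo, hi)]


if __name__ == "__main__":
    # Constructed sample: the configuration from the page, defaultDeny="true".
    allow = IPAddressLoginHandler("ip-user", ["192.168.0.0/16"], default_deny=True)
    # The same entry with defaultDeny left at its default (false) is a deny-list.
    deny = IPAddressLoginHandler("ip-user", ["192.168.0.0/16"])
    for client in ("192.168.10.20", "10.0.0.1", "203.0.113.5", "::1"):
        print(f"{client:>14}  defaultDeny=true -> {allow.authenticate(client)!s:8}"
              f"  defaultDeny=false -> {deny.authenticate(client)}")
    print(range_to_cidr("192.168.0.0", "192.168.255.255"))
    print(range_to_cidr("10.0.0.1", "10.0.0.6"))
```

The deny-list run is the part worth studying: with defaultDeny at its default, addresses such as 203.0.113.5 that appear nowhere in the configuration are authenticated as ip-user, which is the opposite of what an administrator who wrote the entry as an allow-list intended. normalized_entries() is there so a mistyped entry with host bits set can be compared against what was meant before the handler is deployed.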