IdPAuthIP
Configuring the IdP for IP Authentication
This authentication handler supports "authenticating" users based on their IP Address.
Define the Login Handler
This login handler is defined with the element <LoginHandler xsi:type="IPAddress">
with the following required attribute:
- username - the username used for authenticated users
and the following optional attributes:
- defaultDeny - boolean flag that indicated whether to accept or reject specified IP addresses; default: false
- authenticationDuration - length of time in minutes that the authentication method associated with this login handler is active; default: 30 minutes
Additionally the login handler must contain one or more of the following elements
<AuthenticationMethod>
- element whose content is the authentication method(s) serviced by the login handler.<IPEntry>
- IP addresses and ranges to allow (ifdefaultDeny
is true) or deny (ifdefaultDeny
is false), in CIDR notation
Example IPAddress Authentication Handler Configuration
<LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true"> <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod> <IPEntry>192.168.0.0/16</IPEntry> </LoginHandler>
The above example will allow anyone with an IP address between 192.168.0.0
and 192.168.255.255
to be authenticated as the user ip-user
An IP CIDR Calculator may help in calculating the CIDR notation for an IP range.