IdPAuthIP

Configuring the IdP for IP Authentication

This authentication handler supports "authenticating" users based on their IP Address.

Define the Login Handler

This login handler is defined with the element <LoginHandler xsi:type="IPAddress"> with the following required attribute:

  • username - the username used for authenticated users

and the following optional attributes:

  • defaultDeny - boolean flag that indicated whether to accept or reject specified IP addresses; default: false
  • authenticationDuration - length of time in minutes that the authentication method associated with this login handler is active; default: 30 minutes

Additionally the login handler must contain one or more of the following elements

  • <AuthenticationMethod> - element whose content is the authentication method(s) serviced by the login handler.
  • <IPEntry> - IP addresses and ranges to allow (if defaultDeny is true) or deny (if defaultDeny is false), in CIDR notation
Example IPAddress Authentication Handler Configuration
<LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
    <IPEntry>192.168.0.0/16</IPEntry>
</LoginHandler>

The above example will allow anyone with an IP address between 192.168.0.0 and 192.168.255.255 to be authenticated as the user ip-user

An IP CIDR Calculator may help in calculating the CIDR notation for an IP range.