Page tree
Skip to end of metadata
Go to start of metadata

Configuring the IdP for IP Authentication

This authentication handler supports "authenticating" users based on their IP Address.

Define the Login Handler

This login handler is defined with the element <LoginHandler xsi:type="IPAddress"> with the following required attribute:

  • username - the username used for authenticated users

and the following optional attributes:

  • defaultDeny - boolean flag that indicated whether to accept or reject specified IP addresses; default: false
  • authenticationDuration - length of time in minutes that the authentication method associated with this login handler is active; default: 30 minutes

Additionally the login handler must contain one or more of the following elements

  • <AuthenticationMethod> - element whose content is the authentication method(s) serviced by the login handler.
  • <IPEntry> - IP addresses and ranges to allow (if defaultDeny is true) or deny (if defaultDeny is false), in CIDR notation
Example IPAddress Authentication Handler Configuration
<LoginHandler xsi:type="IPAddress" username="ip-user" defaultDeny="true">
    <AuthenticationMethod>urn:oasis:names:tc:SAML:2.0:ac:classes:InternetProtocol</AuthenticationMethod>
    <IPEntry>192.168.0.0/16</IPEntry>
</LoginHandler>

The above example will allow anyone with an IP address between 192.168.0.0 and 192.168.255.255 to be authenticated as the user ip-user

An IP CIDR Calculator may help in calculating the CIDR notation for an IP range.

  • No labels