Restricting Access to Automated SSO Agent IdPs Using Authentication Source Access Rules

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on Nov 15, 2019.
Version 41

An SSO Agent IdP that is configured for automatic use (see Authentication Sources) can filter user access using authentication source access rules. You create these rules by setting ranges of IP addresses that RSA SecurID Access uses to allow or deny access to the particular IdP for automatic authentication. Only users within allowed IP address ranges can initiate automatic authentication using the configured IdP.

Rule Evaluation

RSA SecurID Access evaluates authentication source access rules using eXtensible Access Control Markup Language (XACML). XACML lets you combine multiple access rules by using policy combination options to control rule evaluation.

Policy combination options:

  • Deny Overrides (Default): Deny takes precedence over allow. Rule processing stops as soon as a deny is matched. This is the most restrictive option.

  • Allow Overrides: Allow takes precedence over deny. Rule processing stops as soon as an allow rule is matched. This is the least restrictive option.

  • First Applicable: Rule processing stops as soon as any rule is matched.
 

If an IdP is prioritized above Portal in the authentication sources list and the authentication source policy uses the First Applicable policy combination, the policy automatically redirects application portal users to the IdP even if they do not explicitly match any criteria in the policy. To explicitly deny users from all IP addresses, add a Deny rule to the bottom of the authentication source policy. If a user does not match any of the Allow rules above it in the policy, this final rule prevents them from being redirected to the IdP.

Example Scenarios for Authentication Source Access Rules and Policy Combinations

The following example scenarios demonstrate the effect of policy combination options on sets of authentication source access rules. The examples use the IP:Netmask format for expressing IP address ranges.

Note:  The access rules and their order are identical in the first three examples. In the fourth (final) example, rule 3 is moved up to be the first rule evaluated, demonstrating how the order of rules helps determine access control when using the First Applicable policy combination option.

This example shows the effect of the Deny Overrides policy combination.

Authentication Source Access Rules:
  1. Allow From IP_RANGE 10.0.0.0:255.0.0.0
  2. Allow From IP_RANGE 192.168.0.0:255.255.0.0
  3. Deny From IP_RANGE 0.0.0.0:0.0.0.0

Effect of Deny Overrides Policy Combination: All users are denied access because IP range 0.0.0.0:0.0.0.0 matches all IP addresses.

This example shows the effect of the Allow Overrides policy combination.

Authentication Source Access Rules:
  1. Allow From IP_RANGE 10.0.0.0:255.0.0.0
  2. Allow From IP_RANGE 192.168.0.0:255.255.255.0
  3. Deny From IP_RANGE 0.0.0.0:0.0.0.0

Effect of Allow Overrides Policy Combination: Only users within IP address ranges 10.0.0.0:255.0.0.0 and 192.168.0.0:255.255.255.0 are allowed access. All other users are denied.

These examples show the effect of the First Applicable policy combination.

Authentication Source Access Rules (original order):
  1. Allow From IP_RANGE 10.0.0.0:255.0.0.0
  2. Allow From IP_RANGE 192.168.0.0:255.255.255.0
  3. Deny From IP_RANGE 0.0.0.0:0.0.0.0

Effect of First Applicable Policy Combination: Only users within IP address ranges 10.0.0.0:255.0.0.0 and 192.168.0.0:255.255.255.0 are allowed access. All other users are denied.

Authentication Source Access Rules (rule 3 moved to the top):
  1. Deny From IP_RANGE 0.0.0.0:0.0.0.0
  2. Allow From IP_RANGE 10.0.0.0:255.0.0.0
  3. Allow From IP_RANGE 192.168.0.0:255.255.255.0

Effect of First Applicable Policy Combination: All users are denied access because IP range 0.0.0.0:0.0.0.0 matches all IP addresses. No other rules are evaluated.

Default Rule

The default rule allows all users access to automatic IdP authentication. RSA SecurID Access applies the default rule in both of the following cases:

  • You do not specify any access rules. For example, if you configure the Deny or Allow Overrides policy combination without access rules, then all users are permitted access from all IPs.

  • You specify access rules but the user does not match the rules.

The following examples show results when the default rule is applied and no users match the access rules.

Results of Deny or Allow Overrides Policy Combination with No Rule Matches:

Authentication Source Access Rules:
  1. Deny From IP_RANGE 172.0.0.0:255.0.0.0

Result: All users are permitted access except the users from IP range 172.0.0.0:255.0.0.0, even though an explicit Allow Access rule is not defined.

Authentication Source Access Rules:
  1. Deny From IP_NOT_IN_RANGE 172.0.0.0:255.0.0.0

Result: Only users from IP range 172.0.0.0:255.0.0.0 are permitted access, even though an explicit Allow Access rule is not defined.

Authentication Source Access Rules:
  1. Allow From IP_RANGE 10.0.0.0:255.0.0.0
  2. Deny From IP_RANGE 172.0.0.0:255.0.0.0

Result: Users from IP range 192.168.0.0:255.255.0.0 are permitted access even though no explicit rule matches. It also implies that users from any IP range except 172.0.0.0:255.0.0.0 are permitted access.
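The following Python evaluator is an added example, not RSA's code, that models the rule evaluation described above: the three policy combination options, IP_RANGE and IP_NOT_IN_RANGE matching in IP:Netmask form, and the default Allow rule when nothing matches. The tuple layout of a rule, the function names and the client IPs are assumptions made for this illustration.

```python
import ipaddress
from typing import List, Optional, Tuple

# A rule is (effect, match type, "network:netmask"), e.g. ("Deny", "IP_RANGE", "0.0.0.0:0.0.0.0").
Rule = Tuple[str, str, str]

# Effect that wins and stops processing under each policy combination option;
# None means the first matching rule of either effect wins (First Applicable).
OVERRIDING_EFFECT = {"Deny Overrides": "Deny", "Allow Overrides": "Allow", "First Applicable": None}

def _ip_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))

def rule_matches(rule: Rule, client_ip: str) -> bool:
    """True when client_ip satisfies the rule's IP:Netmask condition."""
    _effect, match_type, ip_range = rule
    network, netmask = ip_range.split(":")
    mask = _ip_int(netmask)
    in_range = (_ip_int(client_ip) & mask) == (_ip_int(network) & mask)
    if match_type == "IP_RANGE":
        return in_range
    if match_type == "IP_NOT_IN_RANGE":
        return not in_range
    raise ValueError(f"unknown match type: {match_type}")

def evaluate(rules: List[Rule], client_ip: str, combination: str = "Deny Overrides") -> str:
    """Return "Allow" or "Deny" for client_ip, evaluating rules top to bottom."""
    if combination not in OVERRIDING_EFFECT:
        raise ValueError(f"unknown policy combination: {combination}")
    overriding = OVERRIDING_EFFECT[combination]
    fallback: Optional[str] = None  # first matching rule of the non-overriding effect
    for rule in rules:
        if not rule_matches(rule, client_ip):
            continue
        effect = rule[0]
        if overriding is None or effect == overriding:
            return effect  # processing stops as soon as the overriding effect matches
        if fallback is None:
            fallback = effect
    # Default rule: a user who matches no rule is allowed automatic IdP authentication.
    return fallback if fallback is not None else "Allow"

# Rule set from the page's example scenarios (constructed from the text above).
EXAMPLE_RULES: List[Rule] = [
    ("Allow", "IP_RANGE", "10.0.0.0:255.0.0.0"),
    ("Allow", "IP_RANGE", "192.168.0.0:255.255.255.0"),
    ("Deny", "IP_RANGE", "0.0.0.0:0.0.0.0"),
]
```

Running evaluate(EXAMPLE_RULES, ip, combo) for a few client IPs reproduces the example scenarios: every IP is denied under Deny Overrides, only 10.0.0.0/8 and 192.168.0.0/24 clients are allowed under Allow Overrides and First Applicable, and moving the Deny rule to the top denies everyone under First Applicable.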
