Restricting Access to Automated IdPs Using Authentication Source Access Rules

Document created by RSA Information Design and Development on Jul 14, 2016. Last modified by RSA Information Design and Development on Oct 20, 2017.
Version 20
An IdP that is configured for automatic use (see Authentication Sources) can filter user access using authentication source access rules. To create authentication source access rules, you set ranges of IP addresses that RSA SecurID Access uses to allow or deny access to the particular IdP for automatic authentication. Only users within allowed IP address ranges can initiate automatic authentication using the configured IdP. If you do not set any access rules, RSA SecurID Access applies the default rule which allows all users access to automatic IdP authentication.

RSA SecurID Access evaluates authentication source access rules using eXtensible Access Control Markup Language (XACML). XACML lets you combine multiple access rules by using policy combination options to control rule evaluation.

                      
Policy Combination Option Description
Deny Overrides (Default) Deny takes precedence over allow. Rule processing stops as soon as a deny is matched. This is the most restrictive option.
Allow Overrides Allow takes precedence over deny. Rule processing stops as soon as an allow rule is matched. This is the least restrictive option.
First Applicable Rule processing stops as soon as any rule is matched.
 

Example Scenarios for Authentication Source Access Rules and Policy Combinations

The following example scenarios demonstrate the effect of policy combination options on sets of authentication source access rules. The examples use the IP:Netmask format for expressing IP address ranges.

Note:  The access rules and their order are identical in the first three examples. In the fourth (final) example, rule 3 is moved up to be the first rule evaluated, demonstrating how the order of rules helps determine access control when using the First Applicable policy combination option.

This example shows the effect of the Deny Overrides policy combination.

Authentication Source Access Rules:

    Allow From IP_RANGE 10.0.0.0:255.0.0.0
    Allow From IP_RANGE 192.168.0.0:255.255.0.0
    Deny From IP_RANGE 0.0.0.0:0.0.0.0

Effect of Deny Overrides Policy Combination: All users are denied access because IP range 0.0.0.0:0.0.0.0 matches all IP addresses.

This example shows the effect of the Allow Overrides policy combination.

Authentication Source Access Rules:

    Allow From IP_RANGE 10.0.0.0:255.0.0.0
    Allow From IP_RANGE 192.168.0.0:255.255.255.0
    Deny From IP_RANGE 0.0.0.0:0.0.0.0

Effect of Allow Overrides Policy Combination: Only users within IP address ranges 10.0.0.0:255.0.0.0 and 192.168.0.0:255.255.255.0 are allowed access. All other users are denied.

These two examples show the effect of the First Applicable policy combination; they differ only in the position of the Deny rule.

Authentication Source Access Rules (Deny rule last):

    Allow From IP_RANGE 10.0.0.0:255.0.0.0
    Allow From IP_RANGE 192.168.0.0:255.255.255.0
    Deny From IP_RANGE 0.0.0.0:0.0.0.0

Effect of First Applicable Policy Combination: Only users within IP address ranges 10.0.0.0:255.0.0.0 and 192.168.0.0:255.255.255.0 are allowed access. All other users are denied.

Authentication Source Access Rules (Deny rule first):

    Deny From IP_RANGE 0.0.0.0:0.0.0.0
    Allow From IP_RANGE 10.0.0.0:255.0.0.0
    Allow From IP_RANGE 192.168.0.0:255.255.255.0

Effect of First Applicable Policy Combination: All users are denied access because IP range 0.0.0.0:0.0.0.0 matches all IP addresses. No other rules are evaluated.
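The three policy combination options applied to the four rule sets above, as an added Python example (not RSA's code and not an XACML engine): each IP:Netmask range is parsed with the standard ipaddress module, and the case where rules exist but none matches is modelled as NotApplicable, an assumption since the page only defines the allow-all default for an empty rule set.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    effect: str    # "Allow" or "Deny"
    ip: str        # the two halves of the page's IP:Netmask format
    netmask: str

    def matches(self, client_ip: str) -> bool:
        net = ipaddress.IPv4Network((self.ip, self.netmask), strict=False)
        return ipaddress.IPv4Address(client_ip) in net

COMBINATIONS = ("Deny Overrides", "Allow Overrides", "First Applicable")

def evaluate(rules, client_ip, combination="Deny Overrides"):
    """Check rules in list order, stopping where each option stops. No match at
    all yields "NotApplicable" (assumption: the page states the allow-all
    default only for the case where no rules are configured)."""
    if combination not in COMBINATIONS:
        raise ValueError(f"unknown policy combination: {combination}")
    decision = None
    for rule in rules:
        if not rule.matches(client_ip):
            continue
        if combination == "First Applicable":
            return rule.effect                                # first match decides
        if combination == "Deny Overrides" and rule.effect == "Deny":
            return "Deny"                                     # stop at first deny
        if combination == "Allow Overrides" and rule.effect == "Allow":
            return "Allow"                                    # stop at first allow
        decision = rule.effect                                # remember, keep scanning
    return decision or "NotApplicable"

# Rule sets of the page's four scenarios (example 1 keeps its 255.255.0.0 mask).
ALLOW_10 = Rule("Allow", "10.0.0.0", "255.0.0.0")
ALLOW_192_16 = Rule("Allow", "192.168.0.0", "255.255.0.0")
ALLOW_192_24 = Rule("Allow", "192.168.0.0", "255.255.255.0")
DENY_ALL = Rule("Deny", "0.0.0.0", "0.0.0.0")
SCENARIOS = {
    1: ([ALLOW_10, ALLOW_192_16, DENY_ALL], "Deny Overrides"),
    2: ([ALLOW_10, ALLOW_192_24, DENY_ALL], "Allow Overrides"),
    3: ([ALLOW_10, ALLOW_192_24, DENY_ALL], "First Applicable"),
    4: ([DENY_ALL, ALLOW_10, ALLOW_192_24], "First Applicable"),
}

def decide(scenario: int, client_ip: str) -> str:
    rules, combination = SCENARIOS[scenario]
    return evaluate(rules, client_ip, combination)
```

Client addresses such as 10.1.2.3 or 203.0.113.9 are constructed test values; only in scenarios 2 and 3 does the result depend on the client address.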
