Restricting Access to Automated IDR SSO Agent IdPs Using Authentication Source Access Rules
An IDR SSO Agent IdP that is configured for automatic use (see Authentication Sources) can filter user access using authentication source access rules. You create these rules by setting ranges of IP addresses that SecurID uses to allow or deny access to the particular IdP for automatic authentication. Only users within allowed IP address ranges can initiate automatic authentication using the configured IdP.
Rule Evaluation
SecurID evaluates authentication source access rules using eXtensible Access Control Markup Language (XACML). XACML lets you combine multiple access rules by using policy combination options to control rule evaluation.
Policy Combination Option | Description |
---|---|
Deny Overrides | (Default) Deny takes precedence over allow. Rule processing stops as soon as a deny is matched. This is the most restrictive option. |
Allow Overrides | Allow takes precedence over deny. Rule processing stops as soon as an allow rule is matched. This is the least restrictive option. |
First Applicable | Rule processing stops as soon as any rule is matched. |
If an IdP is prioritized above Portal in the authentication sources list and the authentication source policy uses the First Applicable policy combination, the policy automatically redirects application portal users to the IdP even if they do not explicitly match any criteria in the policy. To explicitly deny users from all IP addresses that no earlier rule allows, add a rule that denies all IP addresses (for example, IP_RANGE 0.0.0.0:0.0.0.0) to the bottom of the authentication source policy. If a user does not match any of the Allow rules in the policy, this final rule prevents them from being redirected to the IdP.
Example Scenarios for Authentication Source Access Rules and Policy Combinations
The following example scenarios demonstrate the effect of policy combination options on sets of authentication source access rules. The examples use the IP:Netmask format for expressing IP address ranges.
Note: The access rules and their order are identical in the first three examples. In the fourth (final) example, rule 3 is moved up to be the first rule evaluated, demonstrating how the order of rules helps determine access control when using the First Applicable policy combination option.
This example shows the effect of the Deny Overrides policy combination.
Authentication Source Access Rules | Effect of Deny Overrides Policy Combination |
---|---|
1. Allow From IP_RANGE 10.0.0.0:255.0.0.0; 2. Allow From IP_RANGE 192.168.0.0:255.255.0.0; 3. Deny From IP_RANGE 0.0.0.0:0.0.0.0 | All users are denied access because IP range 0.0.0.0:0.0.0.0 matches all IP addresses. |
This example shows the effect of the Allow Overrides policy combination.
Authentication Source Access Rules | Effect of Allow Overrides Policy Combination |
---|---|
1. Allow From IP_RANGE 10.0.0.0:255.0.0.0; 2. Allow From IP_RANGE 192.168.0.0:255.255.255.0; 3. Deny From IP_RANGE 0.0.0.0:0.0.0.0 | Only users within IP address ranges 10.0.0.0:255.0.0.0 and 192.168.0.0:255.255.255.0 are allowed access. All other users are denied. |
These examples show the effect of the First Applicable policy combination.
Authentication Source Access Rules | Effect of First Applicable Policy Combination |
---|---|
1. Allow From IP_RANGE 10.0.0.0:255.0.0.0; 2. Allow From IP_RANGE 192.168.0.0:255.255.255.0; 3. Deny From IP_RANGE 0.0.0.0:0.0.0.0 | Only users within IP address ranges 10.0.0.0:255.0.0.0 and 192.168.0.0:255.255.255.0 are allowed access. All other users are denied. |
1. Deny From IP_RANGE 0.0.0.0:0.0.0.0; 2. Allow From IP_RANGE 10.0.0.0:255.0.0.0; 3. Allow From IP_RANGE 192.168.0.0:255.255.255.0 | All users are denied access because IP range 0.0.0.0:0.0.0.0 matches all IP addresses. No other rules are evaluated. |
Default Rule
The default rule allows all users access to automatic IdP authentication. SecurID applies the default rule in both of the following cases:
- You do not specify any access rules. For example, if you configure the Deny Overrides or Allow Overrides policy combination without access rules, then all users are permitted access from all IPs.
- You specify access rules but the user does not match any of them.
The following examples show results when the default rule is applied and no users match the access rules.
Authentication Source Access Rules | Results of Deny or Allow Overrides Policy Combination with No Rule Matches |
---|---|
Deny From IP_RANGE 172.0.0.0:255.0.0.0 | All users are permitted access except the users from IP range 172.0.0.0:255.0.0.0, even though an explicit Allow Access rule is not defined. |
Deny From IP_NOT_IN_RANGE 172.0.0.0:255.0.0.0 | Only users from IP range 172.0.0.0:255.0.0.0 are permitted access, even though an explicit Allow Access rule is not defined. |
1. Allow From IP_RANGE 10.0.0.0:255.0.0.0; 2. Deny From IP_RANGE 172.0.0.0:255.0.0.0 | Users from IP range 192.168.0.0:255.255.0.0 are permitted access even though no explicit rule matches. It also implies that users from any IP range except 172.0.0.0:255.0.0.0 are permitted access. |
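The following Python model is an added example, not SecurID's own evaluation code: it reproduces the three policy combination options from the Rule Evaluation section and the default rule from this section, so a policy can be sanity-checked against sample client addresses before it is deployed. It assumes the IP:Netmask range syntax and the IP_RANGE / IP_NOT_IN_RANGE conditions shown on this page; the rule set is the page's own example, and the client IPs are constructed.

```python
import ipaddress

# A rule is (effect, condition, "address:netmask"), mirroring the page's rule format.
# RULES_PAGE is the rule set from the Allow Overrides / First Applicable examples above.
RULES_PAGE = [
    ("Allow", "IP_RANGE", "10.0.0.0:255.0.0.0"),
    ("Allow", "IP_RANGE", "192.168.0.0:255.255.255.0"),
    ("Deny", "IP_RANGE", "0.0.0.0:0.0.0.0"),
]

def in_range(ip, spec):
    """True if ip lies inside the network written as 'address:netmask'."""
    address, netmask = spec.split(":")
    network = ipaddress.ip_network(f"{address}/{netmask}", strict=False)
    return ipaddress.ip_address(ip) in network

def rule_matches(ip, rule):
    """IP_RANGE matches addresses inside the range; IP_NOT_IN_RANGE matches those outside."""
    _effect, condition, spec = rule
    inside = in_range(ip, spec)
    return inside if condition == "IP_RANGE" else not inside

def evaluate(ip, rules, combination="Deny Overrides"):
    """Return 'Allow' or 'Deny' for one client IP under the given policy combination.
    When no rule matches, the default rule applies and access is allowed."""
    matched = []
    for rule in rules:
        if not rule_matches(ip, rule):
            continue
        effect = rule[0]
        if combination == "First Applicable":
            return effect                      # first matching rule wins, stop
        if combination == "Deny Overrides" and effect == "Deny":
            return "Deny"                      # any matching deny wins, stop
        if combination == "Allow Overrides" and effect == "Allow":
            return "Allow"                     # any matching allow wins, stop
        matched.append(effect)
    # Only non-overriding effects reach this point, and they are all the same.
    return matched[0] if matched else "Allow"  # default rule: allow

def audit(rules, combination, sample_ips):
    """Map each sample IP to its decision, to spot unintended allows before deployment."""
    return {ip: evaluate(ip, rules, combination) for ip in sample_ips}

if __name__ == "__main__":
    samples = ["10.1.2.3", "192.168.0.7", "8.8.8.8"]   # constructed client addresses
    for combo in ("Deny Overrides", "Allow Overrides", "First Applicable"):
        print(combo, audit(RULES_PAGE, combo, samples))
```

Reordering the rule list (for example, moving the deny-all rule to the top) and re-running `audit` with First Applicable reproduces the fourth scenario, where every address is denied.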