IBM Verify

  • 1.  IBM Verify Identity Access - Allow authentication only from IP addresses

    Posted 29 days ago

    Hi,

    We have implemented SP-initiated SAML2 for one of our client applications, and we have a requirement to allow authentication only if the request comes from particular IP addresses, and otherwise reject access.

    I have created a POP, added the IP addresses under "IP Auth" (authentication level 0) and attached it to the Protected Object (/WebSEAL/<fqdn-wrp>/isam/sps/<idp>), but once I enter the username and password on the login screen, it shows a forbidden error. Do you have any clue?

    And please guide us on the best way to implement the above requirement.

    Thanks

    Regards

    SK



    ------------------------------
    Someswara Reddy Karem
    ------------------------------


  • 2.  RE: IBM Verify Identity Access - Allow authentication only from IP addresses

    Posted 29 days ago

    Hello Someswara,

    By default the Reverse Proxy sees the 'IP address' of the 'Client' as the IP that is directly connecting to the Reverse Proxy instance. If you are going through an Ingress point to get to your Reverse Proxy such as a load balancer or other intermediary device this can cause issues with authorization decisions.

    Later versions of IVIA and ISVA allow for the following entry to be used:

    # The following configuration entry is used to define the name of the HTTP
    # header which contains the IP address of the client.  This IP address will be
    # used as the client address in authorization decisions and auditing records.
    # If no HTTP header is configured, or the configured HTTP header is missing
    # from the HTTP request, or the contents of the HTTP header are incorrect,
    # the client IP address of the connection itself will be used.
    #
    # For example:
    #   client-ip-http-header = X-Forwarded-For
    #
    # client-ip-http-header =

    You'll want to set this up to allow the Reverse Proxy to use the actual client IP address for the POP decisions instead of the IP address of the device immediately connecting to the Reverse Proxy instance.

    This has been in the product since 10.0.1.0.

    If you're going to use an HTTP Header such as the 'X-Forwarded-For' header you need to make sure the devices in front of the Reverse Proxy instance are always sending that header or else the Reverse Proxy will revert to default behavior when that header is missing.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------
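The config comment above says the proxy uses the configured header when it is present and parseable and otherwise falls back to the address of the TCP peer, which behind a load balancer is the balancer itself. The following is an added example, not code from IBM or from the product, that models that decision in Python against constructed addresses (203.0.113.0/24 as the allowed client range, 10.0.0.0/8 as the load balancer network; function names are hypothetical). It reproduces the symptom from the original post (header missing, so the balancer's IP is checked and the POP returns forbidden) and also shows the caveat a practitioner should have in mind for any X-Forwarded-For based allow list: if the device in front of the proxy does not overwrite or append to that header, a client can supply its own value. Whether the real product validates the sender of the header is not stated on this page; `client_ip_hardened` shows the usual mitigation, which is to trust the header only when the peer is a known proxy and to read the chain from the right, past the trusted hops.

```python
import ipaddress
from typing import Mapping, Optional, Sequence, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample data; these are not the original poster's addresses.
ALLOWED_NETWORKS: Sequence[Network] = [ipaddress.ip_network("203.0.113.0/24")]
TRUSTED_PROXIES: Sequence[Network] = [ipaddress.ip_network("10.0.0.0/8")]


def _parse_ip(value: str) -> Optional[IPAddr]:
    """Return the address or None when the text is not a valid IP."""
    try:
        return ipaddress.ip_address(value.strip())
    except ValueError:
        return None


def client_ip_documented(peer_ip: str, headers: Mapping[str, str],
                         header_name: Optional[str] = "X-Forwarded-For") -> IPAddr:
    """Models the behaviour described in the config comment on the page:
    use the configured header if it is present and parses, else the peer.
    Taking the left-most entry of a multi-hop header is an assumption made
    here for illustration, not documented product behaviour."""
    peer = ipaddress.ip_address(peer_ip)
    if header_name is None:
        return peer                       # no header configured: connection IP
    raw = headers.get(header_name)
    if raw is None:
        return peer                       # header missing: connection IP
    first = _parse_ip(raw.split(",")[0])
    return first if first is not None else peer   # malformed: connection IP


def client_ip_hardened(peer_ip: str, headers: Mapping[str, str],
                       trusted_proxies: Sequence[Network] = TRUSTED_PROXIES,
                       header_name: str = "X-Forwarded-For") -> IPAddr:
    """Hypothetical hardened variant: believe the header only when the TCP
    peer is one of our own proxies, then walk the chain from the right and
    skip trusted hops, so a value the client injected at the left is ignored."""
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in trusted_proxies):
        return peer                       # direct connection: peer is the client
    raw = headers.get(header_name)
    if raw is None:
        return peer                       # proxy did not send it: fall back
    hops = [_parse_ip(h) for h in raw.split(",")]
    if any(h is None for h in hops):
        return peer                       # malformed chain: fall back
    for hop in reversed(hops):
        if not any(hop in net for net in trusted_proxies):
            return hop                    # right-most hop we did not add ourselves
    return peer                           # every hop was one of our proxies


def decide(peer_ip: str, headers: Mapping[str, str], hardened: bool) -> str:
    """IP allow-list POP decision on the effective client address."""
    ip = client_ip_hardened(peer_ip, headers) if hardened \
        else client_ip_documented(peer_ip, headers)
    return "allow" if any(ip in net for net in ALLOWED_NETWORKS) else "forbidden"


if __name__ == "__main__":
    lb = "10.1.2.3"              # load balancer in front of the reverse proxy
    good = "203.0.113.7"         # allowed client
    bad = "198.51.100.9"         # client outside the allowed range
    cases = {
        "lb forwards allowed client": (lb, {"X-Forwarded-For": good}),
        "lb drops the header (the post's symptom)": (lb, {}),
        "outsider connects directly, forges header": (bad, {"X-Forwarded-For": good}),
        "outsider via lb, lb appends real address": (lb, {"X-Forwarded-For": f"{good}, {bad}"}),
    }
    for name, (peer, hdrs) in cases.items():
        print(f"{name}: documented={decide(peer, hdrs, False)} "
              f"hardened={decide(peer, hdrs, True)}")
```

The second case is what the original poster saw: without the header the decision is made on the load balancer's address, which is not in the allowed range, so the POP denies the request even though the user authenticated. The last two cases show why the header must be set by a device you control and why the left-most value should not be trusted on its own.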



  • 3.  RE: IBM Verify Identity Access - Allow authentication only from IP addresses

    Posted 28 days ago

    Thanks Jack for your prompt response. After adding the X-Forwarded-For header, it works as expected.



    ------------------------------
    Someswara Reddy Karem
    ------------------------------