We have currently configured "client-identifier = CLIENT_IP" which works and is required due to security compliance.
But after integrating Outlook with ISAM, we are facing issues where, when the user changes his network, he has to close Outlook and log in again, since the IP gets changed due to the user hopping across multiple networks.
May I know if there is any way we can bypass IP validation for specific applications?
Unfortunately there is no way to bypass client verification for specific applications/URLs. It is a global setting.
Scott A. Exton Senior Software Engineer Chief Programmer - IBM Security Verify Access IBM Master Inventor
Thank you Scott for the update.
Hi @Scott Exton,
Right now we are stuck with the Outlook application due to the behavior of the IP getting changed when the user connects to a different access point, and Verify Access shows error 403.
Is there any way I can clear the session of the user from DSC post-authentication?
Or is there any other way I can remove the user session once the token is passed to the application?
What do you mean by 'clear the session of the user'? Are you talking about a complete logout of the user session so that they are forced to authenticate again?
Yes, once the session is created and the SAML token is passed to the application, we want to log out the user, so that if there is any change in IP address the user will be challenged with authentication.
There are numerous ways available to programmatically log out a user (e.g. if you are using the DSC you can issue a DSC administration request, otherwise you can use pdadmin or an EAI) – however, I don't fully understand how this is going to help you. Are you suggesting that you want to provide the user an opportunity to log in again when their IP address changes, rather than returning a 403?