Symantec Access Management

IP Restrictions with Federation Manager vs. IP Restrictions with Federation Web Services 

Apr 13, 2015 06:20 PM

CA Single Sign-On Tech Tip by Sau Lai Wong, Senior Support Engineer for 13th April 2015


IP restrictions within a Federation Partnership let you define a restriction that applies to a policy or affiliate configuration. For example, a policy can apply only to a server at a specific IP address or host name, so an administrator can specify the server(s) that are allowed to federate.

 

With CA SiteMinder Federation Manager and CA SiteMinder Secure Proxy Server as the Federation Gateway, the client IP address is passed along with the authorization call by default. The Policy Server then checks the time, IP and user policy restrictions.

 

The following is logged in the Policy Server trace if the IP address does not match:

=========================================================================================================================

[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:778][CSmAz::TestPolicy][][][][][][][][Enter function CSmAz::TestPolicy]

[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:797][CSmAz::TestPolicy][samlsp:federation1toservicelab][][][][][][][Evaluating policy...]

[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:831][CSmAz::TestPolicy][samlsp:federation1toservicelab][][][][][][][Policy is blocked by IP address]

[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:833][CSmAz::TestPolicy][][][][][][][][Leave function CSmAz::TestPolicy]

[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:1731][CSmAz::IsOk][samlsp:federation1toservicelab][][][][][][][Policy is not applicable. Skipped.]

=========================================================================================================================
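To find these events in a larger trace file, the lines can be split into their bracketed fields and filtered on the message text. The script below is an added example, not CA code: it assumes the trace uses the same field layout as the excerpt above (third field an ID, seventh field the policy name, last field the message), and the final sample line is constructed.

```python
import re
from collections import Counter

# First five lines are the trace excerpt shown above; the last line is
# constructed for this example (hypothetical policy name and ID).
SAMPLE_TRACE = """\
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:778][CSmAz::TestPolicy][][][][][][][][Enter function CSmAz::TestPolicy]
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:797][CSmAz::TestPolicy][samlsp:federation1toservicelab][][][][][][][Evaluating policy...]
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:831][CSmAz::TestPolicy][samlsp:federation1toservicelab][][][][][][][Policy is blocked by IP address]
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:833][CSmAz::TestPolicy][][][][][][][][Leave function CSmAz::TestPolicy]
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:1731][CSmAz::IsOk][samlsp:federation1toservicelab][][][][][][][Policy is not applicable. Skipped.]
[04/09/2015][20:03:05][3492][][SmAuthorization.cpp:831][CSmAz::TestPolicy][samlsp:constructed-example][][][][][][][Policy is blocked by IP address]
"""

FIELD_RE = re.compile(r"\[([^\[\]]*)\]")
BLOCKED = "Policy is blocked by IP address"
SKIPPED = "Policy is not applicable. Skipped."

def parse_line(line):
    """Split one trace line into its bracketed fields; None if it does not fit."""
    fields = FIELD_RE.findall(line)
    if len(fields) < 8:
        return None
    # Positions follow the excerpt (assumption); a different trace field
    # configuration needs other indexes.
    return {"date": fields[0], "time": fields[1], "id": fields[2],
            "source": fields[4], "function": fields[5],
            "policy": fields[6], "message": fields[-1]}

def ip_blocked_events(trace_text):
    """Return IP-block records, each flagged if the same ID later logs the skip."""
    records = [r for r in map(parse_line, trace_text.splitlines()) if r]
    events = []
    for i, rec in enumerate(records):
        if rec["message"] != BLOCKED:
            continue
        rec["skipped"] = any(
            later["message"] == SKIPPED and later["id"] == rec["id"]
            and later["policy"] == rec["policy"] for later in records[i + 1:])
        events.append(rec)
    return events

def blocked_by_policy(trace_text):
    """Count IP-block events per policy name."""
    return Counter(e["policy"] for e in ip_blocked_events(trace_text))

if __name__ == "__main__":
    for e in ip_blocked_events(SAMPLE_TRACE):
        print(e["date"], e["time"], e["policy"], e["source"], "skipped:", e["skipped"])
```
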

 

However, with CA SiteMinder Federation Web Services (implemented with the Web Agent Option Pack), the IP checking feature is disabled by default. Hence, IP restrictions do not apply until the administrator updates one of the following ACO parameters, depending on whether persistent or transient cookies are in use:

  • If you enabled PersistentCookies, set PersistentIPCheck to yes.
  • If you did not enable PersistentCookies, set TransientIPCheck to yes.
