
Web Agent IP whitelisting in Authentication Scheme and Policy


Article ID: 189478


Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

 

When running a Web Agent, how can access to the Form Authentication
Scheme be restricted by the IP address of the calling browser?

 

Environment

 

Web Agent 12.52SP1CR10 on Apache 2.4

 

Resolution

 

At first glance, SiteMinder offers that feature only in a given Policy
(1). There you can define the hosts, subnets and IP ranges allowed to
access the resource after authentication; the restriction is evaluated
against the browser IP.

To restrict access before authentication, each Web Server has its own
mechanism that must be configured. A community thread discusses a
similar issue (2). The restriction can be applied at the Web Server
level, for example with Apache access control (3) or IIS IP address
restrictions (4).

Further, there is a feature that limits which Web Agent IP addresses
can access a given Authentication Scheme (5). It applies to the Web
Agent (Agent IP), not to the browser IP, and it is only offered for a
limited set of scheme templates (X509, Windows and Custom), not for the
plain Form template. This feature is available from 12.8 SPx Policy
Server only (6).

So, to block access to a given Authentication Scheme by browser IP,
either configure the Web Server or implement a Custom Authentication
Scheme with custom code that verifies the browser IP.
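The following is an added example of the browser-IP check that such custom code (or an equivalent web-server rule) would perform before the form scheme is reached; it is not SiteMinder or Broadcom code. The three rule forms (single host, subnet, inclusive range) mirror the choices of the Policy IP Restriction group box. The X-Forwarded-For handling, the trusted-proxy list and the sample addresses are assumptions: when the agent sits behind a gateway, the socket peer is the gateway, so the browser IP has to be taken from the forwarded header, but only when that header arrives from a proxy you control.

```python
# Browser-IP allowlist check of the kind the "custom code to verify the
# Browser IP" in a Custom Authentication Scheme (or an equivalent web-server
# rule) would perform. Added example, not SiteMinder or Broadcom code.
# The rule forms mirror the Policy IP Restriction group box; the
# X-Forwarded-For handling and the sample addresses are assumptions.
import ipaddress
from typing import Callable, Iterable, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]
Rule = Callable[[IPAddr], bool]


def parse_rule(rule: str) -> Rule:
    """Compile one allowlist entry into a predicate.

    Accepted forms: single host "10.1.2.3", subnet "10.1.0.0/16",
    inclusive range "10.1.2.10-10.1.2.20". An address of the other IP
    version never matches, so a v6 address cannot fall into a v4 range.
    """
    rule = rule.strip()
    if "-" in rule:
        lo_s, hi_s = rule.split("-", 1)
        lo = ipaddress.ip_address(lo_s.strip())
        hi = ipaddress.ip_address(hi_s.strip())
        if lo.version != hi.version or int(lo) > int(hi):
            raise ValueError(f"bad range: {rule!r}")
        return lambda ip: ip.version == lo.version and int(lo) <= int(ip) <= int(hi)
    if "/" in rule:
        net = ipaddress.ip_network(rule, strict=False)
        return lambda ip: ip in net  # version mismatch is simply False
    host = ipaddress.ip_address(rule)
    return lambda ip: ip == host


def matches_any(ip: IPAddr, rules: Iterable[Rule]) -> bool:
    return any(rule(ip) for rule in rules)


def is_allowed(ip_str: str, allowlist: Iterable[str]) -> bool:
    """True if the address matches at least one allowlist entry."""
    return matches_any(ipaddress.ip_address(ip_str), [parse_rule(r) for r in allowlist])


def client_ip(peer_addr: str, forwarded_for: Optional[str],
              trusted_proxies: Iterable[str]) -> IPAddr:
    """Resolve the browser IP for a request.

    The socket peer is authoritative unless it is one of our own trusted
    proxies (assumed: a gateway in front of the agent); only then is the
    X-Forwarded-For header consulted, walking from the right past trusted
    hops so that a client cannot prepend a fake address. A header received
    from an untrusted peer, or a malformed one, is ignored.
    """
    peer = ipaddress.ip_address(peer_addr)
    trusted = [parse_rule(p) for p in trusted_proxies]
    if not forwarded_for or not matches_any(peer, trusted):
        return peer
    for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer  # malformed header: fall back to the peer address
        if not matches_any(hop_ip, trusted):
            return hop_ip
    return peer  # every hop was a trusted proxy: nothing better than the peer


def check_request(peer_addr: str, forwarded_for: Optional[str],
                  allowlist: Iterable[str], trusted_proxies: Iterable[str]) -> dict:
    """Decide whether the request may reach the authentication scheme."""
    ip = client_ip(peer_addr, forwarded_for, trusted_proxies)
    return {"browser_ip": str(ip), "allowed": is_allowed(str(ip), allowlist)}


if __name__ == "__main__":
    # Constructed sample: a corporate subnet, a partner range and one host,
    # with the agent reached through a gateway in 10.0.0.0/8.
    ALLOW = ["198.51.100.0/24", "203.0.113.10-203.0.113.20", "192.0.2.77"]
    PROXIES = ["10.0.0.0/8"]
    samples = [
        ("10.0.0.2", "198.51.100.7, 10.0.0.9"),  # via gateway, corporate client
        ("10.0.0.2", "203.0.113.25"),            # via gateway, outside the range
        ("203.0.113.5", "198.51.100.7"),         # direct peer, spoofed header ignored
        ("192.0.2.77", None),                    # direct partner host
    ]
    for peer, xff in samples:
        print(peer, xff, "->", check_request(peer, xff, ALLOW, PROXIES))
```

Whatever the deployment, the decision must be made on the address the web server actually saw: an allowlist evaluated on an unverified X-Forwarded-For value can be bypassed by anyone who can set the header.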

 

Additional Information

 

(1) IP Restriction Group Box

    Single Host
        Indicates a restriction that is based on a single IP address.
        You can add multiple IP addresses using this option.

    IP Address
        Specifies the IP address of the single host.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/using/administrative-ui/shared-dialog-reference/ip-restriction-group-box.html

(2) Manadge IP white list with CA Access Gateway

    https://community.broadcom.com/communities/community-home/digestviewer/viewthread?MID=767213

(3) Access Control (Apache HTTP Server 2.4)

    https://httpd.apache.org/docs/2.4/en/howto/access.html

(4) IIS 8.0 Dynamic IP Address Restrictions

    https://docs.microsoft.com/en-us/iis/get-started/whats-new-in-iis-8/iis-80-dynamic-ip-address-restrictions

(5) Authentication Scheme Level IP Allowlisting

    5. Select one of the following Authentication Scheme Types that the
       authentication scheme level IP allowlisting supports:

       X509 Client Cert Template
       X509 Client Cert or Basic Template
       X509 Client Cert or Form Template
       Windows Authentication Template
       Custom Template

       Note: IP allowlist is available for a limited set of authentication
       templates.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/configuring/policy-server-configuration/authentication-schemes/authentication-scheme-level-ip-allowlisting.html

(6) Release Comparison

    IP Allowlisting, at Authentication Scheme Level, allows you to
    restrict access by validating the Agent IP address against a list of
    permitted IP addresses.

    https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/siteminder/12-8/release-notes/release-comparison.html