Web Agent IP whitelisting in Authentication Scheme and Policy
search cancel

Web Agent IP whitelisting in Authentication Scheme and Policy


Article ID: 189478


Updated On:


CA Single Sign On Secure Proxy Server (SiteMinder) CA Single Sign On Agents (SiteMinder) CA Single Sign On Federation (SiteMinder) CA Single Sign On SOA Security Manager (SiteMinder) SITEMINDER



When running a Web Agent, how to authorize access to the Form
Authentication Scheme by IP of the calling browser ?




Web Agent 12.52SP1CR10 on Apache 2.4




At first glance, SiteMinder offers that feature to be applied in a
given Policy (1) only. You can define the Host, subnet, Ip ranges
allowed to access the resource after Authentication. It's based on
browser IP.

To restrict access before Authentication, each Web Server has its own
mechanism to be implemented. Here's a thread where it has been
discussed the similar issue (2). This can be done at the Web Server
level (3)(4).

Further, there's a functionality to limit which Web Agent IP can
access a given Authentication Scheme (5). This applies to the Web
Agent or Agent IP. This doesn't apply to the Browser IP. This feature
is available from 12.8SPx Policy Server only (6).

So to block access to a given Authentication Scheme by the Browser IP,
configure the Web Server or implement a Custom Authentication Scheme
with specific custom code to verify the Browser IP.


Additional Information



    IP Restriction Group Box

      Single Host

Indicates a restriction that is based on a single IP
address. You can add multiple IP addresses using this option.

IP Address

  Specifies the IP address of the single host.



    Manadge IP white list with CA Access Gateway


    Access Control


    IIS 8.0 Dynamic IP Address Restrictions


    Authentication Scheme Level IP Allowlisting

    5. Select one of the following Authentication Scheme Types that the authentication scheme level IP allowlisting supports:

       X509 Client Cert Template
       X509 Client Cert or Basic Template
       X509 Client Cert or Form Template
       Windows Authentication Template
       Custom Template

       Note: IP allowlist is available for limited set of authentication templates



    Release Comparison

     IP Allowlisting, at Authentication Scheme Level, allows you to
     restrict access by validating the Agent IP address against a list of
     permitted IP addresses.