Configure SAML to use different auth method depending on source?

SOLVED
Mumford_
New Contributor

Configure SAML to use different auth method depending on source?

We have SAML configured now (with Google and Box.net, and some others) using RSA auth.  Is it possible to configure it such that if the user is coming from our internal network (easily distinguished by RFC1918 addresses), that they will use LDAP auth instead, but still use RSA if coming from external?  Users balk at the idea of having to use their RSA fobs when in the office at their desk, and I agree.

1 ACCEPTED SOLUTION

Accepted Solutions
jayLaiz_
Super Contributor

Re: Configure SAML to use different auth method depending on source?

Hi,

You can map the sign-in URL to 2 realms (SAML and LDAP) and apply source IP restrictions under the role.

So if the user's source IP matches the internal network, they get access to the LDAP-authenticated realm.

You can test this:

In the SAML realm, allow users to sign in from any IP address.

In the LDAP realm, allow source IPs for the internal network.

The challenge is that a user coming from the internal network can see both realms when logging in, unless, in the SAML realm, you are able to enter the source IPs of all the networks from which users may come in under source IP restrictions and deny the internal subnet.

Regards,

Jay
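To make the realm-selection behaviour in the accepted answer concrete, here is an added example (not from the original thread, and not the appliance's own configuration format) that models it in Python: one sign-in URL maps to two realms, each realm carries an ordered list of allow/deny source IP rules, and a client is offered every realm whose rules admit its address. The realm and auth-server names, the rule syntax, and the fail-closed default when no rule matches are assumptions for illustration; the two configurations modelled are the first setup in the answer (SAML open to any IP, LDAP internal only) and the refinement in its last paragraph (deny the RFC1918 ranges in the SAML realm).

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed model of the sign-in policy described in the answer. Names and
# rule syntax are illustrative assumptions, not the appliance's real schema.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass
class Realm:
    name: str
    auth_server: str
    # (action, network) pairs evaluated top to bottom; the first matching rule wins.
    rules: list = field(default_factory=list)

    def permits(self, client_ip: str) -> bool:
        ip = ipaddress.ip_address(client_ip)
        for action, network in self.rules:
            if ip in network:
                return action == "allow"
        return False  # no rule matched: deny (fail-closed default, an assumption)


def realms_offered(realms, client_ip):
    """Names of the realms the chooser would present to a client at client_ip."""
    return [r.name for r in realms if r.permits(client_ip)]


def first_attempt():
    """The answer's initial setup: SAML realm open to any IP, LDAP realm internal only."""
    saml = Realm("SAML-RSA", "rsa", [("allow", ANY)])
    ldap = Realm("Internal-LDAP", "ldap", [("allow", n) for n in RFC1918])
    return [saml, ldap]


def with_internal_denied():
    """The refinement in the last paragraph: deny the internal subnets in the SAML
    realm so internal clients are offered only the LDAP realm."""
    saml = Realm("SAML-RSA", "rsa", [("deny", n) for n in RFC1918] + [("allow", ANY)])
    ldap = Realm("Internal-LDAP", "ldap", [("allow", n) for n in RFC1918])
    return [saml, ldap]


if __name__ == "__main__":
    # Constructed sample clients: one internal (RFC1918), one external (TEST-NET-3).
    for label, realms in (("first attempt", first_attempt()), ("internal denied", with_internal_denied())):
        for ip in ("10.1.2.3", "203.0.113.9"):
            print(f"{label:16} {ip:>12} -> {realms_offered(realms, ip)}")
```

With the first configuration an internal client is offered both realms, which is the chooser Mumford_ sees in the follow-up reply; with the deny rules added, an internal client sees only the LDAP realm and an external client only the SAML realm. Ordering matters: the deny rules must precede the catch-all allow, because the first matching rule decides.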

2 REPLIES
Mumford_
New Contributor

Re: Configure SAML to use different auth method depending on source?

This actually works well.  The Realm chooser appears when the user is connecting internally, but we can just direct the user to ignore that.

The problem now is the login page itself.  Since the login page is chosen based on the URL, not on the REALM, I can't configure it to say "RSA PIN" in place of Password when the realm is RSA.
