Symantec Access Management

  • 1.  IP based authentication

    Posted Jan 31, 2017 06:47 PM

    Hello everyone, we would like to implement an authentication scheme based on IP address. For example: if a user is coming from the internet, we would like the auth scheme to be form based; if the user is on the internal network, the auth scheme should be IWA/Kerberos. Is it possible to implement this OOTB using the SPS/Policy Server combo, or do I need a custom solution with the SDK? We are running the latest versions of SiteMinder components. Thanks in advance.



  • 2.  Re: IP based authentication

    Broadcom Employee
    Posted Jan 31, 2017 07:12 PM

    Hi Sam

    The best answer for failover to HTML that I've seen is this style of one:

    Windows IWA Failover to HTML Form Login.docx 

    It's not SPS, just IIS agent and server, however. Effectively the process is that the .asp page only has permission to access the included XML resource if the user has valid NTLM credentials. If it does, they are redirected to NTLM auth; otherwise they are redirected to the forms auth.

    Previously, I've implemented a simpler method, but my .jsp page would check the client IP address range. If you do need it on the SPS machine, you could do that and deploy the checking .jsp page in the Tomcat engine.

    Resource is protected by CheckIPAuthScheme.

    My .jsp page checks the range, then redirects to the following, with handling to pass the query parameters across.

    Child auth schemes with the same level of protection as the CheckIPAuthScheme:

        IWAAuthScheme

        FORMAuthScheme

    The trick is a forms auth is just a 302 redirect to a page; that page does not need to directly be the "auth" scheme, it can just be a front end that then redirects to the real auth scheme.

    Cheers - Mark

    PS: Also looks like it is planned to be included in R12.7:

    IWA Login with Forms Fallback
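As an added illustration of the IP-range front end Mark describes (not code from the thread or from CA/Symantec), here is a Tomcat servlet that could sit behind the CheckIPAuthScheme-protected URL: it classifies the TCP peer address against internal ranges and 302-redirects to the entry point protected by IWAAuthScheme or FORMAuthScheme, carrying the query string across. The entry paths, the CIDR ranges and the class name are assumptions.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.ByteBuffer;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Front-end dispatcher deployed under the URL protected by CheckIPAuthScheme.
 * Internal clients go to the IWAAuthScheme-protected entry point, everyone else
 * to the FORMAuthScheme-protected one. Paths and ranges below are assumed values.
 */
public class AuthSchemeDispatcher extends HttpServlet {
    // Assumed internal ranges; in practice load these from configuration.
    static final String[] INTERNAL_CIDRS = {"10.0.0.0/8", "192.168.0.0/16"};
    static final String IWA_ENTRY  = "/iwa/index.jsp";   // assumed, protected by IWAAuthScheme
    static final String FORM_ENTRY = "/form/index.jsp";  // assumed, protected by FORMAuthScheme

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Use the TCP peer address. X-Forwarded-For is client-controlled and must only
        // be honoured when Tomcat's RemoteIpValve has rewritten it from a trusted proxy.
        String target = isInternal(req.getRemoteAddr()) ? IWA_ENTRY : FORM_ENTRY;
        // Pass the original query string across unchanged (e.g. the SiteMinder TARGET
        // parameter). The destination is a fixed constant, so nothing in the request
        // can turn this dispatcher into an open redirect.
        String qs = req.getQueryString();
        resp.sendRedirect(req.getContextPath() + target + (qs == null ? "" : "?" + qs));
    }

    /** True when ip is an IPv4 address inside one of INTERNAL_CIDRS; anything else is external. */
    static boolean isInternal(String ip) {
        try {
            byte[] addr = InetAddress.getByName(ip).getAddress();
            if (addr.length != 4) return false;          // IPv4 only in this example
            for (String cidr : INTERNAL_CIDRS) {
                if (inCidr(addr, cidr)) return true;
            }
        } catch (UnknownHostException e) { /* unparsable address: fail closed to forms */ }
        return false;
    }

    static boolean inCidr(byte[] addr, String cidr) throws UnknownHostException {
        String[] parts = cidr.split("/");
        int bits = Integer.parseInt(parts[1]);
        int mask = bits == 0 ? 0 : -1 << (32 - bits);   // Java masks shift counts, so guard /0
        int a = ByteBuffer.wrap(addr).getInt();
        int n = ByteBuffer.wrap(InetAddress.getByName(parts[0]).getAddress()).getInt();
        return (a & mask) == (n & mask);
    }
}
```

Because both child schemes carry the same protection level, a misclassified client only gets a different login experience rather than a weaker one; the check itself is only as trustworthy as the address Tomcat reports, so when SPS or a load balancer sits in front, configure RemoteIpValve with an explicit trusted-proxy list rather than trusting forwarded headers blindly.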