Is it possible to create a policy that restricts access to a web service *either* based on the client's IP address *or* based on client certificates? I'm not fully familiar with the TLS handshake details, but my guess is that such a requirement cannot be implemented in a single policy. While reasoning about this question, I also wondered...
- at which point exactly the policy "decides" to request a client certificate from the client. Is it correct that the decision to require a client certificate must be made before the TLS handshake takes place, so right from the start, before the first policy assertion is processed or even the Require SSL or TLS Transport assertion is processed?
- Supposing that this is true, does it matter at all where the Require SSL or TLS Transport assertion is placed in the policy?
- Is there an alternative solution to building two different services, one that restricts access solely based on client IPs and a second one that does so based on (mandatory) client certificates?
Thanks in advance.
Kind regards, Christof
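As an added illustration in plain TLS terms (it is not from the post above and not the configuration of any particular gateway product), the following Python `ssl` sketch shows the two layers the question is about: whether a client certificate is requested is a handshake-level setting, fixed before any request-level policy can run, while the "IP allowlisted OR trusted certificate" decision is made afterwards in application code. The allowlist, the trusted subject CN and the CA bundle path are constructed assumptions.

```python
import ipaddress
import ssl
from typing import Optional

# Constructed allowlist for the IP branch of the rule (example values, not from the post).
ALLOWED_NETWORKS = [ipaddress.ip_network("192.0.2.0/24"), ipaddress.ip_network("10.0.0.0/8")]
# Constructed set of client certificate subject CNs accepted by the certificate branch.
TRUSTED_SUBJECT_CNS = {"partner-client"}


def make_server_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context that REQUESTS a client certificate during the handshake
    but does not fail the handshake when none is sent (CERT_OPTIONAL).
    A certificate that is sent is still verified against the CA bundle, so an
    invalid certificate aborts the handshake; only absence is tolerated.
    This choice has to be made here, before a single application request exists."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.CLIENT_AUTH, cafile=ca_bundle)
    ctx.verify_mode = ssl.CERT_OPTIONAL
    return ctx


def subject_cn(peer_cert: Optional[dict]) -> Optional[str]:
    """Extract the commonName from the dict returned by SSLSocket.getpeercert().
    getpeercert() yields None when no certificate was presented and an empty
    dict when one was received but not validated; both count as 'no identity'."""
    if not peer_cert:
        return None
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def authorize(peer_ip: str, peer_cert: Optional[dict]) -> bool:
    """Application-layer rule evaluated after the handshake has completed:
    allow if the source IP is in the allowlist OR a verified client certificate
    with a trusted CN was presented. Clients matching neither are rejected."""
    ip = ipaddress.ip_address(peer_ip)
    if any(ip in net for net in ALLOWED_NETWORKS):
        return True
    return subject_cn(peer_cert) in TRUSTED_SUBJECT_CNS
```

In a real server, `peer_ip` comes from the accepted socket's address and `peer_cert` from `SSLSocket.getpeercert()` once `wrap_socket` has finished the handshake.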