IP address ranges allow you to define the login options available to users accessing your portal from any device that falls within the specified IP address range. EmpowerID provides three IP address range types that you can configure. These include the Internal, External and Blacklisted ranges. When you create an IP address range, you choose the type and specify the beginning and ending IP addresses for that range. Once you create the IP address range, you can apply it to your login policies and any federated applications you may use. Example usages could include:
Configuring the login policy settings of a Password Manager policy to require users to accumulate a specific number of multi-factor authentication trust points to access their accounts based on their IP address. You could require internal network users to accumulate one trust point while users outside of your network might need to acquire two or more points.
You could create an Internal IP address range for your network users and allow them to log in using Windows authentication only.
If you have partner organizations using the EmpowerID Remote Windows Identity Provider to authenticate against your domain, you could create an IP address range for the public IPs for each of those partners, allowing their users to log in using the Remote Windows IdP only.
You could create an External IP address range for users outside of your network and give those users the option to choose to authenticate using EmpowerID forms auth, one or more trusted social media applications or a combination of both EmpowerID forms auth and social media logins.
You could create a range of known blacklisted IP addresses to deny users with those addresses from accessing your environment.
If you do not create any IP address ranges, EmpowerID treats all login attempts as originating from outside your network (external logins). This is important to note in the event your login policy requires multi-factor authentication and you have set the number of trust points differently for internal versus external users. In this case, EmpowerID would consider your network users to be external and require them to accumulate the trust points you set for external users.
Login options set on IP address ranges take precedence over login options set on IdP Domains. For example, if you create an IP address range for internal users and configure it to only allow Windows auth and create an IdP Domain for your internal network with login options for Windows auth as well as several social media logins, your internal users will not see the social media logins.
If an IP address belongs to two overlapping ranges, one of which is internal and the other external, EmpowerID considers the IP to be external.
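The classification rules above (no matching range means external, and an internal/external overlap resolves to external) can be modeled to audit a planned set of ranges before entering them. This is an added example, not EmpowerID code: `IPRange`, `classify` and `demoting_overlaps` are hypothetical names, the sample ranges are constructed, and letting a blacklisted match win over any other match is an assumption the page does not state.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class IPRange:
    name: str
    kind: str   # "internal", "external" or "blacklisted"
    start: str
    end: str

    def bounds(self):
        return ipaddress.ip_address(self.start), ipaddress.ip_address(self.end)

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        lo, hi = self.bounds()
        # An IPv4 address never falls inside an IPv6 range, and vice versa.
        return addr.version == lo.version and lo <= addr <= hi

def classify(ip, ranges):
    """Return the effective range type for ip under the rules described above."""
    kinds = {r.kind for r in ranges if r.contains(ip)}
    if "blacklisted" in kinds:   # assumption: a deny match wins over any other
        return "blacklisted"
    if "external" in kinds:      # internal/external overlap resolves to external
        return "external"
    if "internal" in kinds:
        return "internal"
    return "external"            # no match, or no ranges defined at all

def demoting_overlaps(ranges):
    """List (internal, external) range names whose address spans intersect."""
    pairs = []
    for a in ranges:
        for b in ranges:
            if a.kind == "internal" and b.kind == "external":
                (alo, ahi), (blo, bhi) = a.bounds(), b.bounds()
                if alo.version == blo.version and alo <= bhi and blo <= ahi:
                    pairs.append((a.name, b.name))
    return pairs

# Constructed sample ranges (RFC 1918 and documentation address blocks).
RANGES = [
    IPRange("corp-lan", "internal", "10.0.0.0", "10.0.255.255"),
    IPRange("guest-wifi", "external", "10.0.50.0", "10.0.50.255"),
    IPRange("blocked", "blacklisted", "198.51.100.0", "198.51.100.255"),
]

if __name__ == "__main__":
    for ip in ("10.0.1.5", "10.0.50.7", "192.0.2.1", "198.51.100.9"):
        print(ip, classify(ip, RANGES))
    print(demoting_overlaps(RANGES))
```

Any pair reported by `demoting_overlaps` marks internal addresses that would be held to the external trust-point and login-option settings.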
To create IP Address Ranges
From the navigation sidebar, expand Single Sign-On > SSO Connections and click SSO Components.
On the SSO Components page, click the IP Address Range tab and then click the Add IP Address Range (+) button.
From the General tab of the IP Address Range Details form that appears, do the following:
Type a name and display name in the Name and Display Name fields, respectively.
Select whether the range is an Internal Range, Blacklisted, or should include All IPs not within start and end range. In our example, we are creating an internal range.
Enter the starting IP address and the ending IP address in the Start IP Address and the End IP Address fields, respectively.
Optionally, click the Identity Provider type tabs and select each Identity Provider that you want to appear to users as a login option for the IP address range. Identity Provider type tabs include the following:
SAML Identity Providers — SAML identity providers are services that support SAML transactions for identity proofing and SSO. Examples include Windows authentication, the EmpowerID IdP and Smart Card authentication.
WS-Fed Identity Providers — WS-Fed identity providers are services that support the use of WS-Security tokens for identity proofing and SSO. A popular example is Office 365.
OAUTH Identity Providers — OAuth identity providers are services that support the OAuth protocol for identity proofing. Popular examples include Social Media logins like Facebook, Twitter and LinkedIn.
In our example, we want network users to log in using Windows authentication only, so we have selected Windows from the SAML Identity Providers tab.
When ready, click Save to create the IP address range.