IP Restrictions with Federation Manager vs. IP Restrictions with Federation Web Services

Document ID : KB000030413
Last Modified Date : 14/02/2018

IP restrictions within a Federation Partnership let you define a restriction that applies to a policy or affiliate configuration. For example, a policy can apply only to a server at a specific IP address or host name, so an administrator can specify exactly which server(s) are allowed to federate.

With CA SiteMinder Federation Manager and CA SiteMinder Secure Proxy Server acting as the Federation Gateway, the client IP address is passed along with the authorization call by default. The Policy Server then enforces the time, IP and user restrictions defined on the policy.

If the client IP address does not match the restriction, the Policy Server trace log records the following (the policy is marked as not applicable rather than denied, so the request simply finds no matching policy):

=========================================================================================================================
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:778][CSmAz::TestPolicy][][][][][][][][Enter function CSmAz::TestPolicy]
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:797][CSmAz::TestPolicy][samlsp:federation1toservicelab][][][][][][][Evaluating policy...]
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:831][CSmAz::TestPolicy][samlsp:federation1toservicelab][][][][][][][Policy is blocked by IP address]
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:833][CSmAz::TestPolicy][][][][][][][][Leave function CSmAz::TestPolicy]
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:1731][CSmAz::IsOk][samlsp:federation1toservicelab][][][][][][][Policy is not applicable. Skipped.]
=========================================================================================================================
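To find this condition in a larger Policy Server trace rather than reading it by eye, the following is an added Python example, not part of the original article and not a CA tool. It parses the bracketed trace format shown above and reports every policy evaluation that ended with "Policy is blocked by IP address". The field positions (policy name in the seventh bracket, message in the last) are inferred from the excerpt above; the sample input is constructed from that excerpt plus one assumed line for a second partner so the filter has something to ignore.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed sample input: the trace excerpt from the article, plus one
# assumed, unrelated "Evaluating policy..." line for a second partner.
SAMPLE_TRACE = """\
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:778][CSmAz::TestPolicy][][][][][][][][Enter function CSmAz::TestPolicy]
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:797][CSmAz::TestPolicy][samlsp:federation1toservicelab][][][][][][][Evaluating policy...]
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:831][CSmAz::TestPolicy][samlsp:federation1toservicelab][][][][][][][Policy is blocked by IP address]
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:833][CSmAz::TestPolicy][][][][][][][][Leave function CSmAz::TestPolicy]
[04/09/2015][20:02:48][3488][][SmAuthorization.cpp:1731][CSmAz::IsOk][samlsp:federation1toservicelab][][][][][][][Policy is not applicable. Skipped.]
[04/09/2015][20:03:10][3490][][SmAuthorization.cpp:797][CSmAz::TestPolicy][samlsp:otherpartner][][][][][][][Evaluating policy...]
"""

# Every trace field is a bracketed token; empty brackets are still fields.
FIELD_RE = re.compile(r"\[([^\]]*)\]")

# Exact message emitted by CSmAz::TestPolicy when the IP restriction fails
# (taken from the excerpt above).
IP_BLOCK_MSG = "Policy is blocked by IP address"


@dataclass
class TraceEvent:
    date: str
    time: str
    thread: str
    source: str    # e.g. "SmAuthorization.cpp:831"
    function: str  # e.g. "CSmAz::TestPolicy"
    policy: str    # e.g. "samlsp:federation1toservicelab", may be empty
    message: str


def parse_trace_line(line: str) -> Optional[TraceEvent]:
    """Split one trace line into its bracketed fields.

    Field positions are assumed from the article's excerpt: date, time,
    thread, (empty), source, function, policy, ..., message last.
    Returns None for lines that do not look like a trace record.
    """
    fields = FIELD_RE.findall(line.strip())
    if len(fields) < 8:
        return None
    return TraceEvent(
        date=fields[0],
        time=fields[1],
        thread=fields[2],
        source=fields[4],
        function=fields[5],
        policy=fields[6],
        message=fields[-1],
    )


def find_ip_blocked_policies(lines: Iterable[str]) -> List[TraceEvent]:
    """Return the events where a policy was skipped because of its IP restriction."""
    events = (parse_trace_line(line) for line in lines)
    return [ev for ev in events if ev is not None and ev.message == IP_BLOCK_MSG]


def summarize_ip_blocks(lines: Iterable[str]) -> Dict[str, int]:
    """Count IP-blocked evaluations per policy name, for a quick triage view."""
    return dict(Counter(ev.policy for ev in find_ip_blocked_policies(lines)))


if __name__ == "__main__":
    for ev in find_ip_blocked_policies(SAMPLE_TRACE.splitlines()):
        print(f"{ev.date} {ev.time} thread={ev.thread} policy={ev.policy} "
              f"blocked at {ev.source}")
    print(summarize_ip_blocks(SAMPLE_TRACE.splitlines()))
```

Run it against a real smtracedefault.log by replacing SAMPLE_TRACE with the file's lines; a policy that shows up here while the partner insists its address is allowed usually means the gateway is not forwarding the client IP, or the restriction names a host whose resolved address differs from the one the Policy Server sees.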


However, with CA SiteMinder Federation Web Services (implemented with the Web Agent Option Pack), IP checking is disabled by default. IP restrictions therefore do not take effect until the administrator enables one of the following Agent Configuration Object (ACO) parameters, depending on whether a persistent or a transient cookie is in use:


  • If you enabled PersistentCookies, set PersistentIPCheck to yes.
  • If you did not enable PersistentCookies, set TransientIPCheck to yes.