EasySSO supports both whitelists and blacklists to allow you to control which client machines will be permitted to use single sign-on.

Important

If a client machine's IP is matched by both the whitelist and the blacklist, it will be treated as whitelisted.

Why do I need this?

If you have external users that don't use your internal AD, you will want to disable EasySSO for these users, as seamless SSO would fail and they would be prompted for a username and password that would always fail.

For example, you would normally disable EasySSO on a guest WiFi, as it's very unlikely that the guests would be using your internal credentials.

EasySSO also needs to be disabled for automated solutions, for instance a wallboard reporting service that uses a service account to authenticate itself.

If you are part of a large organisation with two sub-nets/divisions and you don't want to offer EasySSO to one of them, you can use filtering by IP sub-net. For example, as a result of a merger, normally the separate domains would trust each other, users from one domain would be allowed to access services in another domain, and EasySSO would normally succeed. If this is not the case, IP filtering allows you to segment the network and offer SSO only to one domain.

 

Whitelist or blacklist client machines

EasySSO 4.0+

  1. In the EasySSO configuration screen click NTLM/Kerberos.
  2. Click 'Advanced Configuration' on the top-right and switch to the 'IP Filtering Configuration' tab.

 

EasySSO prior to 4.0.0

  1. In the EasySSO configuration screen switch to the "IP Filtering Configuration" tab.

Create IP or hostname based rules (supports multiple rules, one per line)

Enter individual IP, IP ranges, networks (CIDR notation) or hostnames.
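
A pre-deployment check for rule lists like the ones described above, as an added example that is not part of the EasySSO documentation or product code: it parses single-IP and CIDR rules, applies the whitelist-wins rule stated on this page, and reports blacklist entries that overlap a whitelist entry. The rule values are constructed; IP ranges, hostnames, and the treatment of clients that match neither list are outside what it models.

```python
import ipaddress

# Constructed sample rules, one per line as on the configuration tab.
# Only single IPs and CIDR networks are handled in this example.
WHITELIST = """
10.20.0.0/16
192.0.2.15
"""
BLACKLIST = """
10.20.99.0/24
198.51.100.0/24
"""

def parse_rules(text):
    """Turn one-rule-per-line text into a list of ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            # A bare IP becomes a /32 (or /128) network; strict=False
            # tolerates host bits set in a CIDR rule such as 10.20.1.5/16.
            nets.append(ipaddress.ip_network(line, strict=False))
    return nets

def classify(client_ip, whitelist, blacklist):
    """Return 'whitelisted', 'blacklisted' or 'unlisted' for one client IP."""
    ip = ipaddress.ip_address(client_ip)
    in_white = any(ip in n for n in whitelist)
    in_black = any(ip in n for n in blacklist)
    if in_white:  # matched by both lists -> whitelist wins (rule from the page)
        return "whitelisted"
    if in_black:
        return "blacklisted"
    return "unlisted"  # what happens to these clients is not modelled here

def shadowed_blacklist_rules(whitelist, blacklist):
    """Blacklist rules that overlap a whitelist rule, so are at least partly overridden."""
    return [(str(b), str(w)) for b in blacklist for w in whitelist
            if b.version == w.version and b.overlaps(w)]

if __name__ == "__main__":
    wl, bl = parse_rules(WHITELIST), parse_rules(BLACKLIST)
    for ip in ("10.20.99.7", "198.51.100.20", "10.20.3.4", "203.0.113.9"):
        print(ip, classify(ip, wl, bl))
    for b, w in shadowed_blacklist_rules(wl, bl):
        print(f"blacklist rule {b} overlaps whitelist rule {w}")
```

In the constructed data, the blacklisted 10.20.99.0/24 sits inside the whitelisted 10.20.0.0/16, so clients in it are still treated as whitelisted; narrowing the whitelist entry is the way to make such a blacklist rule effective.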


Alternatively – use regular expressions

The whitelist and blacklist can also be configured using Java regular expressions, which allows an even more flexible way to define rules matching IP addresses.


DNS Refresh Interval / Host based filtering rules:

For convenience, EasySSO allows hostnames to be specified in both whitelist and blacklist.  The actual filtering is done based on IP addresses, so EasySSO must look up the hostname in DNS before it can apply the filters.

EasySSO caches the results of the lookup to reduce the load on the DNS service and minimise delays associated with DNS lookups. The DNS Refresh Interval defines how long EasySSO should rely on the cached entries before it updates them from DNS.

 
