How to secure a particular user to only come from certain IP(s)?

bpippert
Tera Guru

Currently, we have our environment set up to use IP Address Access Control to only allow users that are on our network. We would like to open up our environment so people can get to it from anywhere, but if they are not on our network, it would require multi-factor authentication.

To do this, we were thinking:

1. Disable IP Address Access Control

2. Set up Multi-SSO and force all regular accounts to use this. We would then set up our SSO provider to force multi-factor authentication if the person was coming from an IP outside of our network.

3. Set up Multifactor Authentication and force the admin accounts to always use that.

The above would take care of everything but one account. We have an account that is used to make web-service calls to ServiceNow to create incidents from a third-party scheduling tool. Does anyone know a way to restrict it so this one account can only be used if the call is originating from our network IP? If not, that leaves this account open to a simple username/password guess from anywhere in the world. We can't set up this account as multi-factor since it is used for integration from one system to another. This account would only be used for calls between third-party systems and ServiceNow, within our network.

1 ACCEPTED SOLUTION

bpippert
Tera Guru

The solution that appears to work for this is:

1. Put in logic in an Installation Exit to evaluate the IP of the client. This logic takes care of all interactive logins. In the Installation Exit, the following code can be used to determine the IP of the user trying to connect:

    var clientIP = gs.getSession().getClientIP().toString();

2. Put in logic in the BasicAuth script include to evaluate the IP of the client. This logic takes care of things like ODBC connections and SOAP calls. In the script include, the following code can be used to determine the IP of the user trying to connect:

    var clientIP = GlideTransaction.get().getRemoteAddr().toString();


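A worked version of the source-IP check that both hooks in the accepted solution would call, added here as an example; it is not code from the original post or from ServiceNow. Only the two IP accessors (gs.getSession().getClientIP() and GlideTransaction.get().getRemoteAddr()) come from the post. The account name, the CIDR ranges and the wiring shown in comments are assumptions, and the ServiceNow objects are left as comments because they do not exist outside the platform; the rest runs stand-alone in Node.js and is written in ES5 so it would also load in a server-side script include.

```javascript
'use strict';

// Policy (assumed values, not from the original post): the integration
// account may authenticate only from the corporate egress ranges. Because a
// hosted instance sees the public NAT address of the corporate network, the
// allowlist holds those egress ranges, not internal RFC 1918 space.
// Accounts not listed here are unrestricted by this check; interactive users
// are covered by SSO/MFA as the accepted solution describes.
var NETWORK_ALLOWLIST = {
  'svc_scheduler_integration': ['203.0.113.0/24', '198.51.100.10/32']
};

// Parse a dotted-quad IPv4 string into an unsigned 32-bit integer, or return
// null for anything that is not well-formed IPv4 (IPv6, hostnames, garbage).
function parseIPv4(text) {
  if (typeof text !== 'string') return null;
  var parts = text.trim().split('.');
  if (parts.length !== 4) return null;
  var value = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i])) return null;
    var octet = parseInt(parts[i], 10);
    if (octet > 255) return null;
    value = (value * 256) + octet;
  }
  return value >>> 0;
}

// Parse "a.b.c.d/n" into {network, mask}; a bare address is treated as /32.
function parseCidr(cidr) {
  var pieces = String(cidr).split('/');
  var base = parseIPv4(pieces[0]);
  var bits = pieces.length === 2 ? parseInt(pieces[1], 10) : 32;
  if (base === null || isNaN(bits) || bits < 0 || bits > 32) return null;
  var mask = bits === 0 ? 0 : (0xFFFFFFFF << (32 - bits)) >>> 0;
  return { network: (base & mask) >>> 0, mask: mask };
}

// True only when ip is a valid IPv4 address inside one of the CIDRs.
// Network arithmetic avoids the string-prefix trap in which a check for
// "10.1." would also accept 10.100.x.x.
function ipInCidrList(ip, cidrs) {
  var addr = parseIPv4(ip);
  if (addr === null) return false;
  for (var i = 0; i < cidrs.length; i++) {
    var range = parseCidr(cidrs[i]);
    if (range && ((addr & range.mask) >>> 0) === range.network) return true;
  }
  return false;
}

// Decision shared by both hooks. Returns {allow, reason} so the caller can
// log denials. A restricted account with a missing, IPv6 or unparseable
// client address is denied (fail closed) rather than let through.
function evaluateLogin(userName, clientIP) {
  var cidrs = NETWORK_ALLOWLIST[userName];
  if (!cidrs) return { allow: true, reason: 'account not IP-restricted' };
  if (ipInCidrList(clientIP, cidrs)) {
    return { allow: true, reason: 'source IP on allowlist' };
  }
  return {
    allow: false,
    reason: 'source IP ' + String(clientIP) + ' not on allowlist for ' + userName
  };
}

// Assumed wiring inside the two hooks from the accepted solution (not
// verified against an instance; only the two IP accessors are from the post):
//
//   // Installation Exit (interactive logins):
//   var ip = gs.getSession().getClientIP().toString();
//   var verdict = evaluateLogin(userName, ip);
//
//   // BasicAuth script include (SOAP/REST/ODBC):
//   var ip = GlideTransaction.get().getRemoteAddr().toString();
//   var verdict = evaluateLogin(user, ip);
//
//   if (!verdict.allow) { gs.log('Login denied: ' + verdict.reason); /* reject the login */ }
```

The check belongs before the password is verified so a guessed credential from off-net never reaches the credential path, and denials should be logged with the source IP so brute-force attempts against the integration account stay visible. If the platform ever reports the address in IPv6 form, this example denies it; extend parseIPv4 before relying on it in that case.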

6 REPLIES

It appears as though the code to alter is the BasicAuth Script Include. However, I can't seem to figure out a way to get the Client IP in this script. I have tried the following code (which works in the Installation Exit) with no success:

    var clientIP = gs.getSession().getClientIP().toString(); // Get their IP address

Does anyone know how to get the Client IP in this script include, without using third-party sites, etc.? We would like to be able to do it with native SN variables, functions, objects, etc.

