Having difficulty configuring Adaptive Authentication policies
01-04-2023 06:44 AM
Hi All!
We are considering moving from IP Address Restrictions to Adaptive Authentication for all the obvious reasons. But I am having some trouble getting it to do exactly what I want.
The scenario I am shooting for is as follows:
Pre-authentication:
Everyone can log in to the instance from any IP (with appropriate credentials, of course). ✔️
Post-authentication:
Users located within a (set of) IP ranges are allowed ✔️
OR
Registered mobile devices are allowed to access the mobile app from anywhere ✔️
OR
Users with a certain role are allowed to log in from anywhere ✔️ (e.g. for inbound REST APIs)
This all works.
I would like to create a default deny on all inbound REST APIs except for the users with the before-mentioned role. At this moment it seems anyone with a valid account can access the REST APIs (e.g. Table API).
This document:
mentions a global blocking policy for APIs, but I can only find a global blocking policy under authentication policies -> all policies, not a specific one for APIs.
What am I missing here?
Regards,
Frank
02-19-2023 11:38 PM
Thanks for the follow-up Randheer.
This will prevent us from having to create and maintain all these individual policies. We are having some issues with them currently but we are already working with Support on these.
02-22-2023 06:32 AM
Can anyone tell me how I use Adaptive Auth to restrict a certain portal to only specific IP addresses while the others are open for all to access?
09-19-2023 02:45 PM - edited 09-19-2023 02:46 PM
My security configuration is very similar to yours, so I just wanted to weigh in with my experience as well.
I've done a significant amount of testing, and found that REST API traffic is only checked at the Pre-Auth policy level. After it has passed that, it doesn't even check the post auth policy at all. This is very confusing and misleading - but how it actually seems to work. You can verify this by using a REST API user without the role in the condition you mentioned.
For solving access to particular APIs, it seems like REST API Access Policy and REST Endpoint ACLs would be the proper mechanism to configure, as Randheer was mentioning.
Additionally, you can lock down entire tables via table config, and endpoints via Quota rules and other mechanisms.
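The following is an added example, not code from the thread or from ServiceNow: a constructed JavaScript model of the decisions described in Frank's original post (pre-auth allows everyone, post-auth allows an IP range OR a registered mobile device OR a role) and of the behaviour reported in the last reply (REST traffic is only evaluated at pre-auth, so a post-auth role condition never restricts it). The CIDR ranges, the role name `rest_api_integration`, the request object shape and the per-endpoint ACL table are all assumptions for the example; the product's real policy engine and its APIs are not represented here.

```javascript
// Constructed model (added example, not ServiceNow code) of the adaptive
// authentication decisions discussed in this thread. ALLOWED_CIDRS, API_ROLE,
// REST_ENDPOINT_ACL and the request fields are assumptions for the example.

const ALLOWED_CIDRS = ["10.0.0.0/8", "203.0.113.0/24"]; // constructed office ranges
const API_ROLE = "rest_api_integration";                 // hypothetical role name

// Convert a dotted-quad IPv4 address to an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  return parts.reduce((acc, p) => {
    const n = Number(p);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error("bad octet: " + p);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

// True when ip lies inside the CIDR block (e.g. "10.0.0.0/8").
function inCidr(ip, cidr) {
  const [base, bitsStr] = cidr.split("/");
  const bits = Number(bitsStr);
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) throw new Error("bad prefix: " + cidr);
  // A shift by 32 is a no-op in JS, so /0 is special-cased.
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(base) & mask) >>> 0);
}

// Pre-authentication condition from the original post: anyone may attempt a login.
function preAuthAllowed(req) {
  return true;
}

// Post-authentication conditions from the original post; any one of them allows the session.
function postAuthAllowed(req) {
  const fromAllowedRange = ALLOWED_CIDRS.some((c) => inCidr(req.ip, c));
  const registeredMobile = req.channel === "mobile" && req.deviceRegistered === true;
  const hasApiRole = req.roles.includes(API_ROLE);
  return fromAllowedRange || registeredMobile || hasApiRole;
}

// Session flow as reported in the last reply: REST requests are only evaluated at
// the pre-auth stage, so the post-auth role condition is never applied to them.
function adaptiveAuthDecision(req) {
  if (!preAuthAllowed(req)) return "deny";
  if (req.channel === "rest") return "allow"; // post-auth policy skipped for REST
  return postAuthAllowed(req) ? "allow" : "deny";
}

// Separate REST access control, the mechanism the last reply points to, modelled
// here as a per-endpoint role requirement with default deny for unlisted endpoints.
// The table below is constructed for the example.
const REST_ENDPOINT_ACL = { "/api/now/table": [API_ROLE] };

function restAccessAllowed(req) {
  const required = REST_ENDPOINT_ACL[req.endpoint];
  if (!required) return false;
  return required.some((r) => req.roles.includes(r));
}

// Combined check: a REST request must pass both the session flow and the endpoint ACL.
function overallDecision(req) {
  if (adaptiveAuthDecision(req) === "deny") return "deny";
  if (req.channel === "rest") return restAccessAllowed(req) ? "allow" : "deny";
  return "allow";
}
```

Run with a few constructed requests to see the gap the thread describes: a REST caller without the role from an outside address passes `adaptiveAuthDecision` because the post-auth policy is never consulted, and is only stopped by the endpoint-level check in `restAccessAllowed`.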