March 12, 2018 at 6:24 pm #21182 Nav Participant
I configured an Authentication chain with a combination of DataStore+OTP+AdaptiveAuthentication modules. However, I am using only “IPAddress Range” in the adaptive authentication module. But the module is not really evaluating the source IP address of the client. The module is successful even when I try to access this from a different IP address that is not specified in the IP address range, and the resource is served.
Does this “Adaptive module with IP Address Range check” need any additional configuration to work properly?
PS: I am using OpenAM 13.0 for this use case.
Nav
March 13, 2018 at 3:39 am #21188 grk Participant
Is your OpenAM behind a load balancer or proxy? If yes, make sure the LB/proxy is passing the X-Forwarded-For header to get the client IP. Also, add com.sun.identity.authentication.client.ipAddressHeader to X-Forwarded-For under Deployment > Servers > Server Name > Advanced.
If it is not behind an LB/proxy, make sure the range is set properly in one of the formats below:
1. X.X.X.X/YY OR
Thanks,
March 13, 2018 at 9:26 pm #21193 Nav Participant
Thanks for your reply. The issue is basically due to misconfiguration of the Risk score. I have enabled only the “IP Address range” check and have the risk score incremented by 1. But the overall Risk threshold is set to 3, which is not met by just one failure. I have corrected the Risk Threshold score and now it works fine.
Nav
March 14, 2018 at 4:53 am #21196 grk Participant
Glad you figured it out. Thanks for sharing.
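
The misconfiguration resolved in this thread, modelled as an added sketch (not OpenAM code and not posted by either participant): one IP range check worth 1 point can never trip a threshold of 3. The function names, the sample range and addresses, the corrected threshold of 1 and the "score reaches threshold" comparison are all assumptions made for illustration.

```python
import ipaddress

def ip_in_ranges(client_ip, ranges):
    """True if client_ip falls inside any CIDR range (X.X.X.X/YY form)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in ipaddress.ip_network(r, strict=False) for r in ranges)

def risk_score(client_ip, checks):
    """Sum the scores of every enabled check that the request fails."""
    total = 0
    for check in checks:
        if check["type"] == "ip_range" and not ip_in_ranges(client_ip, check["ranges"]):
            total += check["score"]
    return total

def module_passes(client_ip, checks, threshold):
    # Assumption: the module fails once the summed score reaches the threshold.
    return risk_score(client_ip, checks) < threshold

def threshold_reachable(checks, threshold):
    """Audit helper: can the enabled checks ever add up to the threshold?"""
    return sum(c["score"] for c in checks) >= threshold

# Constructed sample configuration: a single IP range check worth 1 point.
CHECKS = [{"type": "ip_range", "ranges": ["10.0.0.0/8"], "score": 1}]
OUTSIDE = "203.0.113.7"  # constructed client address outside the allowed range
INSIDE = "10.1.2.3"      # constructed client address inside the allowed range

if __name__ == "__main__":
    # Threshold 3 is the value from the thread; 1 is a constructed corrected value.
    for threshold in (3, 1):
        print("threshold", threshold,
              "reachable:", threshold_reachable(CHECKS, threshold),
              "outside passes:", module_passes(OUTSIDE, CHECKS, threshold),
              "inside passes:", module_passes(INSIDE, CHECKS, threshold))
```

Running the reachability check over every configured chain flags adaptive modules whose enabled checks cannot add up to the threshold and therefore always succeed.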