By: Alex Muchiri user 22 Sep 2020 at 10:33 a.m. CDT

I want to set up SSO with Gluu, where I will use RBAC to determine which user can access which resource in my organisation. I already have IP-based authentication for some sensitive services such as the admin portal, which can only be accessed from a VPN. I am worried I may have to lose this security if I set up Gluu as my authentication method. Is there a way I can configure my Gluu server to filter out traffic, say to my admin resources, based on an IP address?

By Michael Schwartz staff 22 Sep 2020 at 12:58 p.m. CDT

You will probably need some kind of HTTP proxy like [mod_auth_openidc](https://github.com/zmartzone/mod_auth_openidc), where you could do something like

```apache
<Location /user>
    AuthType openid-connect
    # Apache 2.4 treats sibling Require lines as RequireAny (OR), so the
    # intended rule is grouped explicitly: a logged-in user with either scope.
    <RequireAll>
        Require valid-user
        <RequireAny>
            Require claim scope:user
            Require claim scope:admin
        </RequireAny>
    </RequireAll>
</Location>
<Location /admin>
    AuthType openid-connect
    # On an authorization failure, re-authenticate and ask for the admin scope.
    OIDCUnAutzAction auth
    OIDCPathScope admin
    <RequireAll>
        Require valid-user
        Require claim scope:admin
    </RequireAll>
</Location>
```

And then you'd have to make sure that only the admin users get this scope. This could perhaps be accomplished with a Gluu Server dynamic scope script. In terms of IP Address, you have the remote IP in the authentication context. See the [allowed country script](https://github.com/GluuFederation/oxAuth/blob/master/Server/integrations/allowed_countries/allowed_countries.py). So the answer is yes... but it will require some creativity, and some knowledge about how to use the Gluu Server interception scripts effectively. If you test a working solution, please post it here for the community's benefit!
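Taking the `/admin` location one step further, as an added example that is not part of the reply above and not Gluu project code: the VPN address check the question asks about can be enforced in the same Apache configuration alongside the scope claim, so a stolen session still fails outside the VPN. The VPN range `10.8.0.0/24` and the `scope` claim name are assumptions.

```apache
# Added example: /admin requires both an admin scope claim from the OpenID
# Connect session and a client address inside the VPN range.
# 10.8.0.0/24 is a placeholder for the organisation's VPN address pool.
<Location /admin>
    AuthType openid-connect
    # A caller outside the VPN cannot fix this by logging in again, so fail
    # closed with 403 rather than redirecting back to the OpenID Provider.
    OIDCUnAutzAction 403
    <RequireAll>
        Require valid-user
        Require claim scope:admin
        Require ip 10.8.0.0/24
    </RequireAll>
</Location>
```

If Apache sits behind a load balancer or reverse proxy, `Require ip` sees the proxy's address, so mod_remoteip (`RemoteIPHeader` together with `RemoteIPInternalProxy` for the proxy's own address) is needed so that only that trusted hop can supply the client address.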

By Alex Muchiri user 22 Sep 2020 at 2:12 p.m. CDT

From what I understand, this seems like something that is to be implemented at the web-server level, but I'll need to trade off the fact that a hacker could steal and successfully obtain an access token, while my web server will not allow it since they are not using the correct IP. It is a bit of a trade-off because I had isolated admin resources from other user resources, and that included the login.

By Michael Schwartz staff 22 Sep 2020 at 2:18 p.m. CDT

First of all, SSO does not work with an access token--it uses the session cookie in the browser. Second, the Authorization Server is not in the web flow. To enforce policies on web sites, you need something that is between the browser and the web site you are protecting. An IDP or OAuth Authorization server is not what you think. You may want to read my book [Securing the Perimeter](https://gluu.co/book)