Allowing Only Network Users to Access Custom Single Sign-On (SSO) Applications in SailPoint IdentityNow
Authenticated IdentityNow users can be prevented from launching "custom" Single Sign-On (SSO) applications when they are not on the corporate network. Only users whose session originates from an address range you have defined as the corporate network can launch such custom Apps; authentication to IdentityNow itself is unaffected.
There are two steps required to configure this capability: the custom app definition and the network settings.
Configuring Custom App Definition
Log on as an Administrator and navigate to Admin > Applications > Custom App > Settings > Advanced Configuration.
Click the "Edit" button, locate the sso tag within the XML app definition and manually change the offNetwork configuration setting to supported='false'. The sso tag of the app definition begins as follows (the offNetwork setting itself sits inside this sso element and is not reproduced in the fragment):
<sso name='Custom App 1' enableSso='true' ssoMethod='SAML' importAction='overwrite'>
<description>This is a placeholder App for testing</description>
Click the "Save" button when done. Repeat this for each custom App that should be restricted; the setting is per App, not global.
Configuring Network Settings
While still logged in as an Administrator, navigate to Admin > Global > System Settings > Network Settings > Network Definitions.
Enter the IP address ranges of your corporate network into the field provided and press the "Save" button when completed.
Click the "Add" button to add as many further IP ranges as required.
Because IdentityNow is a cloud service, the ranges must be the addresses from which your users' traffic actually reaches IdentityNow, i.e. the public egress (NAT, proxy or VPN concentrator) addresses, not internal private address ranges; a user whose traffic leaves through an address outside these ranges is treated as off-network. Any user attempting to launch a custom App from outside these IP ranges will be denied access. This completes the configuration.
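To make the resulting access decision concrete, the following is an added example that is not SailPoint's code and does not use the IdentityNow API. It models the two settings above: a list of network definitions (constructed sample ranges, drawn from documentation address blocks) and a custom app definition in which the offNetwork setting has been set to supported='false'. The exact XML shape of the offNetwork element (`<offNetwork supported='false'/>` as a child of sso) is an assumption for this example, as is the default of "supported" when the element is absent; the membership test itself is plain CIDR matching on the address IdentityNow sees, which is why private addresses do not match when only public egress ranges are configured.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample: the ranges you would enter under
# Network Settings > Network Definitions. These must be the public egress
# addresses as seen by the SaaS, not internal RFC 1918 ranges.
NETWORK_DEFINITIONS = [
    "203.0.113.0/24",     # TEST-NET-3, stands in for a corporate egress range
    "198.51.100.16/28",   # a second, smaller egress range
    "2001:db8:10::/48",   # an IPv6 egress range
]

# Constructed sample app definition. The <offNetwork supported='...'/> element
# shape is an ASSUMPTION for this example; it is not taken from the product.
APP_DEFINITION = """<sso name='Custom App 1' enableSso='true' ssoMethod='SAML' importAction='overwrite'>
  <description>This is a placeholder App for testing</description>
  <offNetwork supported='false'/>
</sso>"""


def parse_networks(cidrs):
    """Parse the configured ranges once; a malformed range is a config error."""
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def is_on_network(source_ip, networks):
    """True if the client address falls inside any configured corporate range.
    A malformed address is treated as off-network (fail closed)."""
    try:
        ip = ipaddress.ip_address(source_ip)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def off_network_supported(app_xml):
    """Read the offNetwork setting from the sso app definition.
    Assumption: an absent element behaves like supported='true' (no restriction)."""
    root = ET.fromstring(app_xml)
    element = root.find("offNetwork")
    if element is None:
        return True
    return element.get("supported", "true").strip().lower() == "true"


def may_launch(app_xml, source_ip, cidrs):
    """The launch decision: unrestricted apps open from anywhere; restricted
    apps open only when the session's source address is on the corporate network."""
    if off_network_supported(app_xml):
        return True
    return is_on_network(source_ip, parse_networks(cidrs))


if __name__ == "__main__":
    for ip in ("203.0.113.77", "10.0.0.5", "2001:db8:10::1"):
        print(ip, "->", "launch" if may_launch(APP_DEFINITION, ip, NETWORK_DEFINITIONS) else "blocked")
```

Note that 10.0.0.5 is blocked even though it is an internal address: the corporate range list only contains public egress blocks, which is the situation an administrator actually faces with a SaaS identity provider. If users reach IdentityNow through a VPN whose egress address is not in the list, they will be treated as off-network as well.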
Sample Launchpad Display for Blocked Users
When a user authenticates to IdentityNow from outside the corporate network, the restricted custom App still appears on their launchpad, but its icon is shown in a blocked (greyed-out) state and they will not be able to launch the App.