Allowing Only Network Users to Access Custom Single Sign-On (SSO) Applications in SailPoint IdentityNow

Authenticated users of IdentityNow can be prevented from launching “custom” Single Sign-On (SSO) applications when they are not on the corporate network: only users whose requests arrive from an address inside the defined corporate IP ranges are able to launch those custom Apps.

There are two steps required to configure this capability, Custom App Definition and Network Settings:

Configuring Custom App Definition

Log on as an Administrator and navigate to Admin > Applications > Custom App > Settings > Advanced Configuration.

Click the “Edit” button, locate the sso tag within the XML app definition and manually change the offNetwork setting to supported='false' (straight quotes, as in the XML) as shown below:

<sso name='Custom App 1' enableSso='true' ssoMethod='SAML' importAction='overwrite'>
    <description>This is a placeholder App for testing</description>
    <offNetwork supported='false'/>

Click the “Save” button when done. The fragment above is an excerpt; leave the rest of the app definition unchanged.

Configuring Network Settings

While still logged in as an Administrator, navigate to Admin > Global > System Settings > Network Settings > Network Definitions

Enter the IP address ranges of your corporate network in the field provided and press the “Save” button when done. Because IdentityNow is a cloud service, the ranges must be the source addresses your users' requests actually arrive from (for example the public NAT or VPN egress addresses of your sites), not only internal private ranges that are never seen as a source address outside your network.

Click the “Add” button to add as many IP ranges as required.

Any user who attempts to launch the custom App from an address outside these ranges will be denied access. The restriction applies only to Apps whose definition was edited in the first step; other SSO Apps are unaffected. This completes the configuration.
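The following script is an added example and is not SailPoint code: it models the two settings above so they can be checked offline. It patches a custom App definition so that offNetwork carries supported='false' (adding the element when it is missing), and it evaluates a launch request the way the network check amounts to, by testing whether the request's source IP falls inside one of the configured corporate ranges. The sample definition, the CIDR input form, the default when the offNetwork element is absent, and every function name are assumptions made for the illustration.

```python
"""Model of the custom App offNetwork setting and the Network Definitions check.

Added example, not SailPoint code. Assumptions: the app definition is the
<sso> XML shown on this page, network definitions are given as CIDR strings,
and an absent <offNetwork> element means off-network launch is allowed.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample based on the fragment above, closed so it parses.
# Here offNetwork is still supported, i.e. the "before" state.
SAMPLE_APP_XML = """<sso name='Custom App 1' enableSso='true' ssoMethod='SAML' importAction='overwrite'>
    <description>This is a placeholder App for testing</description>
    <offNetwork supported='true'/>
</sso>"""


def restrict_to_network(app_xml: str) -> str:
    """Return the definition with <offNetwork supported='false'/> set.

    Adds the element if the definition has none. The serializer emits
    double-quoted attributes, which is equivalent XML.
    """
    root = ET.fromstring(app_xml)
    if root.tag != "sso":
        raise ValueError("expected an <sso> app definition")
    off = root.find("offNetwork")
    if off is None:
        off = ET.SubElement(root, "offNetwork")
    off.set("supported", "false")
    return ET.tostring(root, encoding="unicode")


def off_network_supported(app_xml: str) -> bool:
    """True unless the definition carries <offNetwork supported='false'/>."""
    off = ET.fromstring(app_xml).find("offNetwork")
    # Assumed default: no element, or no attribute, means off-network allowed.
    return off is None or off.get("supported", "true").lower() != "false"


def parse_network_definitions(ranges):
    """Parse CIDR strings (assumed input form) into network objects."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def is_on_network(source_ip: str, networks) -> bool:
    """On-network means the source address seen by the service is in a range."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in net for net in networks)


def may_launch(app_xml: str, source_ip: str, networks) -> bool:
    """Launch is allowed when off-network is supported or the user is on-network."""
    return off_network_supported(app_xml) or is_on_network(source_ip, networks)


if __name__ == "__main__":
    patched = restrict_to_network(SAMPLE_APP_XML)
    # Public egress range (documentation prefix) versus a private-only definition.
    egress_only = parse_network_definitions(["203.0.113.0/24"])
    private_only = parse_network_definitions(["10.0.0.0/8"])
    for ip in ("203.0.113.20", "198.51.100.7"):
        print(ip, "egress ranges:", may_launch(patched, ip, egress_only),
              "private ranges:", may_launch(patched, ip, private_only))
```

The private-only case shows the pitfall mentioned above: a user behind corporate NAT reaches the cloud service from 203.0.113.20, so a definition containing only 10.0.0.0/8 never matches and every launch is denied.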

Sample Launchpad Display for Blocked Users

When a user who is not on the corporate network authenticates into IdentityNow, the App icon is shown on their launchpad in a blocked state (pictured in the original screenshot); they will not be able to launch the App.