To configure IP whitelists navigate to the ‘IP Whitelists’ page under the ‘Security’ menu, or use the direct link (https://admin.clearlogin.com/ip_whitelists).
To add a new IP whitelist rule use the ‘Add New IP Whitelist’ button labeled below.
By default accounts have an IP whitelist rule assigned to the default group that allows users to login from any source IP address.
IP whitelists user CIDR rules (http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) to flag specific IP addresses or ranges of IP address to allow access to login with SSO. In conjunction with groups you can assign different sets of users different access permissions based on their group membership.
To add a new IP whitelist rule you need to know the source IP address (or IP range) and the group(s) that the rule should be assigned to. The rule can be created and assigned to the appropriate group(s) in a single step. A default name will be provided for each rule created or optionally the rule can be custom labeled.
A CIDR address contains two major components:
- The IP address - ex: 126.96.36.199
- The number of bits in the routing prefix - ex: 32
The number of bits in the routing prefix translate to a subnet mask which dictates how many bits in the 32-bit IP address are required to match and allow the user to login.
In the following examples:
- All 32 bits much match, meaning the user must be coming from this specific IP address.
- The first 24 bits must match, meaning that any address in the range 45.28.60.x matches the rule.
- The first 24 bits must match, meaning that any address in the range 45.28.x.x matches the rule.
- None of the bits need to match, and the user can come from any IP address. In this case the IP address that is specified is irrelevant since it is not being matched against. However a rule to allow a user form any IP address is generally written as 0.0.0.0/0 to avoid confusion.