Authorizations define the additional parameters (after the Client is Authenticated) that determine whether this client has access to the resources.
|Authentication Scheme||Defines which Authentication Methods are available for this Service Provider, and which Identity Providers can service each (with which Authentication Context)|
|Default Method Comparison||
If the Service Provider does not specify a comparison in the request, this default comparison will be applied.
|Default Method||If the Service Provider does not specify an Authentication Method (amr/acr) in the request, this default comparison will be applied.
Allows a time slot can be specified to restrict access to this Service Provider. This is specified in 24 hour time and is open 24 hours a day by default. A start and end time can be specified by dragging the handles. The blue highlighted segment is when the SP can be accessed. For instance the SP is accessible from 6 in the morning to 6 in the evening in the image below.
The range of IP addresses that can gain access to this ServiceProvider (white listing).
If no IP ranges are defined, all IP's will be allowed.
An Attribute/Authentication rule can be specified to allow/restrict access to this Service Provider dependant upon the attributes of the authenticated user. Any number of conditions can be specified and one complex condition, being a nested sub-set of attribute conditions, can be specified per Service Provider.
More information: here
Application Rules are only available in the case the Service Provider type is "API" or "Proxy"
Each rule is defined for a specific Resource Location. To add a new resource location, and its corresponding rules, click "Add New URI Resource" in the top right corner. You will now need to provider the following items:
The location(s) of the resource (Service Provider) that is being accessed.
Defines the HTTP operations that will be allowed.
- GET: Access to read the resources
- POST: Access to create new resources
- PUT: Access to update/replace existing resources
- DELETE: Access to remove resources
Here you can define an amount of complex policies. Every check can result in:
- Allow access
- Deny access
- Require user re-authentication (Clears that part of the session and sets the "Force Authentication" parameter)
- Require step-up authentication (Authenticate with a stronger Authentication Method).