Edit Authorizations


Authorizations define the additional parameters, evaluated after the client has been authenticated, that determine whether this client has access to the resources.

Schemes

Field: Authentication Scheme
Description: Defines which Authentication Methods are available for this Service Provider, and which Identity Providers can service each (with which Authentication Context).

Field: Default Method Comparison
Description: If the Service Provider does not specify a comparison in the request, this default comparison will be applied.

  • If Comparison is set to "exact" or omitted, then the resulting authentication context in the authentication statement MUST be the exact match of at least one of the authentication contexts specified.
  • If Comparison is set to "minimum", then the resulting authentication context in the authentication statement MUST be at least as strong (as deemed by the responder) as one of the authentication contexts specified.
  • If Comparison is set to "better", then the resulting authentication context in the authentication statement MUST be stronger (as deemed by the responder) than any one of the authentication contexts specified.
  • If Comparison is set to "maximum", then the resulting authentication context in the authentication statement MUST be as strong as possible (as deemed by the responder) without exceeding the strength of at least one of the authentication contexts specified.

Field: Default Method
Description: If the Service Provider does not specify an Authentication Method (amr/acr) in the request, this default method will be applied.
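As an added example (not the product's own code), the following Python shows how an identity provider could check the authentication context it actually used against the request's Comparison value, falling back to the Service Provider's Default Method Comparison and Default Method when the request omits them. The strength ordering of the context classes, and the names SpAuthzDefaults and context_satisfies, are assumptions made for this illustration.

```python
"""Added example: evaluating a requested authentication context against the
context class actually used, per the four Comparison values above."""
from dataclasses import dataclass
from typing import Optional, Sequence

# Assumed strength ranking, weakest first. Strength is "as deemed by the
# responder", so a real IdP would make this ordering configurable.
STRENGTH_ORDER = [
    "urn:oasis:names:tc:SAML:2.0:ac:classes:Password",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:TimeSyncToken",
    "urn:oasis:names:tc:SAML:2.0:ac:classes:X509",
]


def strength(ctx: str) -> int:
    """Rank of a context class; unknown classes are rejected, never guessed."""
    if ctx not in STRENGTH_ORDER:
        raise ValueError(f"unknown authentication context: {ctx}")
    return STRENGTH_ORDER.index(ctx)


@dataclass
class SpAuthzDefaults:
    """Per-Service-Provider defaults from the Schemes table (assumed names)."""
    default_comparison: str = "exact"
    default_methods: Sequence[str] = (STRENGTH_ORDER[1],)


def context_satisfies(result_ctx: str, requested: Optional[Sequence[str]],
                      comparison: Optional[str], sp: SpAuthzDefaults) -> bool:
    """True if the context in the authn statement meets the SP's requirement."""
    # Fall back to the SP defaults when the request omits either value.
    comparison = (comparison or sp.default_comparison).lower()
    requested = list(requested) if requested else list(sp.default_methods)
    ranks = [strength(c) for c in requested]
    got = strength(result_ctx)
    if comparison == "exact":        # must match one listed context exactly
        return result_ctx in requested
    if comparison == "minimum":      # at least as strong as one listed context
        return got >= min(ranks)
    if comparison == "better":       # strictly stronger than every listed context
        return got > max(ranks)      # (conservative reading of "any one of")
    if comparison == "maximum":      # must not exceed the strongest listed context
        return got <= max(ranks)
    raise ValueError(f"unknown Comparison value: {comparison}")
```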

Context

Time

Allows a time slot to be specified to restrict access to this Service Provider. Times are given in 24-hour format, and access is open 24 hours a day by default. A start and end time can be set by dragging the handles; the blue highlighted segment is when the SP can be accessed. For instance, in the image below the SP is accessible from 6 in the morning to 6 in the evening.

IP Address

The range of IP addresses that can gain access to this Service Provider (whitelisting).

If no IP ranges are defined, all IP addresses will be allowed.

Authentication Rule

An Attribute/Authentication rule can be specified to allow or restrict access to this Service Provider depending on the attributes of the authenticated user. Any number of conditions can be specified, and one complex condition, being a nested sub-set of attribute conditions, can be specified per Service Provider.


Application Rule

Application Rules are only available when the Service Provider type is "API" or "Proxy".

Each rule is defined for a specific Resource Location. To add a new resource location and its corresponding rules, click "Add New URI Resource" in the top right corner. You will then need to provide the following items:

URI

The location(s) of the resource (Service Provider) that is being accessed.  

HTTP Method

Defines the HTTP operations that will be allowed.

  • GET:  Access to read the resources
  • POST:  Access to create new resources
  • PUT:  Access to update/replace existing resources
  • DELETE:  Access to remove resources

Policy Statements

Here you can define any number of complex policies. Every check can result in one of the following:

  • Allow access
  • Deny access
  • Require user re-authentication
  • Require step-up authentication (Authenticate with a stronger Authentication Method).