Roaming Authentication allows an admin to configure when “roaming authentication” will be offered to a user during an authentication flow. Note that this can also be configured in policy, which has the final say (because it will ultimately allow or deny the authentication). Roaming authentication must be both enabled and allowed by policy (because it will ultimately allow or deny the authentication) for successful authentication.
Each tenant has a roaming authentication configuration that applies to all authentication flows for that tenant’s users (OIDC, SAML, and WS-Fed).
To configure roaming authentication
- Go to Settings > Tenant in the console and scroll down to Authentication Options.
- Click the Edit icon and enable Roaming Authentication.
- Modify the following as needed:
Option Description IP Include List
This option checks the “remote IP” of the user agent against allowed IPs.
- All IPs (the default)
Specified IP lists - References one or more named IP address lists.
Note: Named IP address lists are recommended because they can more easily be kept in sync with policy rules that reference the same attribute lists.
- Specified IP address - Specify inline IP addresses. The maximum number of user groups allowed is 10. If you need more than 10, consider using an IP address list.
If you select any option other than All IPs, roaming authentication will only be offered to users who begin their authentication from a valid IP address.
IP addresses can be specified as:
- A single IP address (e.g. 192.168.0.3 or 2001:db8::68)
- IPv4 and IPv6 are both accepted for any of these values.
- A Classless Inter-domain Routing (CIDR) block (e.g. 192.0.2.0/24 or 2001:db8::/32)
- CIDR blocks define an IP address and prefix length, as defined in RFC 4632 and RFC 4291.
- An IP range (e.g. 192.168.0.1-192.168.0.5)
- Ranges are defined as two IP addresses separated by a single '-' character.
- Ranges are inclusive.
- IP addresses in the same range must use the same IPv4 or IPv6 format.
- The first IP address in the range must have a smaller value than the second IP address in the range.
User Group Include List
This option guesses the username before authenticating and checks that the user is in an allowed group.
- All user groups (the default)
- Select user groups - Select one or more user groups from the list. The maximum number of user groups allowed is 10.
Because this decision is made before authentication, determining the groups that a user belongs to is an approximation. This is based on optional “login hints” that may be provided during authentication:
- login_hint parameter provided in OIDC or WS-Fed requests
- username parameter provided in WS-Fed requests
Note: “Login hint” refers to either of these parameters because they both provide a “hint” for us to determine which user is attempting to login.
WS-Fed supports both of these parameters, and it's possible that they are both provided in the same authentication request and contain different values. If different values are provided in a single request, each login hint will be used to search the directory and roaming authentication will be offered if either returns a user that belongs to one of the specified groups.
The following search is performed in the tenant’s directory if this configuration is used and a “login hint” is provided:
- user name matches the login hint (case insensitive)
- email address that matches the login hint (case insensitive)
- email address where the "local" part matches the login hint (i.e. login.hint matches email@example.com or firstname.lastname@example.org)
If no user is returned from this search, or more than one user is returned, the authentication request is handled as an “unknown user.” This means that if, for example, there are multiple users in the directory with the same user name or email address, the login hint will be ambiguous and roaming authentication will not be offered.
If neither “login hint” parameter is provided in a given authentication request, the user is always treated as “unknown,” and therefore can’t belong to any of the specified groups. These parameters exist only in OIDC or WS-Fed, so all SAML authentication requests are handled as an “unknown user.”
It should be noted that this feature can add some additional latency to authentication requests (because of the searching required) so should be avoided by tenants that have very strict latency requirements during authentication.
Note: Allowed IP addresses and allowed user groups can be set independently. If both are selected, logic will be combined using AND (i.e. the IP address AND the user group must be “allowed” for Beyond Identity to offer roaming authentication).
- Click Save Changes.
Note: When enabling roaming authentication, please review policy rules that include authentication transactions because they may also impact the roaming authentication method.