Restrict SSO enabled Cloud Edge UI access for specific IP range

Hello, @Dino-at-Google

My question is around cloud edge UI access restriction from specific IP addresses/ranges.

I understand that all cloud edge organizations can be accessed with valid credentials through edge UI - which is accessible over public internet on a common URL.

If organizations are SSO enabled, is there a way to restrict users to access Edge UI from office network only?

Thanks.


With the Apigee SaaS service, you're correct: the management UI is available via public networks.

I'm not sure what's possible with your IdP, your identity provider. That system authenticates each user. We often think of the IdP as being very simple; the user provides a login and password, and the IdP validates those credentials. But I believe some IdPs can accept additional things for authentication, like a second factor, maybe a time-based one-time password (TOTP). And the IdP may also be able to enforce IP address restrictions for sign on. I think Okta does this.

Not sure about other IdPs.

In short, it wouldn't be Apigee that enforces the network zone restriction; it would be the IdP.

OR, it could be that the IdP is configured to transmit the client's IP address to Apigee, acting as SP. I think ADFS does this. And it's possible, not sure, that Apigee might be able to validate the inbound IP assertion.

@arjavgoswami - have you got any input on this?