You can use Access policies to create comprehensive rules, with multiple variables, to control who should be able to reach your secure resources. Some common examples can be found below.
For some applications, you might want users to both authenticate against your IdP and be on a specific network. You can use a single Access policy with multiple rule types to configure this requirement.
Step 1: IP Range Access Group
We recommend creating an Access Group for your IP addresses even if you only use a single address or range. Keeping this information in one place lets you change it once instead of editing every policy that references it.
Start by creating a new Access Group. Use an Include rule, not a Require rule. Include matches a request that originates from any one of the listed addresses or ranges. Require would demand that the request originate from all of them at the same time, which a single source address cannot satisfy, so the group would never match. Additional detail on the logic behind decisions and rules can be found here.
In the Include rule, list the IP addresses or ranges that you want to treat as a trusted network. Once added, save the group.
Step 2: Include Rule
Create a policy and set the decision to “Allow”. In the Include rule, define the user criteria for access to the target application, for example users whose email ends in your organization’s email domain.
Step 3: Require Rule
Within the same policy, add a Require rule so that an additional condition must also be met to reach the application. For this example, select the Access Group from Step 1 that represents your trusted network addresses.
With this configuration, Access only allows requests from users who authenticate with an email in your domain and whose request originates from one of the networks in the Access Group. Either condition alone is not enough: an authenticated user connecting from elsewhere is denied, as is an unauthenticated request from inside the trusted network.
Access can bypass authentication for traffic from a secure office network while still requiring users away from the office to authenticate with your IdP. Use this setting only for less sensitive applications where you are confident that your office network is secure: bypassed requests are not authenticated, so anyone who can send traffic from that network’s egress address, including a guest or a compromised device on the LAN, reaches the application without any identity check.
Step 1: Bypass Policy
Create a policy and set the decision to “Bypass”. In the Include rule, select “IP Ranges” and enter the IP range of your secure network. All traffic from this range will then bypass Access. With only this policy in place, traffic from any other IP address matches no policy and cannot reach the application.
Step 2: Allow Policy
With only the bypass policy in place, requests from outside the office cannot reach your application. To let users connect while they are offsite, create a second policy and set the decision to “Allow”. Add an Include rule that permits users from your team’s email domain, or specific user emails, to reach the application.
When users are away, they’ll be able to authenticate with your configured IdP to reach the site. Users in your secure office network will not need to authenticate.
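As an added illustration of both procedures above (this is not Cloudflare’s code or an official client), the following Python models how Access combines Include, Exclude and Require rules in a policy or Access Group and evaluates policies in precedence order, then runs constructed requests through the IdP-plus-network policy and the bypass-plus-allow pair. Rule objects follow the shape of the Access API’s policy rules (email_domain, email, ip, group, everyone); the group IDs, email addresses, IP ranges and requests are constructed sample data, and first-match evaluation in precedence order is this model’s assumption rather than something the page states.

```python
"""Model of Access policy evaluation: Include / Exclude / Require, then decision.

Added example, not Cloudflare's code. Rule objects follow the shape of the
Access API's policy rules (email_domain, email, ip, group, everyone); the
group IDs, addresses and requests below are constructed sample data, and
first-match evaluation in precedence order is this model's assumption.
"""
import ipaddress


def rule_matches(rule, request, groups):
    """Evaluate one rule object against one request.

    `request` is a dict with "email" (None before the user has authenticated)
    and "ip" (the source address seen by Access). Unknown selectors never match.
    """
    if "everyone" in rule:
        return True
    if "email_domain" in rule:
        domain = rule["email_domain"]["domain"].lower()
        return (request.get("email") or "").lower().endswith("@" + domain)
    if "email" in rule:
        return (request.get("email") or "").lower() == rule["email"]["email"].lower()
    if "ip" in rule:
        network = ipaddress.ip_network(rule["ip"]["ip"], strict=False)
        return ipaddress.ip_address(request["ip"]) in network
    if "group" in rule:
        # An Access Group is itself an include/exclude/require block.
        return block_matches(groups[rule["group"]["id"]], request, groups)
    return False


def block_matches(block, request, groups):
    """Access semantics: at least one Include matches, no Exclude matches,
    and every Require matches. Applies to both policies and Access Groups."""
    include = block.get("include", [])
    exclude = block.get("exclude", [])
    require = block.get("require", [])
    return (any(rule_matches(r, request, groups) for r in include)
            and not any(rule_matches(r, request, groups) for r in exclude)
            and all(rule_matches(r, request, groups) for r in require))


def decide(policies, request, groups):
    """Try policies in precedence order; the first matching policy's decision
    applies. A request that matches no policy is denied."""
    for policy in sorted(policies, key=lambda p: p["precedence"]):
        if block_matches(policy, request, groups):
            return policy["decision"]
    return "deny"


# --- constructed configuration (group IDs and addresses are made up) ---
OFFICE_GROUP_ID = "office-network"
GROUPS = {
    # Step 1 as recommended: Include lists the ranges, so any one of them matches.
    OFFICE_GROUP_ID: {
        "include": [{"ip": {"ip": "203.0.113.0/24"}},
                    {"ip": {"ip": "198.51.100.7/32"}}],
    },
    # The mistake the text warns about: Require demands that a request come
    # from both ranges at once, which no single source address can satisfy.
    "office-network-require-mistake": {
        "include": [{"everyone": {}}],
        "require": [{"ip": {"ip": "203.0.113.0/24"}},
                    {"ip": {"ip": "198.51.100.7/32"}}],
    },
}

# Procedure 1: authenticate with the IdP AND be on the trusted network.
IDP_AND_NETWORK = [
    {"name": "Staff on office network", "precedence": 1, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}],
     "require": [{"group": {"id": OFFICE_GROUP_ID}}]},
]

# Procedure 2: bypass Access on the office network, allow staff elsewhere.
BYPASS_THEN_ALLOW = [
    {"name": "Office bypass", "precedence": 1, "decision": "bypass",
     "include": [{"ip": {"ip": "203.0.113.0/24"}}]},
    {"name": "Remote staff", "precedence": 2, "decision": "allow",
     "include": [{"email_domain": {"domain": "example.com"}}]},
]

# --- constructed requests ---
OFFICE_STAFF = {"email": "alice@example.com", "ip": "203.0.113.10"}
REMOTE_STAFF = {"email": "alice@example.com", "ip": "192.0.2.44"}
OFFICE_GUEST = {"email": None, "ip": "203.0.113.10"}  # unauthenticated, on the LAN
OUTSIDER = {"email": "mallory@attacker.example", "ip": "192.0.2.44"}
REQUESTS = {"office staff": OFFICE_STAFF, "remote staff": REMOTE_STAFF,
            "office guest": OFFICE_GUEST, "outsider": OUTSIDER}

if __name__ == "__main__":
    for label, policies in (("IdP + network", IDP_AND_NETWORK),
                            ("bypass + allow", BYPASS_THEN_ALLOW)):
        for who, req in REQUESTS.items():
            print(f"{label:15} {who:13} -> {decide(policies, req, GROUPS)}")
    print("Require-based group matches office staff?",
          block_matches(GROUPS["office-network-require-mistake"], OFFICE_STAFF, GROUPS))
```

Running it shows the two procedures diverging on the same request: the unauthenticated “office guest” is denied by the IdP-plus-network policy but reaches the application under the bypass policy, which is exactly why the page limits bypass to less sensitive applications. It also shows the Require-based group never matching a real request. Verify selector names against the Access API reference before using this shape to generate real policies.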