How to enable Dynamic IP blocking with WSTrust

    Applies to:
  • SecureAuth Identity Platform
  • Legacy SecureAuth IdP
Deployment model:
  • Cloud
  • Hybrid
  • On Premises
  • Version Affected:  20.06 onwards


    Newer versions of SecureAuth come with Dynamic IP blocking. This can be enabled in a New Experience policy or manually with a Web Config edit on classic realms.






    Activating Dynamic IP blocking is easier in the New Experience as you simply add it to a Policy. 

    It is achievable in Classic with the following steps. 

    1. In the New Experience, click on IP filtering to set the length of time and the number of failed login parameters. These settings are global and apply to any realm that has Dynamic IP blocking enabled
    2. For new experience realms, you simply add Dynamic IP to the Policy
    3. For a Classic realms, decrypt the web.config
    4. Add the following key in the AppSettings section

    <add key="IPBlockingServiceEnabled" value="True" />
     5. Now search for State1 within the web.config to get to the Adaptive Auth settings
    Replace the current settings as follows
    <analyzeEngine enabled="true" beginState="State1">
         <state name="State1" type="SecureAuth.AnalyzeEngine.State.AdaptiveIpBlockState"
           category="PostAuthenticationState" requireUserId="false" enabled="true">
             <constraint name="C1" key="adaptiveipblock" action="in">
                 <transition on="true" to="HardStop" />
                 <transition on="false" to="next" />
                 <transition on="unavailable" to="next" />
                 <transition on="ipv6" to="HardStop" />
    6. Finally, in the WSTrust Blocking section of the Post Auth tab, select the Checkbox for "Use Adaptive Authentication for initial IP Blocking"
    7. Click Save





    SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.

    Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.

    0 out of 0 found this helpful



    Please sign in to leave a comment.