Country Restriction and Geo-velocity Do Not Restrict Access Properly

    Applies to:
  • Legacy SecureAuth IdP
Deployment model:
  • On Premises
  • SecureAuth IdP Version affected: All versions 9.0.2 and earlier

    Description: When configuring a realm's the Adaptive Authentication tab for Country Restriction and/or Geo-velocity, users are authenticated regardless of what Country List Deny/Allow permissions are in place.

    The debug file for the realm should list an Analyze Engine error that says something along the lines of "GeoLocation cannot be validated with /msg encryption"
    To further validate that this is the issue, the realm can be tested against a Restriction Type: IP Restriction, Adaptive Authentication configuration. If the IP of the local server is set to Deny, and launching the realm from the server causes the configured Failure Action as intended, then it's likely the /msg encryption that's issue. 

    Cause: Certain network setups (load-balancers, proxies, firewalls, etc.) can interfere with Adaptive Authentication Analyze Engine's ability to reach the GeoLocation endpoint through /msg protocol. The Analyze Engine needs to reach this endpoint in order to validate the IP addresses of users against the Country List that's in our cloud.

    As an alternative, this endpoint can be changed to a SSL protocol, through the realm's web.config file--SecureAuth#.

    Admin Console ->  Admin Realm -> SecureAuth# -> System Info(tab) -> Click to edit Web Config file(displayed at page bottom)

    - With (Ctrl+F), search for two key values wse3IP and wse3IPEvaluation.


    - Set these two values from True to False and click Save.


    Then test and see your results.

    0 out of 0 found this helpful



    Please sign in to leave a comment.