Get a Quote

Articles in this section

See more

Configure multiple IDPs with Client Restrictions

  • Updated:

Introduction

The default login behavior is to display all available authentication methods when multiple IDPs are configured. This can be confusing for end users.

Resolve this by setting client restrictions. Client restrictions are conditional authentication methods, that can be shown or hidden, based on a combination of the following:

  • Network IP(s)
  • Browser/device-type

Scenario

Users on the organizational network, using domain-joined equipment, should be automatically logged in with integrated Windows authentication. Show only agent-based authentication for all other instances.

Show an IDP type

Navigate to Security > Authentication > Identity Providers and select an identity provider to configure, then the Client Restrictions tab at the left.

clientRestrictions.png

Show only ADFS as an option when on the organizational network by configuring a policy to be visible for access from the public-facing IP as well enabling device-type restrictions.

showOrgandDevice.png

Choose the action 'Show' and enable the toggles for both IP and source restriction.

Enter the IP address for the organization's public-facing IP. For multiple addresses, separate each with a comma.

Select the browser/device-types allowed to use this authentication method.

Save to return to the identity provider configuration tab.

Show an IDP for users on other devices

Show an agent-based authentication method for users that are on the organization's network but not using a configured device type in the above example.

Select the agent-based authentication from the identity providers pane.

showOrgOtherDevices.png

Choose the action 'Show' and enable the toggles for both IP and source restriction.

Enter the IP address for the organization's public-facing IP. For multiple addresses, separate each with a comma.

Select the browser/device-types allowed to use this authentication method. This example uses the devices not configured for ADFS authentication above.

Save to return to the identity provider configuration tab.

Hide an IDP by Network

Hide the agent when coming from the organizational network on any device type.

hideOrgandAll.png

Choose the action 'Hide' and enable the toggle for IP restriction.

Enter the IP address for the organization's public-facing IP. For multiple addresses, separate each with a comma.

Save to return to the identity provider configuration tab.