Introduction
By default, HelloID displays all available IdPs on the login screen when multiple IdPs are configured. This can be confusing for end users.
Resolve this by setting client restrictions. A client restriction is a condition under which an authentication method is shown or hidden, based on a combination of the following:
- Network IP(s)
- Browser/device-type
Scenario
Users on the organizational network, using domain-joined equipment, should be automatically logged in with integrated Windows authentication. Show only agent-based authentication for all other instances.
Show an IdP
For this example, we'll configure HelloID to show our ADFS IdP on the login screen when users are logging in from inside the company network, using approved device types.
- Go to Security > Authentication > Identity Providers.
- Select an identity provider to configure. For this example, we'll select ADFS.
- Go to the Client Restrictions tab.
- Change the Action to Show.
- Enable the Use IP Restriction toggle.
- In the IP Ranges field, enter the organization's public-facing IP address. For multiple addresses, separate each with a comma. For a range, use a hyphen. For example: 66.123.1.0-66.123.1.254
- Enable the Use Source Restriction toggle. Select the browser/device-types allowed to use this authentication method.
- Click Save.
Show a different IdP for users on other devices
Next, we'll configure HelloID to show our on-premises Active Directory (Agent) IdP on the login screen for users who are on the organization's network but not using an approved device type.
- Go to Security > Authentication > Identity Providers.
- Select an identity provider to configure. For this example, we'll select our AD IdP.
- Go to the Client Restrictions tab.
- Change the Action to Show.
- Enable the Use IP Restriction toggle.
- We'll enter the same IP range we entered previously.
- Enable the Use Source Restriction toggle. This time, we'll select the device types we didn't select for ADFS.
- Click Save.
Hide an IdP
For the final example, we'll demonstrate a Hide policy. We'll hide our Azure IdP for all logins inside the network, on any device type.
- Go to Security > Authentication > Identity Providers.
- Select an identity provider to configure. For this example, we'll select our Azure IdP.
- Go to the Client Restrictions tab.
- Change the Action to Hide.
- Enable the Use IP Restriction toggle.
- We'll enter the same IP range we entered previously.
- Click Save.
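To check a set of client restrictions before rolling it out, the three policies above can be modelled and evaluated for a given client IP and device type. This is an added example, not HelloID code. It assumes that a Show restriction displays the IdP only when its conditions match and a Hide restriction displays it unless they match; the device-type names and the outside address are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

def parse_ip_ranges(field):
    """Parse an IP Ranges value ("a, b-c") into (low, high) address pairs."""
    ranges = []
    for entry in field.split(","):
        low, _, high = entry.strip().partition("-")
        if not low:
            continue
        lo = ipaddress.ip_address(low.strip())
        hi = ipaddress.ip_address(high.strip()) if high else lo
        if lo.version != hi.version or lo > hi:
            raise ValueError(f"bad range: {entry!r}")
        ranges.append((lo, hi))
    return ranges

@dataclass
class Restriction:
    idp: str
    action: str                       # "Show" or "Hide"
    ip_ranges: str = ""               # empty = Use IP Restriction off
    sources: frozenset = frozenset()  # empty = Use Source Restriction off

    def matches(self, client_ip, source):
        ip = ipaddress.ip_address(client_ip)
        ip_ok = not self.ip_ranges or any(
            lo.version == ip.version and lo <= ip <= hi
            for lo, hi in parse_ip_ranges(self.ip_ranges))
        return ip_ok and (not self.sources or source in self.sources)

def visible_idps(restrictions, client_ip, source):
    # Assumed semantics: Show -> visible only on match, Hide -> visible unless match.
    return [r.idp for r in restrictions
            if r.matches(client_ip, source) == (r.action == "Show")]

OFFICE = "66.123.1.0-66.123.1.254"    # range from the example above
POLICIES = [                          # device-type names are placeholders
    Restriction("ADFS", "Show", OFFICE, frozenset({"desktop"})),
    Restriction("AD (Agent)", "Show", OFFICE, frozenset({"mobile"})),
    Restriction("Azure", "Hide", OFFICE),
]

if __name__ == "__main__":
    for ip, dev in [("66.123.1.20", "desktop"), ("66.123.1.20", "mobile"),
                    ("203.0.113.10", "desktop")]:
        print(ip, dev, "->", visible_idps(POLICIES, ip, dev))
```

Under these assumptions, a client outside the entered range sees only the Azure IdP, so compare that result with the intended scenario before saving.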