Using SAML access/authentication for external users


(Ryan Archer) #1

Hi All,

I am just learning about the SAML standard and how it may be used within our organisation. I am hoping it may solve one particular problem we have now. We have an Intranet site that is only accessible when logged in at work using LDAP. Any users outside the corporate network are not able to visit the site or access it for admin/edits.

This intranet shares the space with other public-facing websites. I am not really sure (right now) what technology is used to hide the Intranet from public access (I would guess it's an IP range or something to do with LDAP).

Could we use SAML authentication/access for external users so they can access the Intranet, whilst retaining the same type of access for users normally logging in using the corporate network? So external users get redirected to a SAML page when attempting to access the Intranet, and corporate users are just taken straight to the website as they are detected as internal access.

Hope what I am saying is making sense. I think SAML is the answer to this but I just need to clarify.


(Bart Banda) #2

You are probably best off investigating with the person/people who set up the restriction in the first place; they would be the ones able to tell you if SAML will help.

But SAML login basically just takes the login process completely outside of Matrix, so any restrictions on the login process, such as an IP range, would need to be handled there, if required at all.

But really, if you just want users to access Matrix via LDAP outside of your office IP addresses, you probably just need to remove the IP restriction completely. Why is it there in the first place if you need to allow users to access it outside of that range?

Sounds like there is an IP restriction at the DNS level rather than at the Matrix level?


(Ryan Archer) #3

OK, to explain it better: our director has asked to make the Intranet available to staff that are off site, not to leave the Intranet open for public access (for obvious reasons).

So a staff member visits the company Intranet website 'offsite' and is asked for authentication by default because they are offsite (nothing to do with logging into the edit or admin Squiz Matrix side of the website at all).

Staff members who are onsite will just go to the Intranet site as normal with no prompt for login.

I think you are right, this is bigger than SAML and sounds like it should be handled by IT at the DNS level.
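The behaviour asked for in this thread (onsite staff pass straight through, offsite staff are sent to the SAML identity provider, and the intranet is never open to the public) is an access decision that usually lives in the reverse proxy or web tier in front of the site, not in SAML itself. The following is an added illustration of that decision, written for this page and not code from Squiz Matrix or from anyone in the thread. The corporate address ranges, the trusted proxy address, the `/saml/login` endpoint and the `Request` object are all assumptions made up for the example. The security point it demonstrates is the one Bart alludes to: if the "am I onsite?" check is based on a client address, the `X-Forwarded-For` header must only be trusted when it comes from your own proxy, otherwise an offsite user can claim an internal address and skip the login prompt entirely.

```python
"""Network-location gate for an intranet: onsite -> allow, offsite -> SAML.

Added example for this thread; not part of Squiz Matrix. All addresses,
endpoints and the Request type below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from urllib.parse import quote

# Hypothetical corporate (onsite) ranges. Anything else is "offsite".
CORPORATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.10.0/24"),
]

# Hypothetical address of the reverse proxy that fronts the intranet.
# Only this peer is allowed to tell us who the real client is.
TRUSTED_PROXIES = {ipaddress.ip_address("203.0.113.5")}

# Hypothetical SP-initiated SAML login endpoint on the intranet host.
SAML_LOGIN_URL = "/saml/login"


@dataclass
class Request:
    """Minimal stand-in for a web framework request (constructed)."""
    remote_addr: str                 # TCP peer that connected to us
    path: str = "/"
    headers: dict = field(default_factory=dict)
    session: dict = field(default_factory=dict)


def client_ip(req: Request) -> ipaddress._BaseAddress:
    """Return the address the access decision should be based on.

    X-Forwarded-For is client-controlled data. It is honoured only when the
    TCP peer is one of our trusted proxies; for a direct connection from an
    untrusted peer the header is ignored, so a spoofed "10.x" value cannot
    make an offsite user look onsite. With a single trusted proxy, the last
    entry in the header is the one the proxy itself appended.
    """
    peer = ipaddress.ip_address(req.remote_addr)
    if peer not in TRUSTED_PROXIES:
        return peer
    xff = req.headers.get("X-Forwarded-For", "")
    if not xff:
        return peer
    last_hop = xff.split(",")[-1].strip()
    return ipaddress.ip_address(last_hop)


def is_onsite(addr: ipaddress._BaseAddress) -> bool:
    """True when the address falls inside a corporate range."""
    return any(addr in net for net in CORPORATE_RANGES)


def decide(req: Request) -> tuple:
    """Return ("allow", None) or ("redirect", url).

    Onsite users and users who already hold an authenticated SAML session
    are allowed through; everyone else is sent to the IdP, with the
    requested path carried in RelayState so they land back where they were.
    """
    if is_onsite(client_ip(req)):
        return ("allow", None)
    if req.session.get("saml_name_id"):
        return ("allow", None)
    return ("redirect", f"{SAML_LOGIN_URL}?RelayState={quote(req.path, safe='')}")


if __name__ == "__main__":
    # Constructed sample requests covering the cases discussed in the thread.
    onsite = Request("10.1.2.3", "/intranet/news")
    offsite = Request("203.0.113.5", "/intranet/news",
                      headers={"X-Forwarded-For": "198.51.100.7"})
    spoofed = Request("198.51.100.7", "/intranet/news",
                      headers={"X-Forwarded-For": "10.1.2.3"})
    logged_in = Request("203.0.113.5", "/intranet/news",
                        headers={"X-Forwarded-For": "198.51.100.7"},
                        session={"saml_name_id": "ryan@example.org"})
    for name, r in [("onsite", onsite), ("offsite", offsite),
                    ("spoofed", spoofed), ("logged_in", logged_in)]:
        print(name, decide(r))
```

Note that the same rule must also be enforced for the public-facing sites sharing the host: if the intranet is only "hidden" by DNS or by an IP allow list at the edge, moving staff offsite means the edge now has to distinguish the intranet vhost from the public ones and apply this gate only to the former.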