Using different SSO providers depending on Location
For organisations with offices in multiple regions, xAssets can route users to different identity providers (or the same provider with different credentials) based on their IP address. This is useful when different regions use different Azure tenants, different identity providers, or when regulatory requirements mandate that authentication traffic stays within a specific geography.
Prerequisites
- SSO enabled and working with at least one provider (see SSO Introduction and Setup)
- Knowledge of the IP address ranges for each office or region
- Contact with xAssets consulting (authentication scripts cannot be edited by customers)
How IP-Based Routing Works
The authentication script includes IP range rules that map source IP addresses to specific credential packs. When a user initiates a login:
- The system records the user's IP address
- The IP address is matched against the configured ranges
- The user is redirected to the identity provider specified by the matching credential pack
- If no range matches, the default credential pack is used
Example Configuration
The following script routes users to region-specific Azure credential packs based on IP address:
```
idp = defaultidentityprovider
range = IPRANGE "10.5.0.0-10.10.255.255", idp, "Germany"
if range = "" then
range = IPRANGE "10.11.0.0-10.20.255.255", idp, "UK"
end if
if range = "" then
range = IPRANGE "*", idp
end if
rangelocation = IPRANGELOCATION
```
In this example, with Azure as the provider:
| IP Range | Credential Pack Used |
|---|---|
| 10.5.0.0 -- 10.10.255.255 | AzureGermany |
| 10.11.0.0 -- 10.20.255.255 | AzureUK |
| All other addresses | Azure (default) |
Each named credential pack (AzureGermany, AzureUK, Azure) is configured separately with its own tenant ID, application ID, and client secret pointing to the appropriate Azure tenant for that region.
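The routing logic above (first matching range wins, the wildcard supplies the default pack) and the "simulate the IP addresses" test step can be exercised offline. The following Python is an added example, not xAssets code: it assumes that `IPRANGE` returns the pack name formed from the provider name plus the suffix on a match and an empty string otherwise, that the default pack is called `Azure` as in the table, and the rule table, test addresses and the `route`, `overlapping_rules` and `simulate` helpers are constructed here for illustration. It also goes slightly beyond the page by accepting CIDR blocks and by flagging overlapping ranges, which the script would silently resolve by order.

```python
import ipaddress

# Assumed default credential pack name; the page's table calls it "Azure".
DEFAULT_IDP = "Azure"

# Constructed rule table mirroring the example script: evaluated top to bottom,
# first match wins, "*" is the catch-all that maps to the unsuffixed default pack.
RULES = [
    ("10.5.0.0-10.10.255.255", "Germany"),
    ("10.11.0.0-10.20.255.255", "UK"),
    ("*", ""),
]


def parse_range(spec):
    """Convert 'start-end', a CIDR block, or '*' into an inclusive (low, high) integer pair."""
    if spec == "*":
        return 0, 2**32 - 1
    if "-" in spec:
        lo, hi = (ipaddress.IPv4Address(p.strip()) for p in spec.split("-", 1))
        if lo > hi:
            raise ValueError(f"range {spec!r} starts after it ends")
        return int(lo), int(hi)
    net = ipaddress.IPv4Network(spec, strict=False)
    return int(net.network_address), int(net.broadcast_address)


def iprange(spec, idp, suffix, client_ip):
    """Model of the script's IPRANGE call (assumed semantics): returns the credential
    pack name idp+suffix when client_ip falls inside spec, otherwise the empty string."""
    low, high = parse_range(spec)
    return idp + suffix if low <= int(ipaddress.IPv4Address(client_ip)) <= high else ""


def route(client_ip, rules=RULES, idp=DEFAULT_IDP):
    """Walk the rules exactly as the example script does: each IPRANGE is only
    consulted while every previous one returned ''."""
    result = ""
    for spec, suffix in rules:
        if result == "":
            result = iprange(spec, idp, suffix, client_ip)
    return result


def overlapping_rules(rules=RULES):
    """Pre-deployment check: report pairs of non-wildcard ranges that overlap.
    Overlaps are not errors in the script, but they make routing order-dependent,
    which is easy to get wrong when ranges are edited later."""
    spans = [(spec, *parse_range(spec)) for spec, _ in rules if spec != "*"]
    found = []
    for i, (a, a_lo, a_hi) in enumerate(spans):
        for b, b_lo, b_hi in spans[i + 1:]:
            if a_lo <= b_hi and b_lo <= a_hi:
                found.append((a, b))
    return found


def simulate(sample_ips, rules=RULES, idp=DEFAULT_IDP):
    """Routing table for a list of test addresses (the 'simulate the IP addresses' step)."""
    return {ip: route(ip, rules, idp) for ip in sample_ips}


if __name__ == "__main__":
    # Constructed test addresses: inside each range, on a range boundary,
    # and one that matches nothing but the wildcard.
    for ip, pack in simulate(["10.5.0.1", "10.10.255.255", "10.11.0.0", "192.0.2.10"]).items():
        print(f"{ip:>16} -> {pack}")
    print("overlaps:", overlapping_rules())
```

When building a test list for the go-live check, include the first and last address of every range and an address just outside each one, since off-by-one edits at a boundary are the most common way a region silently falls through to the default pack. The decision is also only as good as the source address it reads: if xAssets sits behind a load balancer or proxy, confirm with consulting which address the script actually records, so that internal ranges are matched against the real client rather than the proxy.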
Setting Up Multi-Region SSO
- Create credential packs for each region, named according to the convention used in the authentication script (e.g., AzureGermany, AzureUK)
- Contact xAssets consulting to update the authentication script with the correct IP ranges and credential pack names
- Test from each region or by simulating the IP addresses to verify correct routing
- The script must be security tested before going live
Warning: Only xAssets consulting can edit the authentication script. The script handles security-critical authentication flows and must be reviewed for security vulnerabilities before deployment.
Related Articles
- SSO Introduction and Setup — enabling SSO
- SSO with Azure — configuring Azure AD as the identity provider
- Preparation — the authentication script and settings