Restrict API access from IP ranges or countries

Hi! I would like to restrict ISC API clients from certain IP addresses, or by country, as can be done with identity profiles. If I use a PAT generated for some identity, do the restrictions configured on the identity profile also apply to API access?

For example, I add Argentina to the whitelisted countries, then check the IdentityNow identity profile's untrusted geographies.

Only ISC admins from Argentina will be able to log in to the ISC console. If one of these identities has a PAT which some API client uses, is it also restricted to being used only from Argentina?

Hi @jsosa

This is a very good use case, thanks for posting.

We have not yet implemented this, but I would say the PAT should not work for APIs. If it works, then there is no point to the restrictions.

As we basically perform the same operations through the UI or the API. Some may not be feasible in the UI.

Anyway, would like to test this.

Thanks
Krish


I don't think any restrictions apply to PATs. We need to get feedback from SailPoint.

Hi Krishna! I could finally test it with my demo tenant (I think it will work the same with clients' tenants). Confirmed: when I restrict by my country (Argentina), I cannot access the UI, but the API still works fine, so the restrictions do not apply.


Hi @jsosa,

If you configure a restriction based on IP addresses or country, this will take effect only if you apply it in the chosen identity profile.

This restriction will only apply to identities of the identity profiles on which you enable the restrictions.

And this restriction is applied to all authentication (from the UI or the API) (message: bad credentials / unauthorized location).

If your API works after applying the restriction, that means your token was generated before applying it, but if you try to generate one now, it doesn't work.

But for all identities coming from identity profiles where the restrictions are not enabled, the restriction is not applied and they can authenticate from anywhere.

Also, if you configure a restriction, you must also allow your tenant region's country and/or SailPoint's public IP addresses for ISC SaaS connectors, Workflows and other SailPoint SaaS services.

IP Address Allow List | SailPoint Developer Community


Hi @baoussounda, you are totally right. I use a Postman collection to test, and as the expiration time was not reached yet, it was using a token from the moment at which the user was not on the blacklist.

Now I forced it to bypass the expiration times, and when the script sends the authentication call, it receives:

{"error":"invalid_client","error_description":"Bad client credentials"}
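The test the thread converges on (restriction is enforced at authentication, so a cached token keeps working until it expires, and only a fresh token request reveals the block) can be scripted so that a cached token never masks the result. The following is an added example, not code from the thread or from SailPoint: it reads the unverified `exp` claim of a cached token to show why it would still be reused, always requests a new token via the documented `https://{tenant}.api.identitynow.com/oauth/token` client-credentials endpoint, and classifies the response. The tenant name, client ID and secret are placeholders, the sample JWT is constructed with a fake signature purely for the offline checks, and note that `invalid_client` is also what a wrong secret returns, so confirm the PAT works from an allowed network (and that SailPoint's own IPs are allow-listed, as the previous reply notes) before attributing a rejection to the restriction.

```python
"""Probe whether an ISC PAT is still accepted after an IP/country restriction.

Added example, not from the thread. Assumes the documented token endpoint
https://{tenant}.api.identitynow.com/oauth/token with grant_type=client_credentials;
tenant, client id and secret below are placeholders.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_exp(token: str) -> int:
    """Return the exp claim of a JWT without verifying its signature.

    Only expiry is read, to explain why a cached token would still be reused;
    no trust decision is made on the unverified payload.
    """
    payload = json.loads(_b64url_decode(token.split(".")[1]))
    return int(payload["exp"])


def token_is_fresh(token: str, now: Optional[float] = None, skew: int = 60) -> bool:
    """True if a cached token has not expired (with a clock-skew margin).

    A still-fresh cached token is what masked the restriction in the thread:
    the geography check runs at authentication, not on every API call.
    """
    now = time.time() if now is None else now
    return jwt_exp(token) - skew > now


def classify_token_response(status: int, body: dict) -> str:
    """Map an /oauth/token response to 'issued', 'rejected' or 'other'."""
    if status == 200 and "access_token" in body:
        return "issued"
    if body.get("error") == "invalid_client":
        # What the thread saw from a blocked location. A wrong secret yields
        # the same error, so verify from an allowed network first.
        return "rejected"
    return "other"


def request_token(tenant: str, client_id: str, client_secret: str) -> tuple:
    """Always mint a new token (never reuse a cached one) so the request hits
    the authentication step where the restriction is enforced."""
    url = f"https://{tenant}.api.identitynow.com/oauth/token"
    data = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
    }).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        try:
            body = json.loads(e.read())
        except ValueError:
            body = {}
        return e.code, body
    except urllib.error.URLError as e:
        # DNS/TLS/connection failure: not an authentication verdict at all.
        return 0, {"error": "network", "error_description": str(e.reason)}


def make_sample_token(exp: int) -> str:
    """Constructed, unsigned JWT used only to exercise jwt_exp/token_is_fresh offline."""
    def seg(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{seg({'alg': 'HS256', 'typ': 'JWT'})}.{seg({'exp': exp})}.sig"


if __name__ == "__main__":
    # A token minted before the restriction still looks usable for an hour.
    cached = make_sample_token(int(time.time()) + 3600)
    print("cached token still fresh:", token_is_fresh(cached))
    # The real test: force a new token request (replace the placeholders).
    status, body = request_token("my-tenant", "CLIENT_ID", "CLIENT_SECRET")
    print(status, classify_token_response(status, body), body)
```

Run it once from an allowed location to see `issued`, then from the restricted one: the same PAT should flip to `rejected` with the `Bad client credentials` body quoted above, while any token cached from the first run keeps passing `token_is_fresh` until it expires.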
