Hi,
can we have the range of IP addresses that traffic is coming from? I am getting a 403 error while calling APIs from SaaS Connector, so we need to add those IPs to our whitelist.
At this time, SaaS connectivity isn’t the right choice for connecting to internally hosted applications that are behind a firewall. Our infrastructure uses dynamic IP addresses, so we can’t guarantee a range that will work for any meaningful amount of time. The most reliable approach will be to use a VA-based web service connector to connect to internal applications.
Our product team is aware of the desire to use SaaS connectivity with internal web services, so I expect that this will be possible in the future, but I don’t have a timeframe for when to expect this.
Hi Colin,
I think you may have misunderstood the requirement - we’re not connecting to an internally hosted application, which we are continuing to use the VA connectivity for - we are connecting to a SaaS service which has an IP whitelist for authenticating to our tenancy.
We would need to know the source IP address range that the cloud connector connects from in order to include this in the IP address whitelist. I understand that dynamic IP addresses would be used, but this would be within a specific IP address range which we should be able to reasonably whitelist in our configuration.
Thanks for clarifying, Ramiro. Unfortunately, the issue is still the same. Our SaaS connectivity doesn’t offer a predictable IP address range, and it can change at any time as new versions of it are deployed or the network infrastructure changes. The most reliable solution will be to use a webservice 1.0 connector. That way you control the IP address range on your VA that you can use in the whitelisting on your target service.
One thing that will help is if you submit an idea for static IPs or VA-based SaaS connectivity. Our PMs are more likely to work on this feature if they hear it from customers like yourself.
Thanks for confirming. I have to say that’s disappointing. I would expect that our IdentityNow pod would have a public IP address range allocated to it in general, which we could limit the requests to.
Allowing us to use the new capability from our own VAs is something I raised previously, but at this stage it won’t work for us unless it’s available tomorrow.
So we’re back to the v1 connectors at this stage.
I appreciate the feedback, Ramiro, and I am communicating this back to the product team. The more we hear from customers like yourself, the more priority this will be assigned.
Hi Colin,
Is this also true for the SaaS workflows with regard to the HTTP Request action? We have a requirement to invoke an on-prem API using a workflow step; however, we are struggling with getting this to work through the firewall. Even for some cloud SaaS APIs, it is best practice to restrict who can initiate a call via a domain or IP list. Is this not possible using workflow requests?
Hi all, I’ve created an Idea to have fixed tenant IP addresses. Please vote here if you think your organisation may find it useful.
There is now a documented process for finding IP addresses used by IdentityNow for building an allow list. See the documentation here: IP Address Allow List | SailPoint Developer Community