IP Address Allow List
Some SaaS services like Workflows and SaaS Connectivity might need to reach out to internal resources to perform operations inside a customer environment. Instead of opening up those internal resources to the entire internet, you can create an IP Address Allow List so that you can be sure that all SaaS resources can access them while restricting the IP Address range to only allow what is required.
Finding your Tenant's Region
In order to create an IP Address Allow list, you need to know what region your tenant is hosted in. If you don't know this, you can find it by using one of two processes:
Finding your tenant using the admin console
Go to the admin console in IdentityNow and find the 'Org Details' section. You will find your tenant's host region there:
Finding your tenant programmatically using the IP address returned by IdentityNow
If you can't access the admin console or you want to dynamically find the region through code, follow these steps to find it:
- Find the IP address of your tenant by sending an API request in Postman or through any other API framework:
- After a successful call to IdentityNow, hover over the globe icon in the response window in Postman to get the IP address:
Download the IP Address ranges from AWS
Compare the IP address found when calling IdentityNow to the list provided by AWS to determine where your tenant is hosted. You can run a simple Python script to easily find what region the IP address belongs to:
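import json
from ipaddress import ip_network, ip_address

def find_aws_region(ip):
    # You can download this file from https://ip-ranges.amazonaws.com/ip-ranges.json
    with open('ip-ranges.json') as f:
        ip_json = json.load(f)
    prefixes = ip_json['prefixes']  # IPv4 prefixes only
    my_ip = ip_address(ip)
    region = 'Unknown'
    # Check the address against every published prefix
    for prefix in prefixes:
        if my_ip in ip_network(prefix['ip_prefix']):
            region = prefix['region']
    return region

# output should be something like us-east-1
# simply add your IP address here:
print(find_aws_region('192.0.2.10'))  # placeholder address; replace with your tenant's IP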
Using your region to create the allow-list URL
The URL used to find your range of allow list URLs can be constructed using the region found above and the file format desired.
Where REGION is the region of your IdentityNow Tenant and FILENAME is one of the three following:
For example, if a tenant is hosted in the us-east-1 region, to fetch a yaml representation of the IP address range, use the following URL:
which will result in a file similar to the following:
These IP Address ranges can now be used as an allow list to permit any call from your IdentityNow tenant to access your internal network.
These IP Address ranges can change at any time. The implementation will need to account for this by regularly updating the allow list.
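One way to handle the regular update described above, as an added example that is not part of the original documentation: compare the ranges currently in your allow list with the newly downloaded ones and compute which rules to add and which to remove. It assumes the CIDR strings have already been read out of the downloaded file; `parse_ranges`, `plan_update`, `MIN_PREFIX_LEN` and the sample ranges are constructed for illustration.

```python
from ipaddress import ip_network, collapse_addresses

# Assumption: policy floor. Anything broader than this is refused so that a bad
# download can never turn the allow list into "the entire internet".
MIN_PREFIX_LEN = {4: 16, 6: 32}

def parse_ranges(cidrs):
    """Validate CIDR strings and return a set of collapsed networks."""
    nets = {4: [], 6: []}
    for cidr in cidrs:
        # strict=True raises ValueError on malformed input or set host bits
        net = ip_network(cidr.strip(), strict=True)
        if net.prefixlen < MIN_PREFIX_LEN[net.version]:
            raise ValueError(f"{net} is broader than the allow list policy permits")
        nets[net.version].append(net)
    # Collapsing merges adjacent or overlapping ranges, so two /25s equal one /24
    return set(collapse_addresses(nets[4])) | set(collapse_addresses(nets[6]))

def plan_update(current_cidrs, published_cidrs):
    """Return (to_add, to_remove) as sorted lists of CIDR strings."""
    current = parse_ranges(current_cidrs)
    published = parse_ranges(published_cidrs)
    if not published:
        # An empty download is more likely a fetch error than a real change
        raise ValueError("published list is empty; refusing to remove every rule")
    key = lambda n: (n.version, n)  # IPv4 first, then IPv6
    to_add = [str(n) for n in sorted(published - current, key=key)]
    to_remove = [str(n) for n in sorted(current - published, key=key)]
    return to_add, to_remove

# Constructed sample data (documentation ranges, not real tenant ranges)
CURRENT = ["192.0.2.0/25", "192.0.2.128/25", "198.51.100.0/24"]
PUBLISHED = ["192.0.2.0/24", "203.0.113.0/24", "2001:db8:1::/48"]

if __name__ == "__main__":
    add, remove = plan_update(CURRENT, PUBLISHED)
    print("add:   ", add)
    print("remove:", remove)
```

Run this on a schedule and apply `to_add` before `to_remove`, so that traffic from the tenant is never blocked partway through an update.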