My employer has started using some third-party sites to replace parts of the intranet, using SAML2 to authenticate against the domain. Since VPN addresses (10.../8) fall under LOCAL, they are restricted by the one default rule that comes with ABE. I don't see any way to make an exception for a specific site without enumerating LOCAL, which seems tedious and still has problems.
An example site is www.workday.com, and I'll use domain.net as my work domain. The SAML2 server is auth.domain.net. The rules I needed to allow workday to POST to the SAML server are:
Site LOCAL
Accept from LOCAL .myworkday.com .domain.net
Deny
Site .myworkday.com
Accept POST from SELF .auth.domain.net
Accept GET
Deny
This opens up LOCAL to my work domain and the external site very broadly. Is there any way of making a specific exclusion for auth.domain.net without opening up all of LOCAL?
I'm also curious why "Accept from .domain.net" (all of domain.net is in 10.../8) was needed in the Site LOCAL rule, but it was.
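To see what the two rules above actually permit, here is an added example (not part of the post, and not NoScript's own code): a small Python model of ABE's first-match evaluation run over exactly that ruleset. It assumes the documented ABE semantics (rules checked top-down, the first Site block matching the destination is used and its first matching predicate decides; a request no rule matches is allowed), a constructed DNS view in which the 10/8 VPN hosts are LOCAL, and a hypothetical host evil.example as the third-party origin.

```python
import ipaddress

# The ruleset from the post above, embedded as constructed input.
RULES = """\
Site LOCAL
Accept from LOCAL .myworkday.com .domain.net
Deny
Site .myworkday.com
Accept POST from SELF .auth.domain.net
Accept GET
Deny
"""

# Hypothetical DNS view: hosts on the 10/8 VPN range count as LOCAL, as the post describes.
RESOLVE = {"auth.domain.net": "10.1.2.3", "intranet.domain.net": "10.1.2.4",
           "www.myworkday.com": "198.51.100.7", "evil.example": "198.51.100.9"}
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("127.0.0.0/8")]

def is_local(host):
    ip = RESOLVE.get(host)
    return ip is not None and any(ipaddress.ip_address(ip) in net for net in LOCAL_NETS)

def matches(pattern, host, other):
    """Does `host` match an ABE site pattern? `other` is the peer host, used for SELF."""
    if pattern == "LOCAL":
        return is_local(host)
    if pattern == "SELF":
        return host == other
    if pattern.startswith("."):      # ".example.com" matches the domain and any subdomain
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def parse(text):
    """Return [(site_patterns, [(action, methods, origins), ...]), ...] in file order."""
    blocks = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "Site":
            blocks.append((parts[1:], []))
            continue
        action, rest = parts[0], parts[1:]
        i = rest.index("from") if "from" in rest else len(rest)
        blocks[-1][1].append((action, rest[:i], rest[i + 1:]))   # methods before "from", origins after
    return blocks

def decide(method, origin, dest):
    """First Site block matching `dest`, then first predicate matching method and origin, decides."""
    for sites, preds in parse(RULES):
        if not any(matches(s, dest, origin) for s in sites):
            continue
        for action, methods, origins in preds:
            if methods and method not in methods:
                continue
            if origins and not any(matches(o, origin, dest) for o in origins):
                continue
            return action
    return "Accept"   # nothing matched: ABE lets the request through
```

Evaluating `decide("POST", "www.myworkday.com", "intranet.domain.net")` shows the breadth the question is about: the first rule accepts a POST from any .myworkday.com host to any LOCAL host, not only the SAML POST to auth.domain.net.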