Unable to exclude VPN site for SAML

Discussions about the Application Boundaries Enforcer (ABE) module
rezca
Posts: 5
Joined: Fri Nov 21, 2014 3:29 pm

Unable to exclude VPN site for SAML

Post by rezca »

My employer has started using some 3rd party sites to replace parts of the intranet, using SAML2 to authenticate against the domain. Since VPN addresses (10.../8) fall under LOCAL, they are restricted by the one default rule that comes with ABE. I don't see any way to make an exception for a specific site without enumerating LOCAL, which seems tedious and still has problems.

An example site is www.workday.com, and I'll use domain.net as my work domain. The SAML2 server is auth.domain.net. The rules I needed to allow workday to POST to the SAML server are:


Site LOCAL
Accept from LOCAL .myworkday.com .domain.net
Deny

Site .myworkday.com
Accept POST from SELF .auth.domain.net
Accept GET
Deny
This opens up LOCAL to my work domain and the external site very broadly. Is there any way of making a specific exclusion for auth.domain.net without opening up all of LOCAL?

I'm also curious why "Accept from .domain.net" (all of domain.net is in 10.../8) was needed in the Site LOCAL rule, but it was.
Giorgio Maone
Site Admin
Posts: 9454
Joined: Wed Mar 18, 2009 11:22 pm
Location: Palermo - Italy

Re: Unable to exclude VPN site for SAML

Post by Giorgio Maone »

Are those rules put in the SYSTEM ruleset?
If not, they should be moved there.
Also, the ruleset is processed from top to bottom and any "Accept" rule stops the ruleset processing, hence you must put your exceptions in the beginning of the ruleset (before the default LOCAL rule).
Hope it helps.
rezca
Posts: 5
Joined: Fri Nov 21, 2014 3:29 pm

Re: Unable to exclude VPN site for SAML

Post by rezca »

It all makes sense with your explanation of ruleset processing order, and I see that paragraph in the PDF now. Should that be included on https://noscript.net/abe too?
I had the first rule in SYSTEM and the second in USER. What is the use for USER? Does it just get processed after SYSTEM?

Working ruleset below. Thanks for your help!


Site .auth.domain.net
Accept from .myworkday.com SELF+
Deny

Site .myworkday.com
Accept from .auth.domain.net SELF+
Deny

Site LOCAL
Accept from LOCAL
Deny
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Unable to exclude VPN site for SAML

Post by barbaz »

rezca wrote: What is the use for USER? Does it just get processed after SYSTEM?
The point of the USER ruleset is so that you can play around with defining boundaries for a site(s) without worrying about messing up the default LOCAL protection.
*Always* check the changelogs BEFORE updating that important software!
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: Unable to exclude VPN site for SAML

Post by Thrawn »

barbaz wrote:
rezca wrote: What is the use for USER? Does it just get processed after SYSTEM?
The point of the USER ruleset is so that you can play around with defining boundaries for a site(s) without worrying about messing up the default LOCAL protection.
And the USER ruleset will be run even after a rule in SYSTEM matches.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
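The processing-order point Giorgio makes above, the working ruleset rezca posted, and Thrawn's note that USER still runs after SYSTEM, as an added Python model of how ABE walks a ruleset. This is example code written for this thread, not NoScript's own implementation; the LOCAL address set, the SELF/SELF+ matching, the fall-through when a matched Site has no matching action, and the way SYSTEM and USER results are combined are simplifying assumptions, and the DNS table is constructed so the script runs offline.

```python
"""Simplified model of how ABE walks a ruleset, added here as an example; it is
not NoScript's own code.  It encodes the points made in this thread: rules are
walked top to bottom, the first matching Accept or Deny decides, and the SYSTEM
ruleset is consulted before USER.  The LOCAL address set, SELF/SELF+ matching,
the fall-through when a matched site has no matching action, and the way SYSTEM
and USER results combine are simplifying assumptions; the DNS table is constructed."""
import ipaddress
from urllib.parse import urlsplit

# Constructed host -> address table standing in for DNS; domain.net sits on the 10/8 VPN.
DNS = {"auth.domain.net": "10.20.30.40", "intranet.domain.net": "10.1.2.3",
       "www.myworkday.com": "198.51.100.7", "attacker.example": "203.0.113.9"}
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def is_local(host):
    """LOCAL: localhost or a name resolving into a private range (assumption)."""
    if host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(DNS.get(host, host))
    except ValueError:
        return False                      # unresolvable name: not LOCAL
    return any(addr in net for net in LOCAL_NETS)

def base_domain(host):
    return ".".join(host.split(".")[-2:])  # naive; real ABE uses the public suffix list

def match_domain(pattern, host):
    """'.example.com' covers the domain and its subdomains; a bare name only itself."""
    if pattern.startswith("."):
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern

def match_site(pattern, dest):
    return is_local(dest) if pattern == "LOCAL" else match_domain(pattern, dest)

def match_origin(pattern, origin, dest):
    if pattern == "SELF":
        return origin == dest
    if pattern == "SELF+":
        return base_domain(origin) == base_domain(dest)
    return match_site(pattern, origin)    # LOCAL or a domain pattern

def parse_ruleset(text):
    """Returns [(site_patterns, [(verb, methods, origins), ...]), ...];
    an empty methods set means any method, an empty origins list any origin."""
    rules = []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "Site":
            rules.append((words[1:], []))
        elif words[0] in ("Accept", "Deny") and rules:
            rest = words[1:]
            cut = rest.index("from") if "from" in rest else len(rest)
            methods = {m for m in rest[:cut] if m != "ALL"}
            rules[-1][1].append((words[0], methods, rest[cut + 1:]))
        else:
            raise ValueError("unrecognised line: " + raw)
    return rules

def evaluate(rules, origin_url, dest_url, method):
    """Top-to-bottom walk: the first action whose site, method and origin all
    match decides, so an early Accept (or Deny) stops processing."""
    origin, dest = urlsplit(origin_url).hostname, urlsplit(dest_url).hostname
    for sites, actions in rules:
        if not any(match_site(p, dest) for p in sites):
            continue
        for verb, methods, origins in actions:
            if methods and method not in methods:
                continue
            if origins and not any(match_origin(p, origin, dest) for p in origins):
                continue
            return verb
    return None                           # no rule matched

def decide(system_text, user_text, origin_url, dest_url, method):
    """SYSTEM first, then USER still runs; a Deny from either blocks (assumed)."""
    for text in (system_text, user_text):
        if evaluate(parse_ruleset(text), origin_url, dest_url, method) == "Deny":
            return "Deny"
    return "Accept"

DEFAULT = "Site LOCAL\nAccept from LOCAL\nDeny\n"          # ABE's default rule
EXCEPTIONS = """Site .auth.domain.net
Accept from .myworkday.com SELF+
Deny
Site .myworkday.com
Accept from .auth.domain.net SELF+
Deny
"""

if __name__ == "__main__":
    saml = ("https://www.myworkday.com/", "https://auth.domain.net/saml", "POST")
    print("exceptions before LOCAL:", decide(EXCEPTIONS + DEFAULT, "", *saml))  # Accept
    print("exceptions after LOCAL: ", decide(DEFAULT + EXCEPTIONS, "", *saml))  # Deny
    print("exceptions only in USER:", decide(DEFAULT, EXCEPTIONS, *saml))       # Deny
```

Running the script shows the three outcomes the thread describes: the SAML POST from myworkday.com to the VPN-hosted auth.domain.net is accepted only when the exception rules sit above the default LOCAL rule in SYSTEM; placed after it, or in USER, the LOCAL rule's Deny is reached first and wins. The same ruleset still denies a request from an outside origin to another intranet host, so the exceptions do not open LOCAL generally.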
akeeton

Re: Unable to exclude VPN site for SAML

Post by akeeton »

I got here from a search for "myworkday.com noscript" and was able to fix the problem using the information here. However, I had to tweak the ABE rules a bit, so I figured I would post what worked for me in case it can help anyone else with myworkday.com and ABE. At the top of my rules I have the following (example.com is standing in for my employer's domain):


Site saml.example.com
Accept ALL from .example.com .myworkday.com
Deny

Site .myworkday.com
Accept ALL from .example.com
Deny
akeeton
Posts: 1
Joined: Mon Jan 26, 2015 3:55 pm

Re: Unable to exclude VPN site for SAML

Post by akeeton »

akeeton wrote: I got here from a search for "myworkday.com noscript" and was able to fix the problem using the information here. However, I had to tweak the ABE rules a bit, so I figured I would post what worked for me in case it can help anyone else with myworkday.com and ABE. At the top of my rules I have the following (example.com is standing in for my employer's domain):


Site saml.example.com
Accept ALL from .example.com .myworkday.com
Deny

Site .myworkday.com
Accept ALL from .example.com
Deny
I jumped the gun and posted this before I actually tried signing in at the SAML page. Some additional rules were required to get through to myworkday.com:


Site .example.com
Accept ALL from .example.com .workday.com .myworkday.com SELF+
Deny

Site .myworkday.com
Accept ALL from .example.com .workday.com .myworkday.com SELF+
Deny

Site .workday.com
Accept ALL from .example.com .workday.com .myworkday.com SELF+
Deny
barbaz
Senior Member
Posts: 10847
Joined: Sat Aug 03, 2013 5:45 pm

Re: Unable to exclude VPN site for SAML

Post by barbaz »

Nice, thanks for reporting your findings.
akeeton wrote:


Site .example.com
Accept ALL from .example.com .workday.com .myworkday.com SELF+
Deny

Site .myworkday.com
Accept ALL from .example.com .workday.com .myworkday.com SELF+
Deny

Site .workday.com
Accept ALL from .example.com .workday.com .myworkday.com SELF+
Deny
Can be shortened to


Site .example.com .myworkday.com .workday.com
Accept from .example.com .workday.com .myworkday.com
Deny
*Always* check the changelogs BEFORE updating that important software!