Unable to exclude VPN site for SAML

Posted: Fri Nov 21, 2014 3:40 pm
by rezca
My employer has started using some 3rd party sites to replace parts of the intranet, using SAML2 to authenticate against the domain. Since VPN addresses (10.../8) fall under LOCAL, they are restricted by the one default rule that comes with ABE. I don't see any way to make an exception for a specific site without enumerating LOCAL, which seems tedious and still has problems.

An example site is www.workday.com, and I'll use domain.net as my work domain. The SAML2 server is auth.domain.net. The rules I needed to allow workday to POST to the SAML server are:

Site LOCAL
Accept from LOCAL .myworkday.com .domain.net
Deny

Site .myworkday.com
Accept POST from SELF .auth.domain.net
Accept GET
Deny
This opens up LOCAL to my work domain and the external site very broadly. Is there any way of making a specific exclusion for auth.domain.net without opening up all of LOCAL?

I'm also curious why "Accept from .domain.net" (all of domain.net is in 10.../8) was needed in the Site LOCAL rule, but it was.

Re: Unable to exclude VPN site for SAML

Posted: Fri Nov 21, 2014 6:16 pm
by Giorgio Maone
Are those rules put in the SYSTEM ruleset?
If not, they should be moved there.
Also, the ruleset is processed from top to bottom and any "Accept" rule stops the ruleset processing, hence you must put your exceptions in the beginning of the ruleset (before the default LOCAL rule).
Hope it helps.

Re: Unable to exclude VPN site for SAML

Posted: Fri Nov 21, 2014 6:42 pm
by rezca
It all makes sense with your explanation of ruleset processing order, and I see that paragraph in the PDF now. Should that be included on https://noscript.net/abe too?
I had the first rule in SYSTEM and the second in USER. What is the use for USER? Does it just get processed after SYSTEM?

Working ruleset below. Thanks for your help!

Site .auth.domain.net
Accept from .myworkday.com SELF+
Deny

Site .myworkday.com
Accept from .auth.domain.net SELF+
Deny

Site LOCAL
Accept from LOCAL
Deny
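Giorgio's top-to-bottom, first-match explanation and the working ruleset above, turned into an added Python simulator (a simplified model written for this thread, not NoScript's own ABE code). The constructed name-to-address map, reading LOCAL as "resolves into the 10/8 VPN range", and the SELF/SELF+ interpretations are assumptions.

```python
import ipaddress

# Constructed stand-in for DNS: the work domain sits in the 10/8 VPN range (LOCAL).
HOSTS = {"auth.domain.net": "10.1.1.10", "wiki.domain.net": "10.1.1.20",
         "www.myworkday.com": "203.0.113.5", "evil.example": "198.51.100.7"}

def matches(pattern, host):
    if pattern == "LOCAL":  # assumption: LOCAL means the name resolves into 10/8
        return host in HOSTS and ipaddress.ip_address(HOSTS[host]) in ipaddress.ip_network("10.0.0.0/8")
    if pattern.startswith("."):  # .domain.net covers domain.net and its subdomains
        return host == pattern[1:] or host.endswith(pattern)
    return host == pattern  # bare name: exact host only

def parse(text):
    """Split a ruleset into (site_patterns, [(action, methods, origins)]) blocks."""
    blocks = []
    for words in (line.split() for line in text.splitlines() if line.strip()):
        if words[0] == "Site":
            blocks.append((words[1:], []))
            continue
        rest = words[1:]
        cut = rest.index("from") if "from" in rest else len(rest)
        origins = rest[cut + 1:] if cut < len(rest) else None  # None: any origin
        blocks[-1][1].append((words[0], set(rest[:cut]) or {"ALL"}, origins))
    return blocks

def allowed_from(origins, origin, dest, site):
    # Assumption: SELF = same host as the destination; SELF+ = any host of the Site block.
    return origins is None or any((o == "SELF" and origin == dest)
        or (o == "SELF+" and any(matches(p, origin) for p in site))
        or (o not in ("SELF", "SELF+") and matches(o, origin)) for o in origins)

def evaluate(blocks, method, dest, origin):
    """First-match model from the thread: top to bottom, the first matching rule decides."""
    for site, rules in blocks:
        for action, methods, origins in (rules if any(matches(p, dest) for p in site) else []):
            if ("ALL" in methods or method in methods) and allowed_from(origins, origin, dest, site):
                return action
    return "Accept"  # nothing matched: ABE does not interfere

WORKING = """Site .auth.domain.net
Accept from .myworkday.com SELF+
Deny
Site .myworkday.com
Accept from .auth.domain.net SELF+
Deny
Site LOCAL
Accept from LOCAL
Deny"""
```

With the exceptions first, the SAML response POSTed from www.myworkday.com to auth.domain.net evaluates to Accept while the same POST from an unrelated origin is denied; move the `Site LOCAL` block to the top, as in the first post, and the myworkday.com POST is denied too, because the LOCAL block's Deny is the first rule that matches.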

Re: Unable to exclude VPN site for SAML

Posted: Fri Nov 21, 2014 7:38 pm
by barbaz
rezca wrote: What is the use for USER? Does it just get processed after SYSTEM?
The point of the USER ruleset is so that you can play around with defining boundaries for a site(s) without worrying about messing up the default LOCAL protection.

Re: Unable to exclude VPN site for SAML

Posted: Sat Nov 22, 2014 4:09 am
by Thrawn
barbaz wrote:
rezca wrote: What is the use for USER? Does it just get processed after SYSTEM?
The point of the USER ruleset is so that you can play around with defining boundaries for a site(s) without worrying about messing up the default LOCAL protection.
And the USER ruleset will be run even after a rule in SYSTEM matches.

Re: Unable to exclude VPN site for SAML

Posted: Mon Jan 26, 2015 3:50 pm
by akeeton
I got here from a search for "myworkday.com noscript" and was able to fix the problem using the information here. However, I had to tweak the ABE rules a bit, so I figured I would post what worked for me in case it can help anyone else with myworkday.com and ABE. At the top of my rules I have the following (example.com is standing in for my employer's domain):

Site saml.example.com
Accept ALL from .example.com .myworkday.com
Deny

Site .myworkday.com
Accept ALL from .example.com
Deny

Re: Unable to exclude VPN site for SAML

Posted: Mon Jan 26, 2015 4:01 pm
by akeeton
akeeton wrote: I got here from a search for "myworkday.com noscript" and was able to fix the problem using the information here. However, I had to tweak the ABE rules a bit, so I figured I would post what worked for me in case it can help anyone else with myworkday.com and ABE. At the top of my rules I have the following (example.com is standing in for my employer's domain):

Site saml.example.com
Accept ALL from .example.com .myworkday.com
Deny

Site .myworkday.com
Accept ALL from .example.com
Deny
I jumped the gun and posted this before I actually tried signing in at the SAML page. Some additional rules were required to get through to myworkday.com:

Site .example.com
Accept ALL from .example.com .workday.com .myworkday.com SELF+
Deny

Site .myworkday.com
Accept ALL from .example.com .workday.com .myworkday.com SELF+
Deny

Site .workday.com
Accept ALL from .example.com .workday.com .myworkday.com SELF+
Deny

Re: Unable to exclude VPN site for SAML

Posted: Mon Jan 26, 2015 5:49 pm
by barbaz
Nice, thanks for reporting your findings.
akeeton wrote:

Site .example.com
Accept ALL from .example.com .workday.com .myworkday.com SELF+
Deny

Site .myworkday.com
Accept ALL from .example.com .workday.com .myworkday.com SELF+
Deny

Site .workday.com
Accept ALL from .example.com .workday.com .myworkday.com SELF+
Deny
Can be shortened to

Site .example.com .myworkday.com .workday.com
Accept from .example.com .workday.com .myworkday.com
Deny