System Admin and Configuration



    Daniel Chalker
    Restricting logins to a specific country
    Topic posted September 30, 2019 by Daniel Chalker

    For a number of years we've used the SEC_VALID_ADMIN_HOSTS setting to restrict logins to on-site staff.

    With BUI starting to become used more and more in our organisation, we're looking to loosen this restriction a little bit so that anyone with an Australian IP can access the login page. 

    Does anyone know if there's a way to restrict logins to a particular country/region using this setting or a combination of other settings? 

    Thanks in advance for any help!





    • Sebastiaan Draaisma

      You could write a PHP HOOK which would load before the page is loaded, checking the IP address and redirecting the user to a different page depending on the IP address, but how would you deal with the increasing popularity of VPN users who may be located in Australia but get a random IP address assigned to them? They would be unable to use your platform.

      I myself work with corporate VPN and when using google I sometimes get recognized as UK, India, Hungary etc.
      Keep that in mind when using an ip based system.

      If access to your service is being done through an app you could use the mobile device GPS to control which pages they should see. This would still allow your users to use VPN.

      Another alternative, which would only work if Australia has a single electronic identifier for its citizens, is to enforce users to use the login method. That way you know that only Australians are able to use your service, also if they happen to be on a short holiday. In Sweden we have something called mobile bank ID which you use for everything from signing into the tax office to approving an online purchase and other services. Maybe Australia has something similar.
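      As an added illustration of the pre-page-load hook idea above (example code, not from this thread or from Oracle Service Cloud; the hook registration itself is not shown), the following PHP decides whether the connecting address falls inside an allowlist of CIDR ranges and only trusts X-Forwarded-For when the request came through a proxy you control. The ranges and proxy address are placeholders, and, as the post notes, any VPN endpoint inside an allowed range passes.

```php
<?php
// Added example: CIDR allowlist check for a login-page hook. Matching a range
// says nothing about geography beyond the allocation data you feed it.

// Placeholder ranges (RFC 5737/3849 documentation nets), not real AU allocations.
const ALLOWED_CIDRS = ['203.0.113.0/24', '198.51.100.0/25', '2001:db8:ab::/48'];
// Reverse proxies whose X-Forwarded-For header may be believed (placeholder).
const TRUSTED_PROXIES = ['192.0.2.10'];

function ipInCidr(string $ip, string $cidr): bool {
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin = inet_pton($ip);
    $netBin = inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false;   // malformed input or an IPv4/IPv6 mismatch never matches
    }
    $bits = (int) $bits;
    $full = intdiv($bits, 8);
    if (substr($ipBin, 0, $full) !== substr($netBin, 0, $full)) {
        return false;
    }
    $rem = $bits % 8;   // leading bits of the next byte still need to match
    $mask = $rem === 0 ? 0 : (0xFF << (8 - $rem)) & 0xFF;
    return $rem === 0 || (ord($ipBin[$full]) & $mask) === (ord($netBin[$full]) & $mask);
}

function ipAllowed(string $ip, array $cidrs): bool {
    foreach ($cidrs as $cidr) {
        if (ipInCidr($ip, $cidr)) return true;
    }
    return false;
}

// X-Forwarded-For is client-controlled, so it is honoured only when the request
// arrived from a proxy we trust; otherwise the socket peer address is used.
function clientIp(array $server, array $trustedProxies): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (in_array($remote, $trustedProxies, true) && !empty($server['HTTP_X_FORWARDED_FOR'])) {
        $chain = array_map('trim', explode(',', $server['HTTP_X_FORWARDED_FOR']));
        return end($chain);   // last entry is the address the trusted proxy itself saw
    }
    return $remote;
}

// Constructed requests: a direct hit from an allowed range, and a disallowed
// address trying to spoof an allowed one through the header (not trusted).
$direct = ['REMOTE_ADDR' => '203.0.113.7'];
$spoofed = ['REMOTE_ADDR' => '198.51.100.200', 'HTTP_X_FORWARDED_FOR' => '203.0.113.7'];
var_dump(ipAllowed(clientIp($direct, TRUSTED_PROXIES), ALLOWED_CIDRS));
var_dump(ipAllowed(clientIp($spoofed, TRUSTED_PROXIES), ALLOWED_CIDRS));
```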

    • Daniel Chalker

      Thanks Sebastiaan,

      We're happy for customers to log in from wherever they are in the world; it's our service agents logging in to the console/BUI, who are all based in Australia, that we're trying to restrict the logins for (all in the name of security!). 



    • Sebastiaan Draaisma

      I don't see how that would change the security of your service. I mean it's the connection that has to be secure. Having someone sign in from an unsecure/open network within AUS compared to someone signing in from outside AUS on a secure network with VPN is a big difference.

      It's not going to be more secure just by looking at IP addresses; you will need some form of VPN to increase your security (if increasing security is your goal). If it's to check if your employees are within AUS then they would still be able to work from Australia's most popular destination Bali by using a VPN, making your system believe they are in Australia.

    • Daniel Chalker

      We're actually trying to decrease security, but not totally open it up for everyone! At the moment staff can only log in when they're on an approved network (either physically on-site, or through an organisational VPN). Working with our internal security team, we're happy to remove this restriction to facilitate people working from home using the BUI without going through the VPN, but they've recommended we try and restrict these logins to staff located in Australia (if that means someone wants to sit in Bali and use a VPN to pretend they're in Australia to log in, so be it!).

      SEC_VALID_ADMIN_HOSTS seems to be the only way in which we can restrict agent logins, and it's obviously not feasible to include 'Australian' IP addresses in this setting. I wasn't sure if there were perhaps some other settings that I've overlooked which could be used to perhaps restrict the staff 'login region', or something along those lines. 

    • Sebastiaan Draaisma

      Yea, the OOB configuration is the SEC_VALID_ADMIN_HOSTS, but you are able to design your own system with an identity provider (SSO); this allows you to develop your own login system. Once active you change the profile permissions to enforce SSO and the agent is unable to sign into the system without your SSO.


    • Sebastiaan Draaisma

      Another solution is to use a terminal server solution. I used to work at a place that worked with that. OSVC was installed on the server. The SEC_VALID_ADMIN_HOSTS had the IP address of this server, forcing everyone to sign into this server. You could create your own login method for this server. We were still able to work remotely through VPN but were required to use the terminal server.

      My personal preference would be through an identity provider but it's an option.