Summary
IDP IPAddressRiskRule fails on processing X-Forwarded-For header after upgrading NAM from 451 to 503
Products
Access Manager (NAM)
Environment
Access Manager Version 5.0.3
Multiple IDP Clusters have been configured
A risk-based policy has been configured to run a possible step-up based on the client IP address, checking for "internal IP addresses".
Because clients pass through NAT devices (e.g. a proxy or load balancer), the IP address used to send a request to the IDP server is not the real IP address assigned to the client. To make sure an existing X-Forwarded-For header is parsed for both clusters, the NAT Settings option has been enabled as below.
Situation
After upgrading Access Manager from version 4.5.1 to 5.0.3, the risk policy no longer evaluates the real IP address passed in the X-Forwarded-For HTTP header. Due to the logic within the policy, the required step-up authentication method will never get executed.
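The effect described above can be reproduced with a small model of the decision. This is an added example, not code from the KB article or from Access Manager: the network ranges, the function names and the rule direction (step up unless the evaluated address is internal) are assumptions made for illustration.

```python
import ipaddress

# Constructed sample ranges (assumptions, not from the KB article).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
TRUSTED_PROXIES = [ipaddress.ip_network("10.1.1.0/24")]  # NAT / load balancer tier


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def effective_client_ip(peer_ip, xff_header, honour_xff=True):
    """Return the address a risk rule should evaluate, or None if unparseable.

    The header is used only when the TCP peer is a trusted proxy. The chain
    is walked right to left; the first hop that is not a proxy is the client.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not honour_xff or not xff_header or not _in_any(peer, TRUSTED_PROXIES):
        return peer
    try:
        hops = [ipaddress.ip_address(h.strip()) for h in xff_header.split(",")]
    except ValueError:
        return None  # malformed entry: caller must fail closed
    for addr in reversed(hops):
        if not _in_any(addr, TRUSTED_PROXIES):
            return addr
    return hops[0]  # every hop was a proxy: leftmost entry is the origin


def needs_step_up(peer_ip, xff_header, honour_xff=True):
    """Assumed rule: step up unless the evaluated address is internal."""
    client = effective_client_ip(peer_ip, xff_header, honour_xff)
    return client is None or not _in_any(client, INTERNAL_NETS)


if __name__ == "__main__":
    # External client behind the load balancer at 10.1.1.5 (constructed values).
    print(needs_step_up("10.1.1.5", "203.0.113.7"))                    # header parsed
    print(needs_step_up("10.1.1.5", "203.0.113.7", honour_xff=False))  # header ignored
```

With the header ignored, the rule sees only the proxy's internal address, so an external client is classified as internal and step-up is skipped. A quick check after any upgrade is to compare the client address in the risk evaluation logs with the address the proxy forwarded.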
URL Name
KM000015562