Symptom
The command "cf login --origin <IdP name>" is used to log in to Cloud Foundry. On the IAS side, within the relevant application, Risk-Based Authentication (RBA) is configured to restrict access, with the default action set to "Deny." Consequently, when the command "cf login --origin <IdP name>" is executed, access is denied, resulting in a 401 error. The logs indicate this denial with the message "Denied by RBA rules," as observed below:
"<time stamp>","<incoming IP address>",anonymous,INFO,"ID","state=""failed"", action=""login"", objectType=""user"", objectId=""P00xxxx"", cause=""rbaRulesCheckFailure"", message=""Denied by RBA rules"", category=""audit.authentication"", credentialType=""{UID_PW=authenticated}"", originalCallerIp=""xxx.xxx.xxx.xxx"", workflow=""openIdConnect"", serviceProvider=""btp-platform"" "
To allow access, the incoming IP address shown above must be added to the rule list of Risk-Based Authentication. Because the incoming IP address changes, a list of the possible IP addresses is needed.
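As an added example (not part of the SAP article), the following Python script reads exported log lines in the layout shown above and tallies, per incoming IP address, the logins denied with cause rbaRulesCheckFailure for one service provider. The sample lines, user IDs, the "other-app" provider and the function name denied_by_rba are constructed for illustration, and the column order is assumed from the single entry shown.

```python
import csv
import io
import re
from collections import Counter, defaultdict

def _line(ts, ip, user, sp):
    # Build one constructed entry in the layout of the log line shown above.
    return (f'"{ts}","{ip}",anonymous,INFO,"ID","state=""failed"", action=""login"", '
            f'objectType=""user"", objectId=""{user}"", cause=""rbaRulesCheckFailure"", '
            f'message=""Denied by RBA rules"", category=""audit.authentication"", '
            f'credentialType=""{{UID_PW=authenticated}}"", originalCallerIp=""{ip}"", '
            f'workflow=""openIdConnect"", serviceProvider=""{sp}"" "')

# Constructed sample data: timestamps and user IDs are made up, the IP
# addresses come from documentation ranges, "other-app" is hypothetical.
SAMPLE_LOG = "\n".join([
    _line("2024-05-01T08:00:01Z", "198.51.100.10", "P000001", "btp-platform"),
    _line("2024-05-01T08:05:12Z", "198.51.100.11", "P000002", "btp-platform"),
    _line("2024-05-01T08:07:40Z", "198.51.100.10", "P000001", "btp-platform"),
    _line("2024-05-01T08:08:03Z", "203.0.113.9", "P000003", "other-app"),
    '"2024-05-01T08:09:00Z","203.0.113.7"',  # truncated line, must be skipped
]) + "\n"

# key="value" pairs inside the last CSV field (after csv un-doubles the quotes)
PAIR = re.compile(r'(\w+)="([^"]*)"')

def denied_by_rba(log_text, service_provider="btp-platform"):
    """Return {incoming_ip: Counter({objectId: denials})} for RBA denials."""
    result = defaultdict(Counter)
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 6:
            continue  # blank or truncated entry
        details = dict(PAIR.findall(row[5]))
        if (details.get("cause") == "rbaRulesCheckFailure"
                and details.get("serviceProvider") == service_provider):
            # row[1] is the incoming IP address column of the log entry
            result[row[1]][details.get("objectId", "unknown")] += 1
    return dict(result)

if __name__ == "__main__":
    for ip, users in sorted(denied_by_rba(SAMPLE_LOG).items()):
        print(ip, sum(users.values()), "denied:", ", ".join(sorted(users)))
```

The tally covers only addresses that have already been denied, so it supports reviewing candidates for the RBA rule rather than supplying the full list of possible addresses.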
Environment
- SAP Cloud Identity Services
- BTP
Product
Keywords
cf login, cf login --origin, RBA Rule Configuration, IP Address Whitelisting, Credential Type UID_PW, KBA, BC-IAM-IDS, Identity Authentication Service, BC-CP-CF-SEC-IAM, UAA, Authentication, Authorization, Trust Mgmnt, How To
About this page
This is a preview of an SAP Knowledge Base Article. The full version is available on SAP for Me (login required).