How to Set Up Callback URI for Local App Using EntraID?

Asked By TechSavvy42 On

Hi everyone! I'm the system administrator for a small company. We don't primarily develop software, but we have created an in-house line-of-business application hosted on-premises, which is accessible via WAN through a firewall managed by HAProxy and Suricata. We want to integrate our login process with our Microsoft 365 setup that syncs with our on-premises Active Directory.

The challenge is that our application server is configured to allow connections on port 443 only from IP addresses within France. This restriction means that authentication callbacks from EntraID can't reach our application during the login phase.

I'm wondering if there's a workaround for this scenario. For instance, can I set up some kind of proxy solution, as I don't think I can configure EntraID to use a single static IP address that complies with our firewall rules? Oh, and just for your information, we are using Oracle APEX as the framework for this application, which is entirely web-based.

3 Answers

Answered By WebDevDude3 On

Just a heads-up on the OAuth flow: the user’s browser is responsible for the connections. It goes something like this:
1. User interacts with your web app.
2. The user is redirected to EntraID for authentication.
3. After logging in, the user is sent back to your web app via a redirect.

This flow means you need to adjust any geographical restrictions at the proxy level, or consider using something like the Entra App Proxy to manage access. In my experience, Cloudflare or Azure Front Door could really streamline this process and handle connections more dynamically.

Answered By ServerWhiz99 On

You're right! EntraID won't allow you to limit callbacks to a single static IP or specific IP ranges from France. The standard solution is exactly what you're considering: establish a reverse proxy in a location your firewall trusts. EntraID can call this proxy, which can then forward the callback requests to your internal application. This setup can help you bypass the IP restriction while keeping your application secure.

Answered By NetworkGuru88 On

Keep in mind that EntraID doesn’t actually need to communicate directly with your application. The way this works is that:
1. A user tries to access your app.
2. If they don't have a valid token, your app redirects them to EntraID for authentication.
3. After the user successfully logs in, EntraID sends them back to a redirect URI you specify, which must be accessible to the user.
4. The user then makes a new connection to your app.

So, it all depends on the user getting redirected properly, and their browser makes all the connections, not EntraID itself.
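The flow that the two answers above walk through, as an added simulation (not code from the thread or from Microsoft): a browser drives the authorization-code flow between a stand-in for Entra ID and the on-prem app, and every request is logged as (client, server), so the log shows that the only traffic reaching the app's redirect URI is the user's browser and the app's single outbound call is the token exchange. Party names, URLs, the `state` handling and the log format are assumptions constructed for the example.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

APP = "https://app.example.fr"            # assumed on-prem app behind HAProxy
IDP = "https://login.example.com"         # stands in for Entra ID (assumed URL)
REDIRECT_URI = APP + "/oauth/callback"    # redirect URI registered with the IdP
CONNECTIONS, _codes = [], {}              # request log (client, server); IdP code store

def idp_authorize(caller, params):
    # IdP authorize endpoint: issues a code and tells the *browser* where to go next.
    CONNECTIONS.append((caller, "idp"))
    if params["redirect_uri"] != REDIRECT_URI:
        raise ValueError("unregistered redirect_uri")
    code = secrets.token_urlsafe(16)
    _codes[code] = params["redirect_uri"]
    return 302, REDIRECT_URI + "?" + urlencode({"code": code, "state": params["state"]})

def idp_token(caller, code, redirect_uri):
    # IdP token endpoint: a back-channel call the app makes outbound, never the IdP inbound.
    CONNECTIONS.append((caller, "idp"))
    if _codes.pop(code, None) != redirect_uri:
        raise ValueError("invalid code or redirect_uri mismatch")
    return {"access_token": "tok-" + secrets.token_hex(4), "token_type": "Bearer"}

def app_get(caller, url, session):
    # The on-prem app: every inbound request here, including the callback, is from the browser.
    CONNECTIONS.append((caller, "app"))
    parts = urlsplit(url)
    if parts.path == "/oauth/callback":
        q = parse_qs(parts.query)
        if q["state"][0] != session.get("state"):   # CSRF check on the callback
            raise ValueError("state mismatch")
        tok = idp_token("app", q["code"][0], REDIRECT_URI)  # outbound app -> IdP
        session["token"] = tok["access_token"]
        return 200, "logged in"
    if "token" not in session:
        session["state"] = secrets.token_urlsafe(8)
        return 302, IDP + "/authorize?" + urlencode(
            {"client_id": "app", "redirect_uri": REDIRECT_URI, "state": session["state"]})
    return 200, "protected resource"

def run_flow():
    # The browser follows each redirect; returns the full connection log.
    CONNECTIONS.clear()
    session = {}
    _, loc = app_get("browser", APP + "/", session)                 # 1. user hits the app
    params = {k: v[0] for k, v in parse_qs(urlsplit(loc).query).items()}
    _, loc = idp_authorize("browser", params)                       # 2. browser at the IdP
    app_get("browser", loc, session)                                # 3. browser hits callback
    app_get("browser", APP + "/", session)                          # 4. new request, has token
    return list(CONNECTIONS)
```

For the firewall question this means the French-only rule on port 443 never sees an Entra ID source address; what it has to admit is the user's browser at the redirect URI, plus the app's own outbound HTTPS to the token endpoint.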
