Azure IP Whitelisting for SSO Attempts.

We use an IdP (Onelogin) for SSO with Azure. Ever since we started with Azure there have been unauthorized login attempts causing user lockouts on the Onelogin side. I need to whitelist the IPs on the Azure side that are able to send SSO login attempts.
We want the request to go to SSO, but only if it meets the IP whitelisting first.
Azure/Onelogin uses WS-Trust for authentication.
I checked with Onelogin; they don't offer anything that would prevent an authentication attempt based on IP for a WS-Trust auth from Azure.
GGHC Asked:

Mahesh Architect Commented:
You can use an Azure conditional access policy, where you can block access attempts from all IPs except whitelisted IPs.

IP whitelisting can be found under Azure MFA advanced properties \ settings.

They call it trusted IPs:
https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-mfasettings

Conditional access policies do need Azure premium licenses:
https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview
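
A sketch of the policy described in the answer above, added here as an example and not part of the original answer: it builds the two Microsoft Graph request bodies (an IP named location, then a policy that blocks every location except it) and models the location check locally so a range list can be tested before it is enforced. The CIDR ranges, display names, and the placeholder IDs are constructed assumptions.

```python
import ipaddress
import json

# Constructed sample ranges (RFC 5737 documentation space), not real office IPs.
TRUSTED_CIDRS = ["203.0.113.0/24", "198.51.100.16/28"]


def named_location_body(name, cidrs):
    """Body for POST /identity/conditionalAccess/namedLocations."""
    ranges = []
    for cidr in cidrs:
        # strict=True rejects typos such as host bits set in the network address
        net = ipaddress.ip_network(cidr, strict=True)
        kind = "iPv4CidrRange" if net.version == 4 else "iPv6CidrRange"
        ranges.append({"@odata.type": f"#microsoft.graph.{kind}",
                       "cidrAddress": str(net)})
    return {"@odata.type": "#microsoft.graph.ipNamedLocation",
            "displayName": name, "isTrusted": True, "ipRanges": ranges}


def block_policy_body(named_location_id, break_glass_user_ids):
    """Body for POST /identity/conditionalAccess/policies.

    Includes all locations, excludes the trusted named location, and blocks.
    """
    return {
        "displayName": "Block sign-ins outside trusted IPs",  # assumed name
        # Report-only first, so a wrong range list cannot lock everyone out.
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "users": {"includeUsers": ["All"],
                      "excludeUsers": list(break_glass_user_ids)},
            "applications": {"includeApplications": ["All"]},
            "locations": {"includeLocations": ["All"],
                          "excludeLocations": [named_location_id]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


def would_block(client_ip, cidrs):
    """Local model of the location condition: True if the IP is outside all ranges."""
    addr = ipaddress.ip_address(client_ip)
    return not any(addr in ipaddress.ip_network(c) for c in cidrs)


if __name__ == "__main__":
    print(json.dumps(named_location_body("Office egress", TRUSTED_CIDRS), indent=2))
    # Placeholder IDs: use the id Graph returns for the named location and
    # the object id of an emergency-access account.
    print(json.dumps(block_policy_body("<named-location-id>", ["<break-glass-user-id>"]), indent=2))
```
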
GGHC Author Commented:
Thanks.
I want to add a better description of what is being used in Azure. We are using Office 365, which includes the Azure AD (Free version).

My scenario is a little bit different because I do use a 3rd party IdP for SSO. I am looking for something on the Azure/Office side to prevent an SSO attempt unless the client IP is within our IP whitelisting on Azure/Office (which is what I'm trying to find out if possible).
Mahesh Architect Commented:
Azure has a full suite of features to restrict access, but you need to use Azure native technology only for that.
As soon as 3rd party IdP SSO tools come in between, you need to rely on their end to control access on those SSO tools, because Azure cannot control those.

GGHC Author Commented:
I called the Office365 support, and that is exactly what they said. I may consider using local ADFS just for Office apps.