
How to geo block users at login time

This article explains how you can use Vigilance AI to block users from logging in from specific countries. This concept is often referred to as geo-blocking and is simple to set up using a combination of features from the User Policy and the Vigilance API.

The TLDR is that we will be using Smart Access on a User Policy combined with a Vigilance blacklist rule to deny access.

Requirements

In order to set this up you must have Smart Factor Authentication (formerly known as Adaptive Authentication) enabled on your OneLogin account.

You also need to have enabled Smart MFA Suppression on at least one of your user policies. Make sure you do this before attempting to set up the rules we talk about in step 1.

WS-Trust auth workflows will not work with Smart MFA or Smart Access, because Vigilance AI only works with browser-based logins. It cannot apply to WS-Trust, which is a legacy Microsoft protocol. To have Risk Scores/Smart Access working, the client must disable legacy protocols in Microsoft 365 and also disable WS-Trust within their OL O365v2 app.

1: Create a Vigilance Rule

Vigilance AI lets you create rules that will influence how it scores the risk of a login event.

In this case we will be creating a blacklist rule which will deny access to any IP address that is located in New Zealand.

Countries to blacklist are represented using an ISO 3166 Alpha-2 country code.

You can use the Vigilance Postman collection or simply use curl, like this. (Note: Replace <subdomain> with your OneLogin subdomain.)

curl -X POST \
  https://<subdomain>.onelogin.com/api/2/risk/rules \
  -H 'Authorization: Bearer xxx-a-valid-bearer-token-xxx' \
  -H 'Content-Type: application/json' \
  -d '{
  "name": "Blacklist New Zealand",
  "description": "Deny access from New Zealand based IP addresses",
  "type": "blacklist",
  "target": "location.address.country_iso_code",
  "source": null,
  "filters": ["NZ"]
}'
      

The effect of this rule is that if a user attempts to log in from a New Zealand-based IP address, they will immediately be given the maximum HIGH risk score of 100.
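The same rule request, built in Python with the country codes format-checked and the name and description derived from the list so they cannot contradict the rule type. This is an added example, not OneLogin's own code: the function names are hypothetical, sending more than one code in "filters" is an assumption, and the request is only constructed, never sent.

```python
import json
import re
import urllib.request

RULES_PATH = "/api/2/risk/rules"  # endpoint from the curl call in this article
COUNTRY_TARGET = "location.address.country_iso_code"
_ALPHA2 = re.compile(r"[A-Za-z]{2}")  # format only; does not prove the code is assigned


def normalize_countries(codes):
    """Upper-case, de-duplicate and format-check ISO 3166 alpha-2 codes."""
    seen = []
    for raw in codes:
        code = raw.strip()
        if not _ALPHA2.fullmatch(code):
            raise ValueError(f"not an alpha-2 country code: {raw!r}")
        if code.upper() not in seen:
            seen.append(code.upper())
    if not seen:
        raise ValueError("at least one country code is required")
    return seen


def build_geo_block_request(subdomain, token, codes):
    """Return an unsent urllib Request that creates the blacklist rule."""
    # Conservative check so the bearer token can only go to *.onelogin.com.
    if not re.fullmatch(r"[a-z0-9-]+", subdomain):
        raise ValueError(f"unexpected subdomain: {subdomain!r}")
    countries = normalize_countries(codes)
    label = ", ".join(countries)
    rule = {
        "name": f"Blacklist {label}",
        "description": f"Deny access from IP addresses located in: {label}",
        "type": "blacklist",
        "target": COUNTRY_TARGET,
        "source": None,
        # Assumption: the filters array accepts more than one code.
        "filters": countries,
    }
    return urllib.request.Request(
        f"https://{subdomain}.onelogin.com{RULES_PATH}",
        data=json.dumps(rule).encode("utf-8"),
        method="POST",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )
```

Pass the returned object to urllib.request.urlopen() to create the rule; a code such as "NZL" or a subdomain containing a dot or slash is rejected before any request exists.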

2: Enable Smart Access

Once you have the Vigilance rule created you can then enable Smart Access on either a User Policy or an App Policy depending on where you want to block access.

Assuming you want to block users at login time you will want to enable Smart Access on the User Policy and set the Risk Level to “HIGH”.

Enable Smart Access

3: Assign the Policy

Finally, assign this User Policy to any user that you want to geo block.

The next time the user attempts to log in from a blacklisted country, they will be immediately blocked.

Access Denied

