SecureAuth cloud services
The SecureAuth® Identity Platform, end user browsers, and registered mobile devices connect with the SecureAuth cloud services to provide multi-factor authentication.
Allowed URLs and IP addresses for SecureAuth cloud services
This topic contains the allowed URLs and IP addresses you'll need when configuring the Identity Platform, servers, and devices.
Refer to the section appropriate for your product release for the list of allowed URLs and IP addresses.
You can also download the complete list of URLs and IP addresses: sa-ip-allowlist.json
The domain name system (DNS) resolution for the Geo load balanced URLs returns one of the listed IP addresses. This depends on the geographic location of the DNS resolver (client). To support SecureAuth cloud services site failover, you'll need to allow all IP addresses for the URL in the firewall rules.
Geo load balanced URL | IP address | Description of SecureAuth cloud services configuration |
|---|---|---|
us-certs.secureauth.com nge-cloud.secureauth.com | 75.2.72.232 99.83.164.204 |
|
us-services.secureauth.com | 18.208.0.0/13 52.95.245.0/24 54.196.0.0/15 216.182.224.0/21 216.182.232.0/22 107.20.0.0/14 99.77.128.0/24 67.202.0.0/18 184.73.0.0/16 3.80.0.0/12 54.80.0.0/13 3.224.0.0/12 54.221.0.0/16 54.156.0.0/14 54.236.0.0/15 54.226.0.0/15 162.250.237.0/24 52.90.0.0/15 100.24.0.0/13 54.210.0.0/15 54.198.0.0/16 52.20.0.0/14 52.94.201.0/26 52.200.0.0/13 54.160.0.0/13 162.250.238.0/23 35.153.0.0/16 52.70.0.0/15 52.94.248.0/28 99.77.254.0/24 52.54.0.0/15 54.152.0.0/16 54.92.128.0/17 52.0.0.0/15 184.72.128.0/17 23.20.0.0/14 18.204.0.0/14 54.88.0.0/14 162.250.236.0/24 99.77.129.0/24 54.204.0.0/15 52.86.0.0/15 52.44.0.0/15 18.232.0.0/14 54.174.0.0/15 50.16.0.0/15 35.168.0.0/13 99.77.191.0/24 3.208.0.0/12 174.129.0.0/16 72.44.32.0/19 34.224.0.0/12 54.224.0.0/15 75.101.128.0/17 34.192.0.0/12 54.208.0.0/15 54.242.0.0/15 216.182.238.0/23 54.234.0.0/15 54.144.0.0/14 52.2.0.0/15 184.72.64.0/18 204.236.192.0/18 15.193.6.0/24 52.4.0.0/14 208.86.88.0/23 44.192.0.0/11 52.72.0.0/15 52.95.255.80/28 50.19.0.0/16 54.172.0.0/15 52.95.255.112/28 99.77.253.0/24 52.94.249.64/28 52.94.116.0/22 52.40.0.0/14 54.214.0.0/16 15.193.7.0/24 54.244.0.0/16 52.94.248.96/28 52.32.0.0/14 52.10.0.0/15 54.200.0.0/15 35.160.0.0/13 35.155.0.0/16 18.236.0.0/15 70.224.192.0/18 52.46.180.0/22 54.68.0.0/14 52.95.230.0/24 54.184.0.0/13 52.12.0.0/15 52.88.0.0/15 100.20.0.0/14 18.246.0.0/16 34.208.0.0/12 54.212.0.0/15 54.148.0.0/15 99.77.130.0/24 52.36.0.0/14 54.202.0.0/15 52.75.0.0/16 52.24.0.0/14 54.218.0.0/16 52.95.247.0/24 54.245.0.0/16 44.224.0.0/11 50.112.0.0/16 13.248.146.241 76.223.20.206 Alternatively, you can view the IP addresses listed in the Amazon EC2 service table. Take note that it lists all AWS IP addresses, and you only want to allow the IPs within "EC2", "us-east-1", and "us-west-2" categories: https://ip-ranges.amazonaws.com/ip-ranges.json | Used for the SecureAuth cloud services URL configurations for the Identity Platform release 19.07 or later in the System Info tab.
|
us-audit.secureauth.com | 18.208.0.0/13 52.95.245.0/24 54.196.0.0/15 216.182.224.0/21 216.182.232.0/22 107.20.0.0/14 99.77.128.0/24 67.202.0.0/18 184.73.0.0/16 3.80.0.0/12 54.80.0.0/13 3.224.0.0/12 54.221.0.0/16 54.156.0.0/14 54.236.0.0/15 54.226.0.0/15 162.250.237.0/24 52.90.0.0/15 100.24.0.0/13 54.210.0.0/15 54.198.0.0/16 52.20.0.0/14 52.94.201.0/26 52.200.0.0/13 54.160.0.0/13 162.250.238.0/23 35.153.0.0/16 52.70.0.0/15 52.94.248.0/28 99.77.254.0/24 52.54.0.0/15 54.152.0.0/16 54.92.128.0/17 52.0.0.0/15 184.72.128.0/17 23.20.0.0/14 18.204.0.0/14 54.88.0.0/14 162.250.236.0/24 99.77.129.0/24 54.204.0.0/15 52.86.0.0/15 52.44.0.0/15 18.232.0.0/14 54.174.0.0/15 50.16.0.0/15 35.168.0.0/13 99.77.191.0/24 3.208.0.0/12 174.129.0.0/16 72.44.32.0/19 34.224.0.0/12 54.224.0.0/15 75.101.128.0/17 34.192.0.0/12 54.208.0.0/15 54.242.0.0/15 216.182.238.0/23 54.234.0.0/15 54.144.0.0/14 52.2.0.0/15 184.72.64.0/18 204.236.192.0/18 15.193.6.0/24 52.4.0.0/14 208.86.88.0/23 44.192.0.0/11 52.72.0.0/15 52.95.255.80/28 50.19.0.0/16 54.172.0.0/15 52.95.255.112/28 99.77.253.0/24 52.94.249.64/28 52.94.116.0/22 52.40.0.0/14 54.214.0.0/16 15.193.7.0/24 54.244.0.0/16 52.94.248.96/28 52.32.0.0/14 52.10.0.0/15 54.200.0.0/15 35.160.0.0/13 35.155.0.0/16 18.236.0.0/15 70.224.192.0/18 52.46.180.0/22 54.68.0.0/14 52.95.230.0/24 54.184.0.0/13 52.12.0.0/15 52.88.0.0/15 100.20.0.0/14 18.246.0.0/16 34.208.0.0/12 54.212.0.0/15 54.148.0.0/15 99.77.130.0/24 52.36.0.0/14 54.202.0.0/15 52.75.0.0/16 52.24.0.0/14 54.218.0.0/16 52.95.247.0/24 54.245.0.0/16 44.224.0.0/11 50.112.0.0/16 75.2.60.253 99.83.226.254 | Used by SecureAuth servers to receive customer logs for dashboard and user risk services. |
us-trx.secureauth.com | 75.2.50.208 99.83.150.226 |
|
us-polaris.secureauth.com | 15.197.205.255 3.33.245.231 | Used for New Experience Web Admin user interface assets. |
sparkles-content.prod.secureauth.com | To view the page of listed IP addresses, see http://d7uri8nf7uskq.cloudfront.net/tools/list-cloudfront-ips | Used for New Experience Web Admin user interface assets and storage configuration. |
Example of SecureAuth cloud services settings
 |
Important
Important information about MSG level encryption
The msg level encryption endpoints are deprecated (no longer appending /msg after .svc in the URL). Going forward, use https in the URL configuration.
The domain name system (DNS) resolution for the Geo load balanced URLs returns one of the listed IP addresses. This depends on the geographic location of the DNS resolver (client). To support SecureAuth cloud services site failover, you'll need to allow all IP addresses for the URL in the firewall rules.
Geo load balanced URL | IP address | Description of SecureAuth cloud services configuration |
|---|---|---|
us-certs.secureauth.com us-nge-cloud.secureauth.com | 75.2.72.232 99.83.164.204 |
|
us-cloud.secureauth.com | 75.2.72.232 99.83.164.204 | The following URL configurations are applicable to the Identity Platform release 9.3 or earlier.
|
us-trx.secureauth.com | 75.2.50.208 99.83.150.226 |
|
Example of SecureAuth cloud services settings
 |
Important
Important information about MSG level encryption
The msg level encryption endpoints are deprecated (no longer appending /msg after .svc in the URL). Going forward, use https in the URL configuration.
Test the Identity Platform endpoint availability
To verify that these endpoints are available from the Identity Platform instance, browse (from the instance) to the following URLs:
SecureAuth cloud overview
Hosted services for SecureAuth are located in two physical data centers, SecureAuth US-East and SecureAuth US-West; and are redundant at the site and service levels operating in SSAE16 Type II certified hosting facilities, providing a secure, highly available (redundant) infrastructure, which includes cooling, power, network, and internet connectivity.
Also implemented is an industry leading, cloud-based, redundant geo-location load balancing solution to ensure that the Identity Platform instance and SecureAuth cloud access communications are routed to the most efficient facility and, in the event of a site level outage, all communications are seamlessly transferred to the SecureAuth hosted services backup facility.
Each SecureAuth hosted services facility includes load balanced web services hosting APIs providing SMS, TTS, Push, Push-to-Accept OTP services, Threat Intelligence Services, and X.509 certificate signing services; redundant HSM (hardware security module) protected certificate authorities; and clustered (fail-over) database services supported by redundant, back-end services (i.e. LDAP Directory, DNS, Firewall, IDS/IDP, content inspection, etc.).
Secure communications from the Identity Platform instance, SecureAuth cloud access to SecureAuth cloud are enabled via TLS / transport-level encryption over TCP Port 443 for HTTPS.
 |
Transport Layer Security
Transport Layer Security (TLS), a cryptographic protocol, is designed to provide communications security over a network. Using X.509 certificates, asymmetric cryptography is employed to verify the relationship between a certificate and its owner, and to negotiate a symmetric session key.
SecureAuth cloud services
The Identity Platform instance and cloud access portals communicate with SecureAuth cloud for the following services:
Service | Purpose |
|---|---|
X.509 Certificate Services (SHA 1 and SHA 2) | Issue user certificates. |
Telephony Service (text-to-speech) | Deliver OTPs via voice call to user's phone number. |
SMS Service | Deliver one-time passcodes (OTPs) via SMS / text message to user's mobile phone number. |
Push Service | Deliver OTPs via Push Notification to user's mobile device and / or deliver mobile login requests (Approve / Deny) via SecureAuth Authenticate App to user's mobile device. |
Link-to-Accept | Deliver SMS text messages to user's mobile device. The link in emails and SMS text messages point to SecureAuth cloud. |
Phone Number Fraud Prevention Service | Retrieve user's phone number profile to use in phone number blocking. |
Geo-location Service | Retrieve IP address geo-location (known as Dynamic Perimeter) information to use in Adaptive Authentication analysis. |
SecureAuth Threat Service | Retrieve IP address reputation / threat score to use in Adaptive Authentication analysis. |
App Enrollment Service | Generate QR code to use in Multi-Factor App Enrollment (SecureAuth Authenticate App). |
SecureAuth Authenticate App v5.3+
URLs supported for push notifications and device enrollment QR codes
A complete callback URL is included in the API payload for device enrollment QR codes and Push-to-Accept Notifications. When responding to either a QR code device enrollment request or Push-to-Accept request, the SecureAuth Authenticate App returns the URL with a DNS prefix such as "us1-". For example:
"https://us1-cloud.secureauth.com/mobileservice/api/v1/pushaccept"