SecureAuth cloud services

The SecureAuth® Identity Platform, end user browsers, and registered mobile devices connect with the SecureAuth cloud services to provide multi-factor authentication capabilities

Allowed URLs and IP addresses

This topic contains the allowed URLs and IP addresses you'll need when configuring the Identity Platform, servers, and devices.

Refer to the section appropriate for your product release for the list of allowed URLs and IP addresses.

You can also download the complete list of URLs and IP addresses: sa-idp-allowlist.json

The domain name system (DNS) resolution for the geo load balanced URLs returns one of the listed IP addresses, depending on the geographic location of the DNS resolver (client). To support SecureAuth cloud services site failover, allow all IP addresses for the URL in the firewall rules.

For Identity Platform release 19.07 or later

The domain name system (DNS) resolution for the Geo load balanced URLs returns one of the listed IP addresses. This depends on the geographic location of the DNS resolver (client). To support SecureAuth cloud services site failover, you'll need to allow all IP addresses for the URL in the firewall rules.

us-certs.secureauth.com / nge-cloud.secureauth.com

Purpose: Used for SHA-2 RSA (384) certificate services

IP Addresses:

75.2.72.232
99.83.164.204

us-services.secureauth.com

Purpose: Used for cloud services in the System Info tab:

Telephony URL – Telephony Service (text-to-speech) to deliver one-time passcodes by voice call to user's phone number.
SMS URL – SMS Service to deliver one-time passcodes by SMS / text message to user's mobile phone number.
Push URL – Push Service to deliver one-time one-time passcodes in any of the following ways:
- Push Notification to user's mobile device
- Deliver mobile login requests (Accept / Deny) via SecureAuth Authenticate App to user's mobile device
Link-to-Accept URL – Link-to-Accept to deliver SMS text messages to user's mobile device. The link in emails and SMS text messages point to SecureAuth cloud.
Phone Fraud Service URL – Phone Number Fraud Prevention Service to retrieve user's phone number profile to use in phone number blocking.
Geo-Location URL – Geo-location Service to retrieve IP address geo-location (known as Dynamic Perimeter) information to use in Adaptive Authentication analysis.
SecureAuth Threat Service – SecureAuth Threat Service to retrieve IP address reputation / threat score to use in Adaptive Authentication analysis.

18.208.0.0/13
52.95.245.0/24
54.196.0.0/15
216.182.224.0/21
216.182.232.0/22
107.20.0.0/14
99.77.128.0/24
67.202.0.0/18
184.73.0.0/16
3.80.0.0/12
54.80.0.0/13
3.224.0.0/12
54.221.0.0/16
54.156.0.0/14
54.236.0.0/15
54.226.0.0/15
162.250.237.0/24
52.90.0.0/15
100.24.0.0/13
54.210.0.0/15
54.198.0.0/16
52.20.0.0/14
52.94.201.0/26
52.200.0.0/13
54.160.0.0/13
162.250.238.0/23
35.153.0.0/16
52.70.0.0/15
52.94.248.0/28
99.77.254.0/24
52.54.0.0/15
54.152.0.0/16
54.92.128.0/17
52.0.0.0/15
184.72.128.0/17
23.20.0.0/14
18.204.0.0/14
54.88.0.0/14
162.250.236.0/24
99.77.129.0/24
54.204.0.0/15
52.86.0.0/15
52.44.0.0/15
18.232.0.0/14
54.174.0.0/15
50.16.0.0/15
35.168.0.0/13
99.77.191.0/24
3.208.0.0/12
174.129.0.0/16
72.44.32.0/19
34.224.0.0/12
54.224.0.0/15
75.101.128.0/17
34.192.0.0/12
54.208.0.0/15
54.242.0.0/15
216.182.238.0/23
54.234.0.0/15
54.144.0.0/14
52.2.0.0/15
184.72.64.0/18
204.236.192.0/18
15.193.6.0/24
52.4.0.0/14
208.86.88.0/23
44.192.0.0/11
52.72.0.0/15
52.95.255.80/28
50.19.0.0/16
54.172.0.0/15
52.95.255.112/28
99.77.253.0/24
52.94.249.64/28
52.94.116.0/22
52.40.0.0/14
54.214.0.0/16
15.193.7.0/24
54.244.0.0/16
52.94.248.96/28
52.32.0.0/14
52.10.0.0/15
54.200.0.0/15
35.160.0.0/13
35.155.0.0/16
18.236.0.0/15
70.224.192.0/18
52.46.180.0/22
54.68.0.0/14
52.95.230.0/24
54.184.0.0/13
52.12.0.0/15
52.88.0.0/15
100.20.0.0/14
18.246.0.0/16
34.208.0.0/12
54.212.0.0/15
54.148.0.0/15
99.77.130.0/24
52.36.0.0/14
54.202.0.0/15
52.75.0.0/16
52.24.0.0/14
54.218.0.0/16
52.95.247.0/24
54.245.0.0/16
44.224.0.0/11
50.112.0.0/16
13.248.146.241
76.223.20.206

Alternatively, you can view the IP addresses listed in the Amazon EC2 service table. Take note that it lists all AWS IP addresses, and you only want to allow the IPs within EC2, us-east-1, and us-west-2 categories: ip-ranges.amazonaws.com/ip-ranges.json

us-audit.secureauth.com

Purpose: Used by SecureAuth servers to receive customer logs for dashboard services and user risk services.

IP Addresses:

18.208.0.0/13
52.95.245.0/24
54.196.0.0/15
216.182.224.0/21
216.182.232.0/22
107.20.0.0/14
99.77.128.0/24
67.202.0.0/18
184.73.0.0/16
3.80.0.0/12
54.80.0.0/13
3.224.0.0/12
54.221.0.0/16
54.156.0.0/14
54.236.0.0/15
54.226.0.0/15
162.250.237.0/24
52.90.0.0/15
100.24.0.0/13
54.210.0.0/15
54.198.0.0/16
52.20.0.0/14
52.94.201.0/26
52.200.0.0/13
54.160.0.0/13
162.250.238.0/23
35.153.0.0/16
52.70.0.0/15
52.94.248.0/28
99.77.254.0/24
52.54.0.0/15
54.152.0.0/16
54.92.128.0/17
52.0.0.0/15
184.72.128.0/17
23.20.0.0/14
18.204.0.0/14
54.88.0.0/14
162.250.236.0/24
99.77.129.0/24
54.204.0.0/15
52.86.0.0/15
52.44.0.0/15
18.232.0.0/14
54.174.0.0/15
50.16.0.0/15
35.168.0.0/13
99.77.191.0/24
3.208.0.0/12
174.129.0.0/16
72.44.32.0/19
34.224.0.0/12
54.224.0.0/15
75.101.128.0/17
34.192.0.0/12
54.208.0.0/15
54.242.0.0/15
216.182.238.0/23
54.234.0.0/15
54.144.0.0/14
52.2.0.0/15
184.72.64.0/18
204.236.192.0/18
15.193.6.0/24
52.4.0.0/14
208.86.88.0/23
44.192.0.0/11
52.72.0.0/15
52.95.255.80/28
50.19.0.0/16
54.172.0.0/15
52.95.255.112/28
99.77.253.0/24
52.94.249.64/28
52.94.116.0/22
52.40.0.0/14
54.214.0.0/16
15.193.7.0/24
54.244.0.0/16
52.94.248.96/28
52.32.0.0/14
52.10.0.0/15
54.200.0.0/15
35.160.0.0/13
35.155.0.0/16
18.236.0.0/15
70.224.192.0/18
52.46.180.0/22
54.68.0.0/14
52.95.230.0/24
54.184.0.0/13
52.12.0.0/15
52.88.0.0/15
100.20.0.0/14
18.246.0.0/16
34.208.0.0/12
54.212.0.0/15
54.148.0.0/15
99.77.130.0/24
52.36.0.0/14
54.202.0.0/15
52.75.0.0/16
52.24.0.0/14
54.218.0.0/16
52.95.247.0/24
54.245.0.0/16
44.224.0.0/11
50.112.0.0/16
75.2.60.253
99.83.226.254

us-trx.secureauth.com

Purpose: Used to deliver transaction operation communications to the SecureAuth cloud environment:

Trx Log Service URL – Transaction log service to deliver transaction operation communications to the SecureAuth cloud environment.
Trx Log Mode Code – Transaction log mode code automatically assigned to the instance during the build process to indicate whether the logging mode is transaction or user based.
Trx Log Disable Code – Transaction Log disable code provided by SecureAuth Support to temporarily disable transaction web service calls.

IP Addresses:

75.2.50.208
99.83.150.226

us-polaris.secureauth.com

Purpose: Used for New Experience Web Admin interface assets

IP Addresses:

15.197.205.255
3.33.245.231

sparkles-content.prod.secureauth.com

Purpose: New Experience Web Admin user interface assets and storage configuration.

IP Addresses:

To view the page of listed IP addresses, see CloudFront IP list

your-tenant-name.secureauth.com

Purpose: IDP services main endpoint (Cloudflare-protected tenant endpoints).

IPv4 Addresses:

173.245.48.0/20
103.21.244.0/22
103.22.200.0/22
103.31.4.0/22
141.101.64.0/18
108.162.192.0/18
190.93.240.0/20
188.114.96.0/20
197.234.240.0/22
198.41.128.0/17
162.158.0.0/15
104.16.0.0/13
104.24.0.0/14
172.64.0.0/13
131.0.72.0/22

IPv6 Addresses:

2400:cb00::/32
2606:4700::/32
2803:f800::/32
2405:b500::/32
2405:8100::/32
2a06:98c0::/29
2c0f:f248::/32

For the latest Cloudflare IP ranges, refer to:

IPv4: https://www.cloudflare.com/ips-v4/
IPv6: https://www.cloudflare.com/ips-v6/

Example of SecureAuth cloud services settings for 19.07 and later

Important

Important information about MSG level encryption

The msg level encryption endpoints are deprecated (no longer appending /msg after .svc in the URL). Going forward, use https in the URL configuration.

For SecureAuth IdP release 9.3 or earlier

us-certs.secureauth.com / nge-cloud.secureauth.com

Purpose: Used for SHA-2 RSA (384) certificate services

IP Addresses:

75.2.72.232
99.83.164.204

us-cloud.secureauth.com

Purpose: Used for cloud services for SecureAuth IdP 9.3 or earlier:

Telephony URL – Telephony Service (text-to-speech) to deliver one-time passcodes by voice call to user's phone number.
SMS URL – SMS Service to deliver one-time passcodes by SMS / text message to user's mobile phone number.
Push URL – Push Service to deliver one-time one-time passcodes in any of the following ways:
- Push Notification to user's mobile device
- Deliver mobile login requests (Accept / Deny) via SecureAuth Authenticate App to user's mobile device
Link-to-Accept URL – Link-to-Accept to deliver SMS text messages to user's mobile device. The link in emails and SMS text messages point to SecureAuth cloud.
Phone Fraud Service URL – Phone Number Fraud Prevention Service to retrieve user's phone number profile to use in phone number blocking.
Geo-Location URL – Geo-location Service to retrieve IP address geo-location (known as Dynamic Perimeter) information to use in Adaptive Authentication analysis.
SecureAuth Threat Service – SecureAuth Threat Service to retrieve IP address reputation / threat score to use in Adaptive Authentication analysis.

IP Addresses:

75.2.72.232
99.83.164.204

us-trx.secureauth.com

Purpose: Used to deliver transaction operation communications to the SecureAuth cloud environment:

Trx Log Service URL – Transaction log service to deliver transaction operation communications to the SecureAuth cloud environment.
Trx Log Mode Code – Transaction log mode code automatically assigned to the instance during the build process to indicate whether the logging mode is transaction or user based.
Trx Log Disable Code – Transaction Log disable code provided by SecureAuth Support to temporarily disable transaction web service calls.

IP Addresses:

75.2.50.208
99.83.150.226

Example of SecureAuth cloud services settings for 9.3 and earlier

Important

Important information about MSG level encryption

The msg level encryption endpoints are deprecated (no longer appending /msg after .svc in the URL). Going forward, use https in the URL configuration.

Test the Identity Platform endpoint availability

To verify that these endpoints are available from the Identity Platform instance, browse (from the instance) to the following URLs:

Instrafructure details

SecureAuth cloud services are hosted in two geographically separated, SSAE16 Type II certified data centers: US-East and US-West. Both facilities provide redundant infrastructure at the site and service levels, including power, cooling, network, and internet connectivity, to ensure high availability.

An industry-leading, cloud-based geo-location load balancing solution routes Identity Platform and SecureAuth cloud access communications to the most efficient facility. In the event of a site-level outage, all communications are seamlessly transferred to the backup facility.

Each SecureAuth data center includes:

Load-balanced web service APIs for SMS, TTS, Push, Push-to-Accept OTP, Threat Intelligence, and X.509 certificate signing services
Redundant hardware security module (HSM) protected certificate authorities
Clustered (failover) database services
Redundant backend services (LDAP Directory, DNS, Firewall, IDS/IDP, content inspection, etc.)

All communications between the Identity Platform, SecureAuth cloud access, and SecureAuth cloud services are secured via TLS/HTTPS over TCP Port 443

Transport Layer Security

Transport Layer Security (TLS), a cryptographic protocol, is designed to provide communications security over a network. Using X.509 certificates, asymmetric cryptography is employed to verify the relationship between a certificate and its owner, and to negotiate a symmetric session key.