--- title: Configuring the CIDR Authentication Selector description: The CIDR Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on the IP address of an incoming single sign-on request. component: pingfederate version: 13.1 page_id: pingfederate:administrators_reference_guide:pf_config_cidr_auth_selector canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_config_cidr_auth_selector.html llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md revdate: July 5, 2022 section_ids: about-this-task: About this task steps: Steps example: Example: result: Result --- # Configuring the CIDR Authentication Selector The CIDR Authentication Selector enables PingFederate to choose configured authentication sources or other selectors based on the IP address of an incoming single sign-on request. PingFederate doesn't limit the number of CIDR ranges you can create, but large numbers of ranges can affect performance. ## About this task Use this selector in authentication policies to choose from authentication sources that share a similar level of assurance, such as among multiple HTML Form Adapter instances or between a Kerberos Adapter instance and an X.509 identity provider (IdP) Adapter instance. For example, use this selector in authentication policies to route internal requests to a Kerberos Adapter instance. ## Steps 1. Go to **Authentication > Policies > Selectors** to open the **Selectors** page. 2. On the **Selectors** page, click **Create New Instance** to start the **Create Authentication Selector Instance** workflow. 3. On the **Type** tab, configure the basics of this authentication selector instance. 4. On the **Authentication Selector** tab, define a network range: 1. Click **Add a new row to 'Networks'** and enter a network range. 2. (Optional) In the **Description** field, enter a description for the network range. 5. Click **Update**. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | To see the **Add a new row to 'Networks'** option, ensure you have set the **Authentication Selector Instance** type to **CIDR Authentication Selector** on the **Type** tab. | ### Example: * Sample IPv4 network range Enter `192.168.101.0/24` to cover 256 IPv4 addresses, ranging from `192.168.101.0` through `192.168.101.255`. * Sample IPv6 network range Enter `2001:db8::/123` to cover 32 IPv6 addresses, ranging from `2001:db8::` through `2001:db8::1f`. 6. (Optional) Repeat the previous step to add more network ranges. | | | | - | ------------------------------ | | | Display order does not matter. | | | | | - | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | If you want to include all IPv4 addresses for testing, add two separate ranges: `0.0.0.0/1` and `128.0.0.0/1`. The CIDR Authentication Selector interprets a specification of `0.0.0.0/0` as an empty range rather than as a wildcard for all addresses. | Click **Edit**, **Update**, or **Cancel** to make or undo a change to an existing entry. Click **Delete** or **Undelete** to remove an existing entry or cancel the removal request. 7. (Optional) Enter a **Result Attribute Name** value. | | | | - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | | This field provides a means to indicate in the SAML assertion whether a network range was matched during processing; the value is either `Yes` or `No`. Any authentication sources configured as a result of this authentication selector must have their attribute contract extended with the value of the **Result Attribute Name** field to use its value to fulfill an attribute contract or for issuance criteria. | 8. Complete the configuration. 1. On the **Summary** tab, click **Done**. 2. On the **Selectors** page, click **Save**. ## Result When you place this selector instance as a checkpoint in an authentication policy, it forms two policy paths: **Yes** and **No**. If the IP address of an incoming single sign-on (SSO) request matches one of the defined network ranges, the selector returns true. The policy engine regains control of the request and proceeds with the policy path configured for the result value of **Yes**. If the IP address of an incoming SSO request matches none of the defined network ranges, the selector returns false. The policy engine regains control of the request and proceeds with the policy path configured for the result value of **No**.