This page lists relevant IP addresses for SRAM, in case you need to allow them in a firewall.
Egress IP addresses
Some protocols, listed below, require your application to be able to connect to SRAM.
Allow from your application to SRAM egress:
- 18.184.55.203
- 3.126.192.219
- 2a05:d014:3c2:1300::20
- 2a05:d014:3c2:1301::20
Effective at some time after October 1st, 2024, we will move our servers to a new infrastructure. Please include the following IP addresses in your firewall configuration:
- 195.169.124.192/26
- 145.101.112.192/26
- 2001:610:0:8010::/64
- 2001:610:188:148::/64
OIDC
For OIDC, your application needs to be able to talk to the OIDC server for two purposes:
- to fetch the OIDC configuration file. You need this information if you want to connect an application to SRAM using the OpenID Connect protocol.
- to fetch information about users logging in (on each authentication).
For both of these, your applications needs to be able to reach the host proxy.sram.surf.nl over HTTPS on port 443/TCP.
The IP addresses for OIDC differ from those for the other protocols.
Allow from your application to SRAM egress:
- 3.124.134.36
- 18.192.15.36
- 18.194.167.102
- 2a05:d014:c3:8400::/64
- 2a05:d014:c3:8401::/64
- 2a05:d014:c3:8402::/64
Effective at some time after October 1st, 2024, we will move our servers to a new infrastructure. Please include the following IP addresses in your firewall configuration:
- 195.169.124.192/26
- 145.101.112.192/26
- 2001:610:0:8010::/64
- 2001:610:188:148::/64
SAML metadata
Egress
SAML metadata is required for SAML-based applications to fetch configuration to connect to SRAM. Depending on your SAML implementation, the metadata is refreshed periodically or fetched once while setting up the application. SAML metadata files for SRAM are located on meta.sram.surf.nl.
Allow the egress IP addresses.
Ingress
In addition, SRAM will periodically fetch the SAML metadata from your application. This is done using HTTPS on port 443/TCP.
Allow from SRAM to your application ingress:
- 18.194.195.14/32
- 2a05:d014:c3:8400::/56
LDAP
The SRAM LDAP endpoint is located on ldap.sram.surf.nl. All LDAP communication is done via LDAPs on port 636/TCP.
Allow the egress IP addresses.
Token introspection
The SRAM token introspection endpoint is located on https://sram.surf.nl/api/tokens/introspect.
Allow the egress IP addresses.
PAM web login
Allow the egress IP addresses.
Ingress IP addresses
SCIM, listed below, requires SRAM to be able to connect to your application.
Allow from SRAM to your application ingress:
- 52.58.250.99
- 3.124.41.47
- 2a05:d014:3c2:1316::/64
- 2a05:d014:3c2:1317::/64
Effective at some time after October 1st, 2024, we will move our servers to a new infrastructure. Please include the following IP addresses in your firewall configuration:
- 195.169.124.192/26
- 145.101.112.192/26
- 2001:610:0:8010::/64
- 2001:610:188:148::/64
SCIM
The SRAM SCIM interface can be configured to push updates to a remote SCIM server. All SCIM traffic uses HTTPS on the port you have configures for your application is SRAM (typically 443/TCP).
Allow the ingress IP addresses.