Control exactly where your users and integrations can access Lumar from — and keep attackers out, even if they have valid credentials.
IP Restrictions let you define approved IP address ranges (in CIDR notation) for two distinct access types: user logins and service account/API connections. Any authentication attempt from an IP address outside your allowlist is blocked automatically.
Why this matters
Stolen passwords and leaked API keys are a common risk. What IP Restrictions give you is a second line of defence: even if an attacker obtains a valid session token or API key, they cannot use it from an unrecognised network. This is particularly valuable for protecting against:
- Credential theft and session hijacking ("Pass-the-Cookie" attacks), where attackers replay stolen session tokens from their own devices
- Leaked API keys, commonly exposed in source code, build logs, or public repositories, which can then be called from anywhere on the open internet
Two types of IP Restrictions
User allowlisting (SSO Connection)
Restricts user logins to approved networks. Users who sign in via SSO can only do so from IP ranges you have approved. This binds access to a trusted physical or network context, such as your office network or corporate VPN.
Service account and API/token restrictions
Restricts machine-to-machine authentication to specific infrastructure. API keys and service account tokens can only be used from the IP ranges you define, preventing misuse if a key is ever exposed outside your control.
How to set up User IP Restrictions
User IP restrictions are configured under SSO Connection in your account settings.
- In the left-hand navigation, go to Organisation > SSO Connection (note: this will only be visible if your account has SSO configured).
- Scroll down to the Allowlisted IP ranges section.
- Click Add IP range (top right of the table).
- Enter the IP range in CIDR notation (for example, 192.168.1.0/24) and add a descriptive label (for example, "London Office" or "Headquarters).
- Click Add.
Your new range appears in the table with the date it was added. You can configure up to 100 IP ranges per account.
Note: When group mappings are configured, user roles are assigned from SAML groups on login and cannot be edited directly in Lumar.
How to set up Service Account IP Restrictions
Service account IP restrictions are configured individually, per service account.
- In the left-hand navigation, go to Organisation > Service Accounts.
- Click the actions button for the service account you want to restrict and select IP Restrictions.
- Click Add IP range.
- Enter the IP range in CIDR notation and add a label to identify it (for example, "Production Server" or "CI Pipeline").
- Click Add.
The range is now listed in the table alongside the date it was added. Repeat for any additional ranges this service account should be permitted to call from.
Tips for getting set up
- Check your own IP first. Before saving any restriction, confirm that your current IP address falls within one of the ranges you are adding. Adding a range that excludes your own network will lock you out immediately.
- Use CIDR notation. A single IP address can be entered as /32 (for example, 203.0.113.42/32). A subnet, such as an office network, is typically /24 or broader.
- Label every range clearly. "London Office", "AWS us-east-1", "VPN exit node" are all more useful than "Range 1" when you need to audit or update entries later.
- Add your VPN range. If your team uses a corporate VPN for remote access, add the VPN's exit IP range so remote workers are not inadvertently blocked.
- Service accounts and API keys each have their own allowlist. Restrict each one to the specific infrastructure it needs to call from, rather than using a single broad range across all of them.
- You can configure up to 100 IP ranges per user allowlist and per service account.
Removing or editing an IP range
To remove an entry, locate the range in the relevant table and click the Actions menu (the three-dot icon on the right-hand side of the row). Select Delete and confirm. The restriction takes effect immediately.
Who can manage IP Restrictions?
IP Restrictions are an administrator-level setting. You must have an Admin role on the account to add, edit, or remove IP ranges.