Sun OpenSSO Enterprise 8.0 Administration Guide

Conditions

A condition defines constraints that further restrict when a policy applies. For example, if you want to limit access to a paycheck application, you can define a condition specifying the hours during which it may be used; or you can define a condition that grants access only if the request originates from a given set of IP addresses or from the company intranet. For example, to configure http://org.example.com/hr/*.jsp so that it can be accessed only by users from org.example.com between 9 a.m. and 5 p.m., use an IP Address/DNS Name condition together with a Time condition. By specifying the rule resource as http://org.example.com/hr/*.jsp, the policy applies to all JSPs under http://org.example.com/hr, including those in subdirectories. The default conditions are:

Active Session Time

Sets the condition based on user session data.

Max Session Time

Specifies the maximum time, counted from when the session was created, for which the policy remains applicable.

Terminate Session

If selected, the user session will be terminated if the session time exceeds the maximum allowed as defined in the Max Session Time field.

Authentication by Module Chain

The policy applies if the user has successfully authenticated to the authentication chain in the specified realm. If no realm is specified, authentication to any realm at the authentication chain will satisfy the condition.

Authentication by Module Instance

The policy applies if the user has successfully authenticated to the instantiated authentication module in the specified realm. If no realm is specified, authentication to any realm at the authentication module will satisfy the condition.

Authentication Level (greater than or equal to)

The policy applies if the user’s authentication level is greater than or equal to the Authentication Level set in the condition. This attribute indicates the level of trust for authentication within the specified realm.

Authentication Level (less than or equal to)

The policy applies if the user’s authentication level is less than or equal to the Authentication Level set in the condition. This attribute indicates the level of trust for authentication within the specified realm.

Current Session Properties

Decides whether a policy is applicable to the request based on values set in the user's OpenSSO Enterprise session. During policy evaluation, the condition returns true only if the user's session carries every property defined in the condition. For a property defined in the condition with multiple values, it is sufficient if the session has at least one of those values.


Note –

Session properties set by OpenSSO are prefixed with am.protected to ensure that they cannot be edited by the Client SDK.


Identity Membership

Checks whether the invocator UUID supplied in the environment is a member of at least one of the AMIdentity objects specified in the condition. The invocator UUID is passed as the value of the key Condition.INVOCATOR_PRINCIPAL_UUID in the environment map of the evaluation request. This condition is primarily used to apply authorization rules to a WSC (Web Service Client): the identity of the WSC is passed as the invocator UUID.

IP Address/DNS Name

Sets the condition based on the IP address or DNS name of the client making the request. The fields you can define are:

IP Address From/To

Specifies the inclusive range of IP addresses.

DNS Name

Specifies the DNS name. This field can be a fully qualified hostname or a string in one of the following formats:

domainname

*.domainname

LDAP Filter Condition

The policy applies when the LDAP filter defined here matches the user's entry in the LDAP directory specified in the Policy Configuration service. The condition is evaluated only within the realm in which the policy is defined.

Time (day, date, time, and timezone)

Sets the condition based on time constraints. The fields are:

Date From/To

Specifies the range of the date.

Time

Specifies the range of time within a day.

Day

Specifies a range of days.

Timezone

Specifies a timezone, either standard or custom. A custom timezone must be a timezone ID recognized by Java (for example, PST). If no value is specified, the default is the timezone of the JVM in which OpenSSO Enterprise runs.

If access is denied because a condition is not satisfied, the condition can produce an advice message indicating why. Advices are propagated in the policy decision to the policy agent, which reads the advice and takes appropriate action, for example redirecting the user to the Authentication Service to authenticate at a higher level. If, in this example, the user then successfully authenticates at the higher level, the policy might become applicable. See com.sun.identity.policy in the Sun OpenSSO Enterprise 8.0 Java API Reference for more information.


Tip –

Custom conditions can also produce advices. However, the policy agents act only on Auth Level Advice and Auth Scheme Advice. Custom agents can be written to respond to additional advices, and the existing OpenSSO Enterprise policy agents can be extended to do the same. See the Sun OpenSSO Enterprise Policy Agent 3.0 User's Guide for J2EE Agents for more information.
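The following is an added example, not code from OpenSSO Enterprise, that models the evaluation rules this section describes for the Current Session Properties, IP Address/DNS Name, Authentication Level and Time conditions, and shows how a failed condition can carry an advice back to the agent. It combines them into the http://org.example.com/hr/*.jsp policy from the opening paragraph. The session and request values are constructed sample data; the AuthLevelConditionAdvice key, the am.protected.AuthLevel session property, the use of a fixed-offset PST in place of a Java timezone ID, and the exact matching rule for a plain domainname pattern are assumptions.

```python
"""Reference model of the policy conditions described in this section.

Added illustration only, not OpenSSO Enterprise code. The matching rules
follow the prose of the guide; names marked 'assumed' are not taken from it.
"""
from datetime import datetime, time, timedelta, timezone
from ipaddress import ip_address

PST = timezone(timedelta(hours=-8), "PST")   # assumed stand-in for Java ID "PST"
WEEKDAYS = {0, 1, 2, 3, 4}                   # Monday .. Friday

# Constructed sample session and request environment, as an agent would
# present them to the policy evaluator.
SESSION = {
    "am.protected.AuthLevel": {"1"},         # assumed property name
    "Department": {"HR", "Finance"},
}
REQUEST = {
    "ip": "10.1.2.3",
    "dns_name": "pc42.org.example.com",
    "time": datetime(2009, 3, 4, 18, 30, tzinfo=timezone.utc),  # 10:30 PST, a Wednesday
}


def session_properties_match(session, required):
    """Current Session Properties: every property named in the condition must
    be present; a multi-valued property needs only one of its values to be set."""
    return all(name in session and bool(session[name] & set(values))
               for name, values in required.items())


def ip_in_range(ip, first, last):
    """IP Address From/To: inclusive range check on the client address."""
    return ip_address(first) <= ip_address(ip) <= ip_address(last)


def dns_matches(host, pattern):
    """DNS Name: fully qualified host name, 'domainname' or '*.domainname'.
    '*.domainname' matches any host inside that domain but not the bare
    domain; a plain name is treated as an exact, case-insensitive match (assumed)."""
    host, pattern = host.lower(), pattern.lower()
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def auth_level_at_least(session, level):
    """Authentication Level (greater than or equal to)."""
    values = session.get("am.protected.AuthLevel", {"0"})
    return max(int(v) for v in values) >= level


def within_time_window(when, tz, start, end, days, date_from=None, date_to=None):
    """Time condition: convert the request time into the condition's timezone
    before comparing the date range, day of week and time of day."""
    local = when.astimezone(tz)
    if date_from is not None and local.date() < date_from:
        return False
    if date_to is not None and local.date() > date_to:
        return False
    return local.weekday() in days and start <= local.time() <= end


def evaluate(session, request):
    """Policy for http://org.example.com/hr/*.jsp: intranet client (either the
    address range or the DNS pattern is accepted in this example), office hours
    in PST, an HR session property, and auth level >= 2. Conditions are ANDed.
    Returns (allowed, advices); only the auth-level condition yields an advice."""
    advices = {}
    ok = (ip_in_range(request["ip"], "10.1.0.0", "10.1.255.255")
          or dns_matches(request["dns_name"], "*.org.example.com"))
    ok = ok and within_time_window(request["time"], PST, time(9, 0), time(17, 0), WEEKDAYS)
    ok = ok and session_properties_match(session, {"Department": ["HR"]})
    if not auth_level_at_least(session, 2):
        ok = False
        advices["AuthLevelConditionAdvice"] = ["2"]  # advice key name assumed
    return ok, advices


if __name__ == "__main__":
    print(evaluate(SESSION, REQUEST))
    print(evaluate({**SESSION, "am.protected.AuthLevel": {"2"}}, REQUEST))
```

Running the block shows the request denied with an AuthLevelConditionAdvice of 2 for the level-1 session, and allowed once the session carries level 2; the time check also illustrates why the Timezone field matters, since the same 18:30 UTC request falls outside 9 to 5 if evaluated in UTC.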