
Sun ONE Portal Server, Secure Remote Access 6.2 Administrator's Guide

Chapter 8
Configuring URL Access Control

This chapter describes how to allow or deny end-user access to specific URLs through the gateway. You configure this with the Access List service, under SRA Configuration in the Sun™ ONE Identity Server administration console.


Note

Click Documentation at the top right corner of the Identity Server administration console, and click SRA Help for a quick reference on all the Secure Remote Access attributes.


To configure URL access control, do the following:

  1. Log in to the Identity Server administration console as administrator.
  2. Select the Service Configuration tab from the administration console.
  3. Click the arrow next to Access List under SRA Configuration.
  4. The Access List page displays.

From here you can perform the following tasks:


Set up a URL Deny List

Use this field to list the URLs that end users cannot access through the gateway.

The gateway checks the URL Deny List before checking the URL Allow List, so a URL that matches an entry in both lists is denied.

    To Set up the URL Deny List
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Access List under SRA Configuration.
  4. The Access List page displays.

  5. In the URL Deny List field, specify the URL to which you want to deny access through the gateway. The format for entering the URL is:

     http://abc.siroe.com

  6. Click Add.

     The URL is added to the URL Deny List.

     You can also use patterns with the * wildcard, such as http://*.siroe.com. In this case, users are denied access to all hosts in the siroe.com domain.

  7. Click Save to record the changes.


Set up a URL Allow List

Use this field to list the URLs that end users can access through the gateway. By default the list contains a single wildcard entry (*), which allows every URL. To allow access to all URLs except a few, keep the * entry and add the restricted URLs to the URL Deny List. To allow access only to specific URLs, leave the URL Deny List blank, remove the default * entry, and add the required URLs to the URL Allow List; a URL that matches neither list is then denied. If the * entry is left in place beside the specific entries, the list still allows every URL.

The gateway checks the URL Deny List before checking the URL Allow List.

    To Set up the URL Allow List
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Access List under SRA Configuration.
  4. The Access List page displays.

  5. In the URL Allow List field, specify the URL to which you want to allow access through the gateway. The format for entering the URL is:

     http://abc.siroe.com

  6. Click Add.

     The URL is added to the URL Allow List.


    Note

    The URL Allow List has a * by default, which means that all URLs can be accessed through the gateway. Remove it if only the URLs you add are to be reachable.


  7. Click Save to record the changes.
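The decision logic described above for the URL Deny List and URL Allow List, written out as an added example (this is illustrative code, not the Sun ONE Portal Server gateway implementation). It assumes, per the chapter, that the Deny List is consulted before the Allow List, that an entry such as http://abc.siroe.com matches that URL and any path under it, that * in an entry matches any run of characters, and that a URL matching neither list is denied. The requirement that an entry end at a host or path boundary is this example's own choice, so that an entry for intranet.example.com cannot also match intranet.example.com.evil.net; the example.com hosts and the sample URLs are constructed.

```python
import re
from urllib.parse import urlsplit

# Hypothetical model of the gateway's URL Access List decision (example code,
# not the Sun ONE Portal Server implementation). Assumptions, per the chapter:
#   * the URL Deny List is consulted first, then the URL Allow List;
#   * an entry such as http://abc.siroe.com matches that URL and any path
#     under it, and '*' in an entry matches any run of characters;
#   * a URL that matches neither list is denied.
# The boundary check after an entry is this example's own choice, so that
# http://abc.siroe.com does not also match http://abc.siroe.com.evil.net.


def entry_to_regex(entry):
    """Compile one Access List entry into an anchored regular expression."""
    entry = entry.rstrip("/")        # http://host/ and http://host behave alike
    pieces = [re.escape(part) for part in entry.split("*")]
    # After the entry, require end of URL or a port/path/query/fragment delimiter.
    return re.compile(r"\A" + ".*".join(pieces) + r"(?:[:/?#]|\Z)")


def normalize_url(url):
    """Lower-case the scheme and host so letter case alone cannot bypass a rule."""
    parts = urlsplit(url)
    return parts._replace(scheme=parts.scheme.lower(),
                          netloc=parts.netloc.lower()).geturl()


def gateway_decision(url, deny_list, allow_list):
    """Return ("deny", entry) or ("allow", entry). entry is None for the
    implicit deny that applies when no Allow List entry matches."""
    url = normalize_url(url)
    for entry in deny_list:          # Deny List is checked first and wins
        if entry_to_regex(entry).match(url):
            return ("deny", entry)
    for entry in allow_list:
        if entry_to_regex(entry).match(url):
            return ("allow", entry)
    return ("deny", None)


def evaluate(config, urls):
    """Map each URL to the verdict the given configuration produces."""
    return {u: gateway_decision(u, config["deny"], config["allow"])[0] for u in urls}


# Constructed configurations: the chapter's siroe.com example plus hypothetical
# example.com hosts.
ALLOW_ALL_EXCEPT_SIROE = {           # default '*' kept, restrictions in Deny List
    "deny": ["http://*.siroe.com"],
    "allow": ["*"],
}
ALLOW_ONLY_LISTED = {                # default '*' removed, Deny List left empty
    "deny": [],
    "allow": ["http://intranet.example.com", "https://hr.example.com"],
}
STAR_LEFT_IN_PLACE = {               # pitfall: '*' still present beside new entries
    "deny": [],
    "allow": ["*", "http://intranet.example.com"],
}

SAMPLE_URLS = [                      # constructed sample input
    "http://abc.siroe.com/",
    "http://ABC.Siroe.com/mail",
    "http://www.example.org/",
    "http://intranet.example.com/wiki/Home",
    "https://hr.example.com:8443/payroll",
    "http://hr.example.com/",
    "http://intranet.example.com.evil.net/",
]

if __name__ == "__main__":
    for name, cfg in [("allow all except siroe.com", ALLOW_ALL_EXCEPT_SIROE),
                      ("allow only listed hosts", ALLOW_ONLY_LISTED),
                      ("'*' left in the Allow List", STAR_LEFT_IN_PLACE)]:
        print(name)
        for url, verdict in evaluate(cfg, SAMPLE_URLS).items():
            print(f"  {verdict:5}  {url}")
```

Running the script shows the three configurations side by side: with the default * kept, only the siroe.com hosts are denied; with * removed, only the two listed hosts are reachable, and http://hr.example.com is denied because the entry names the https scheme; with * left in place, the specific entry changes nothing and every URL is allowed.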


Manage Single Sign-On

The Access List service in Secure Remote Access lets you control single sign-on to hosts that use HTTP basic authentication. For single sign-on to be available at all, the Enable HTTP Basic Authentication option in the gateway service must be enabled. See "Enable HTTP and HTTPS Connections".

With the Access List service, you can disable single sign-on for specific hosts. An end user then has to authenticate on every connection to those hosts, unless you also enable single sign-on per session.

With Enable SSO per session selected, a user who has authenticated to a host for which single sign-on is disabled can reconnect to that host within the same Portal Server session without authenticating again. For example, assume that single sign-on is disabled for abc.sesta.com. The first time the user connects to this host in a session, authentication is required. The user may browse other pages and return to this host later, and as long as the Portal Server session is the same, authentication is not required.

A user can also configure these attributes using the limited administration console.
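The three single sign-on settings described above, modelled as an added example (illustrative code, not the Sun ONE Portal Server gateway implementation). It assumes that credentials for a host with single sign-on enabled are kept with the user's profile and reused in later Portal Server sessions, that credentials for a host in the Hosts for which SSO is disabled list are discarded after use, and that with Enable SSO per session they are kept only until the session ends. The user name, session identifiers, wiki.sesta.com host and credentials are constructed.

```python
# Hypothetical model of how a gateway could apply the section's three single
# sign-on settings to HTTP basic-auth credentials (example code, not the
# Sun ONE Portal Server implementation). Assumptions:
#   * host not in "Hosts for which SSO is disabled": credentials are kept with
#     the user's profile and reused in later Portal Server sessions;
#   * host in that list: credentials are discarded, so every connection
#     prompts, unless "Enable SSO per session" is on, in which case they are
#     kept only until the Portal Server session ends.


class BasicAuthSsoStore:
    def __init__(self, sso_disabled_hosts, sso_per_session):
        self.disabled = {h.lower() for h in sso_disabled_hosts}
        self.per_session = sso_per_session
        self._profile = {}   # (user, host) -> credentials; survives sessions
        self._session = {}   # (session_id, host) -> credentials; dropped at logout

    def policy_for(self, host):
        """'persistent', 'session' or 'none', from the two settings."""
        if host.lower() not in self.disabled:
            return "persistent"
        return "session" if self.per_session else "none"

    def remember(self, user, session_id, host, credentials):
        """Store credentials after a successful basic-auth login, as policy allows."""
        host = host.lower()
        policy = self.policy_for(host)
        if policy == "persistent":
            self._profile[(user, host)] = credentials
        elif policy == "session":
            self._session[(session_id, host)] = credentials
        return policy                       # 'none': nothing is retained

    def credentials_for(self, user, session_id, host):
        """Credentials the gateway may replay, or None if the user must log in."""
        host = host.lower()
        return (self._profile.get((user, host))
                or self._session.get((session_id, host)))

    def needs_login(self, user, session_id, host):
        return self.credentials_for(user, session_id, host) is None

    def end_session(self, session_id):
        """Portal Server logout: discard everything held only for this session."""
        for key in [k for k in self._session if k[0] == session_id]:
            del self._session[key]


def walkthrough(sso_per_session):
    """Replay the chapter's abc.sesta.com scenario (constructed names).
    Returns, in order, whether each connection prompts for a login."""
    store = BasicAuthSsoStore(sso_disabled_hosts=["abc.sesta.com"],
                              sso_per_session=sso_per_session)
    user, s1, s2 = "jdoe", "session-1", "session-2"
    creds = ("jdoe", "s3cret")          # constructed basic-auth credentials
    prompts = []

    # First connection to the SSO-disabled host in session 1: always prompts.
    prompts.append(store.needs_login(user, s1, "abc.sesta.com"))
    store.remember(user, s1, "abc.sesta.com", creds)
    # Returning to the same host later in the same session.
    prompts.append(store.needs_login(user, s1, "abc.sesta.com"))
    # A host with SSO enabled: first login prompts, then goes to the profile.
    prompts.append(store.needs_login(user, s1, "wiki.sesta.com"))
    store.remember(user, s1, "wiki.sesta.com", creds)
    # Log out and start a new Portal Server session.
    store.end_session(s1)
    prompts.append(store.needs_login(user, s2, "abc.sesta.com"))
    prompts.append(store.needs_login(user, s2, "wiki.sesta.com"))
    return prompts


if __name__ == "__main__":
    print("SSO per session on: ", walkthrough(True))
    print("SSO per session off:", walkthrough(False))
```

With Enable SSO per session on, the second connection to abc.sesta.com in session 1 does not prompt, but the first connection in session 2 does; with it off, every connection to abc.sesta.com prompts. wiki.sesta.com, where SSO stays enabled, prompts once and never again, which is also why the credentials it stores are the more sensitive asset.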

    To Disable SSO for Hosts
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Access List under SRA Configuration.
  4. The Access List page displays.

  5. In the Hosts for which SSO is disabled field, specify the host for which you want to disable SSO, in the format abc.siroe.com.
  6. Click Add.

     The host name is added to the list.

  7. Click Save to record the changes.

    To Enable SSO per Session
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Access List under SRA Configuration.
  4. The Access List page displays.

  5. Select the Enable SSO per session checkbox.
  6. Click Save to record the changes.

    To Specify Authorization Levels
  1. Log in to the Identity Server administration console as administrator.
  2. Select the Service Configuration tab.
  3. Click the arrow next to Access List under SRA Configuration.
  4. The Access List page displays.

  5. Scroll to the Allowed Auth levels field.
  6. Enter the auth levels to allow. Use an asterisk to allow all levels.
  7. Click Save to record the changes.


Customize the Access List Interface

Edit the access list properties file to change the labels on the access list user interface in the Identity Server administration console. Edit the file:

portal-server-install-root/SUNWam/locale/SRAGatewayAccess.properties

The following sample shows the lines that can be customized:

  sunPortalGatewayAccessServiceDescription=Access List
  d02=URL Allow List
  d05=Policy to Enable/Disable SSO
  d04=Enable SSO per Session
  d03=Hosts for Which SSO is Disabled
  d01=URL Deny List
  d06=Allowed Auth levels

You can change the label text to the right of the equals sign, but not the key (such as d01) to its left, because the console looks up each label by its key.





Copyright 2003 Sun Microsystems, Inc. All rights reserved.