22.10 Extending Authentication Schemes with Advanced Rules

Advanced Rules extend an existing Authentication Scheme with scripted conditions that are evaluated at a Pre-Authentication or Post-Authentication checkpoint and that, when true, either switch the user to another Authentication Scheme or deny access.

Both Pre-Authentication and Post-Authentication rules can be applied, but the following step-up configuration is not supported by Post-Authentication rules:

  • Two or more resources front-ended by the same OHS/WebGate and protected by the same Authentication Scheme.

  • A Post-Authentication rule configured for one of those resources to perform step-up authentication.

  • A user accesses a resource for which no Post-Authentication rule is configured, followed by a resource for which a Post-Authentication rule is configured for step-up authentication. In this case the Post-Authentication rule configured for the second resource is not effective.


Advanced Rules are part of the Adaptive Authentication Service for which a license is required. See About Adaptive Authentication Service.

Advanced Rules contain Boolean expressions. If more than one rule at a checkpoint triggers an outcome for an Authentication Scheme, the outcome with the lowest execution order is chosen as the final outcome. Table 22-24 documents the attributes that need to be defined when creating an Advanced Rule.

Table 22-24 Advanced Rules Attributes

Name | Description

Name

AuthnRule name; the name must be unique within the checkpoint.

Description

Description of the rule.

Execution Order

Order in which the outcome is executed when more than one rule triggers; the outcome with the lowest value wins.


Condition script; a Jython Boolean expression written against the request context (for example, whether a given HTTP request header is present) that sets the desired outcome when it evaluates to true.


Outcome when the condition is true: either the ID of the Authentication Scheme to switch to, or Deny Access.


If the Deny Access option is selected, the error message "The requested URL was not found" is displayed to the user.

See the following sections for details.

22.10.1 Advanced Rules Use Cases

Advanced Rules are intended for the following use cases:

  • Non Browser Client - For user authentication, a form-based login page is normally presented in the browser for the user to complete. A non-browser client (switches, routers and the like) may instead need to perform basic authentication with credentials passed in a request header. Non-browser client authentication can be configured as a Pre-Authentication Advanced Rule only: write a condition that tests for the presence of the relevant HTTP request header and set the desired outcome (the Authentication Scheme to switch to).

  • Windows Native Authentication Option - An Advanced Rule can be configured to switch between Windows Native Authentication (WNA) and form-based user authentication depending on whether the user comes in through a VPN or from the corporate network.

  • User Authentication Scheme Option - An Advanced Rule can be configured to allow the user to choose the method of authentication. The choice would be passed as a request parameter.

  • Second Factor Authentication - An Advanced Rule can be configured to allow for Second Factor Authentication (SFA) based on defined user or request attributes. For details on SFA, see Introducing the Adaptive Authentication Service.

Table 22-25 contains examples of how the conditions might be configured in these Advanced Rules use cases.

Table 22-25 Sample Advanced Rules

Sample Rule | Sample Jython Script-based Condition | Notes

Switching authentication scheme based on private or public IP

location.clientIP.startswith('10.') or location.clientIP.startswith('172.16.') or location.clientIP.startswith('192.168.')

This rule can be used in Pre and Post authentication checkpoints. Note that a prefix test on '172.16.' covers only 172.16.0.0/16; the private range 172.16.0.0/12 runs through 172.31.255.255, so use isIPinRange (Table 22-26) when the whole range is meant. The rule trusts location.clientIP, so when a proxy or load balancer sits in front of OHS, make sure the address Access Manager sees is the real client address and not one the client can set in a header.

Blacklisted IP

location.clientIP in ['', '', '']

This rule can be used in Pre and Post authentication checkpoints

Client Browser Type

request.userAgent.lower().find('firefox') >= 0

This rule can be used in Pre and Post authentication checkpoints. find() returns -1 when the substring is absent, so compare with >= 0 rather than > 0, which would miss a match at the very start of the header.

Blocking access to user having user attribute 'description' equals 'test'

user.userMap['description'] == 'test'

This rule can be used only in Post authentication checkpoints, because user profile data (Table 22-29) is available only after the user has been identified.

Non browser client


This rule can be used only in Pre authentication checkpoints. The condition tests whether the request header that carries the client's credentials is present (see the Non Browser Client use case above).

Custom HTTP header or parameter value

request.requestMap['param'] == 'test'

This rule can be used in Pre and Post authentication checkpoints. request.requestMap holds request headers, parameters and post data alike (Table 22-26), so the same form works for a custom header.

Switching authentication scheme based on IP address in range


This rule can be used in Pre and Post authentication checkpoints. The condition is written with isIPinRange (Table 22-26).

22.10.2 Context Data for Advanced Rules

Before executing the Authentication Condition, the Access Manager server prepares a request context from the available data; the Boolean condition is evaluated against that context.

The following tables describe the various context data details.

Table 22-26 Request Context Data

Attribute Name | Description

request.requestMap

Map of all the request headers, parameters and post data values. For example, this condition reads the custom-header key from the request map and is true when its value contains 'test':

request.requestMap['custom-header'].lower().find('test') >= 0


Map of matched resource details


Returns 'Accept' header value


Returns 'Accept-Charset' header value


Returns 'Accept-Encoding' header value


Returns 'Accept-Language' header value


Returns 'Authorization' header value


Returns 'Connection' header value


Returns 'Content-Length' header value


Returns 'Cookie' header value


Returns 'Host' header value


Returns 'If-Modified-Since' header value


Returns 'Pragma' header value


Returns 'Referer' header value

request.userAgent

Returns 'User-Agent' header value


Returns matched Resource's Host value


Returns matched Resource's Port value


Returns matched Resource's Operation value


Returns matched Resource's QueryString


Returns matched Resource's name


Returns matched Resource's Type

request.resourceURL

Returns the matched Resource's URL; for example, the condition 'landingPage' in request.resourceURL evaluates to true if the resource URL contains landingPage.

isIPinRange('start IP', 'end IP')

Evaluates to true if location.clientIP lies within the range delimited by the two addresses.


Table 22-27 Location Context Data

Attribute Name | Description

location.locationMap

Map of all the location data values; for example:

location.locationMap['CLIENT_IP'] == ''

location.clientIP

Returns the client IP address; the sample conditions in Table 22-25 compare it with startswith, list membership and isIPinRange.


Returns Proxy IP address

Table 22-28 Session Context Data

Attribute Name | Description

session.sessionMap

Map of all the session data values; for example:

session.sessionMap['count'] > 2

session.count

Returns the number of sessions for the current user; for example: session.count > 2

Table 22-29 User Context Data

Attribute Name | Description

user.userMap

Map of all the user profile data; for example: user.userMap['email'] == 'john.joe@example.com'. User data is available only at Post-Authentication checkpoints.
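The following is an added example, not Oracle's code and not part of the Access Manager documentation. It simulates offline how the context data in Tables 22-26 to 22-29, the sample conditions in Table 22-25 and the execution-order tie-break described in section 22.10 fit together. Assumptions made for the example: a plain Python eval with no builtins stands in for the embedded Jython engine; isIPinRange is reimplemented here; requestMap stores header and parameter names exactly as the client sent them; and every rule name, scheme name, header value and IP address is constructed sample data.

```python
"""Simulation of how Access Manager evaluates Advanced Rules (added example).

The context objects use the attribute names shown on this page
(request.requestMap, request.userAgent, request.resourceURL,
location.clientIP, location.locationMap, session.count, session.sessionMap,
user.userMap). Python eval stands in for the embedded Jython engine and
isIPinRange is reimplemented here; both are assumptions of this example.
All rule names, scheme names, headers and IP addresses are constructed.
"""
import ipaddress


class _Ctx:
    """Attribute bag standing in for one of the context objects."""

    def __init__(self, **attrs):
        self.__dict__.update(attrs)


def make_context(headers, client_ip, params=None, user_attrs=None,
                 session_count=1, resource_url='/'):
    """Build the request/location/session/user objects a condition sees.

    Assumed: requestMap holds headers and parameters under the names the
    client sent, matching request.requestMap['custom-header'] and
    request.requestMap['param'] in the samples.
    """
    request_map = dict(headers)
    request_map.update(params or {})
    return {
        'request': _Ctx(requestMap=request_map,
                        userAgent=headers.get('User-Agent', ''),
                        resourceURL=resource_url),
        'location': _Ctx(clientIP=client_ip,
                         locationMap={'CLIENT_IP': client_ip}),
        'session': _Ctx(count=session_count,
                        sessionMap={'count': session_count}),
        'user': _Ctx(userMap=dict(user_attrs or {})),
    }


def evaluate(condition, ctx):
    """Evaluate one Jython-style Boolean condition string against ctx."""
    def isIPinRange(start_ip, end_ip):
        # True when location.clientIP lies between the two addresses.
        ip = ipaddress.ip_address(ctx['location'].clientIP)
        return (ipaddress.ip_address(start_ip) <= ip
                <= ipaddress.ip_address(end_ip))

    # No builtins: the condition may only touch the context and isIPinRange.
    scope = dict(ctx, isIPinRange=isIPinRange, __builtins__={})
    return bool(eval(condition, scope))


def triggered_rules(rules, ctx):
    """Names of every rule at a checkpoint whose condition is true."""
    return [r['name'] for r in rules if evaluate(r['condition'], ctx)]


def resolve_outcome(rules, ctx):
    """Tie-break from section 22.10: of all triggered rules, the one with
    the lowest execution order supplies the final outcome. None means no
    rule triggered and the scheme runs unchanged."""
    hits = [r for r in rules if evaluate(r['condition'], ctx)]
    if not hits:
        return None
    return min(hits, key=lambda r: r['executionOrder'])['outcome']


# Pre-authentication rules. The deny rule gets the lowest execution order
# on purpose, so a scheme switch can never outrank it.
PRE_AUTH_RULES = [
    {'name': 'BlacklistedIP', 'executionOrder': 1,
     'condition': "location.clientIP in ['203.0.113.7', '203.0.113.8']",
     'outcome': 'Deny Access'},
    {'name': 'NonBrowserClient', 'executionOrder': 2,
     'condition': "'Authorization' in request.requestMap",
     'outcome': 'BasicScheme'},
    {'name': 'CorporateNetwork', 'executionOrder': 3,
     # isIPinRange covers all of 172.16.0.0/12; a startswith('172.16')
     # prefix test would miss 172.17 through 172.31.
     'condition': ("location.clientIP.startswith('10.') or "
                   "isIPinRange('172.16.0.0', '172.31.255.255') or "
                   "location.clientIP.startswith('192.168.')"),
     'outcome': 'KerberosScheme'},
]

# Post-authentication rules: user.* data exists only at this checkpoint.
# .get() keeps the condition False for users without the attribute instead
# of raising, which a plain user.userMap['description'] lookup would do.
POST_AUTH_RULES = [
    {'name': 'TestAccountsBlocked', 'executionOrder': 1,
     'condition': "user.userMap.get('description') == 'test'",
     'outcome': 'Deny Access'},
    {'name': 'TooManySessions', 'executionOrder': 2,
     'condition': 'session.count > 2',
     'outcome': 'Deny Access'},
]

FIREFOX_UA = 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0'

if __name__ == '__main__':
    basic = {'Authorization': 'Basic dXNlcjpwYXNz'}
    for label, ctx in [
        ('browser on corporate LAN', make_context({'User-Agent': FIREFOX_UA}, '172.20.5.9')),
        ('router with Basic credentials', make_context(basic, '172.20.5.9')),
        ('blacklisted router', make_context(basic, '203.0.113.7')),
    ]:
        print(label, triggered_rules(PRE_AUTH_RULES, ctx), resolve_outcome(PRE_AUTH_RULES, ctx))
```

Running the file shows the tie-break at work: a router on the corporate LAN triggers both NonBrowserClient and CorporateNetwork, and the lower execution order (the basic-auth scheme switch) wins; the same router from a blacklisted address triggers BlacklistedIP as well, and because that rule carries order 1 the final outcome is Deny Access. Had the deny rule been given a higher order than the scheme switch, the blacklisted client would have been offered basic authentication instead, which is why ordering deserves the same review as the conditions themselves.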