22.10 Extending Authentication Schemes with Advanced Rules

Advanced Rules have been added to allow for extending an existing authentication policy.

Both Pre-Authentication and Post-Authentication rules can be applied, although the following configurations are not supported by Post-Authentication Rules:

  • Two or more resources fronted by the same OHS/WebGate and protected by the same Authentication Scheme.

  • A Post-Authentication rule configured for one of the resources defined in step-up authentication.

  • A user accesses a resource for which no Post-Authentication rule is configured, followed by a resource for which a Post-Authentication rule is configured for step-up authentication. In this case, the Post-Authentication rule configured for the second resource is not effective.

Note:

Advanced Rules are part of the Adaptive Authentication Service for which a license is required. See About Adaptive Authentication Service.

Advanced Rules contain Boolean expressions. If more than one rule triggers for an Authentication Scheme, the outcome with the lowest execution order is chosen as the final outcome. Table 22-24 documents the attributes that need to be defined when creating an Advanced Rule.

Table 22-24 Advanced Rules Attributes

Name | Description
Name | AuthnRule name. The name has to be unique within the checkpoint.
Description | Description of the rule.
Execution Order | Order in which the outcome is executed when more than one outcome is triggered.
Condition | Script; the user can configure a condition based on the HTTP request header's availability and set the desired outcome.
Outcome | ID of the Authentication Scheme to which the rule applies (Access), or Deny Access.

Note:

If the Deny Access option is selected, an error message, The requested URL was not found, is displayed.

See the following sections for details.

22.10.1 Advanced Rules Use Cases

Advanced Rules can be configured for the following use cases:

  • Non-Browser Client - For user authentication, a form-based login page is presented through the browser for the user to complete. In some cases, a non-browser client (switches, routers and the like) might need to do basic authentication based on credentials passed in the request header. Non-browser client authentication can be configured as a pre-authentication Advanced Rule only. To support it, configure the desired condition in an Authentication Rule (based on the HTTP request header's availability) and set the desired outcome.

  • Windows Native Authentication Option - An Advanced Rule can be configured to switch between Windows Native Authentication (WNA) and form-based user authentication depending on whether the user comes through VPN or the corporate network.

  • User Authentication Scheme Option - An Advanced Rule can be configured to allow the user to choose the method of authentication. The choice is passed as a request parameter.

  • Second Factor Authentication - An Advanced Rule can be configured to require Second Factor Authentication (SFA) based on defined user or request attributes. For details on SFA, see Introducing the Adaptive Authentication Service.

Table 22-25 contains examples of how the conditions might be configured in these Advanced Rules use cases.

Table 22-25 Sample Advanced Rules

Sample Rule | Sample Jython Script-based Condition | Notes
Switching authentication scheme based on private or public IP | location.clientIP.startswith('10.') or location.clientIP.startswith('172.16') or location.clientIP.startswith('192.168') | Can be used in Pre and Post authentication checkpoints
Blacklisted IP | location.clientIP in ['130.35.50.115', '130.35.50.112', '130.35.50.113'] | Can be used in Pre and Post authentication checkpoints
Client browser type | request.userAgent.lower().find('firefox') >= 0 | Can be used in Pre and Post authentication checkpoints
Blocking access for a user whose 'description' attribute equals 'test' | user.userMap['description'] == 'test' | Can be used only in Post authentication checkpoints
Non-browser client | request.authorization.lower().startswith('basic') | Can be used only in Pre authentication checkpoints
Custom HTTP header value | request.requestMap['param'] == 'test' | Can be used in Pre and Post authentication checkpoints
Switching authentication scheme based on IP address range | location.isIPinRange('192.35.50.180','192.35.50.188') | Can be used in Pre and Post authentication checkpoints

22.10.2 Context Data for Advanced Rules

Before executing the Authentication Condition, the Access Manager server prepares a request context from the available data; the Boolean-expression condition is evaluated against this context.

The following tables describe the various context data details.

Table 22-26 Request Context Data

Attribute Name | Description
requestMap | Map of all the request headers, parameters and post data values. For example, the following condition reads the custom-header key from the request headers and checks whether its value contains 'test': request.requestMap['custom-header'].lower().find('test') >= 0
resourceMap | Map of matched resource details
accept | Returns the 'Accept' header value
acceptCharset | Returns the 'Accept-Charset' header value
acceptEncoding | Returns the 'Accept-Encoding' header value
acceptLanguage | Returns the 'Accept-Language' header value
authorization | Returns the 'Authorization' header value
connection | Returns the 'Connection' header value
contentLength | Returns the 'Content-Length' header value
cookie | Returns the 'Cookie' header value
host | Returns the 'Host' header value
ifModifiedSince | Returns the 'If-Modified-Since' header value
pragma | Returns the 'Pragma' header value
referer | Returns the 'Referer' header value
userAgent | Returns the 'User-Agent' header value
resourceHost | Returns the matched Resource's Host value
resourcePort | Returns the matched Resource's Port value
resourceOperation | Returns the matched Resource's Operation value
resourceQueryString | Returns the matched Resource's QueryString
resourceName | Returns the matched Resource's name
resourceType | Returns the matched Resource's Type
resourceURL | Returns the matched Resource's URL; for example, the condition 'landingPage' in request.resourceURL evaluates to true if the resource URL contains landingPage.
isIPinRange('start IP', 'end IP') | Evaluates to true if location.clientIP is in the specified range. For example: location.isIPinRange('192.35.50.180','192.35.50.188')

Table 22-27 Location Context Data

Attribute Name | Description
locationMap | Map of all the location data values; for example: location.locationMap['CLIENT_IP'] == '10.1.23.4'
clientIP | Returns the client IP address; for example: location.clientIP.startswith('10.2')
proxyIP | Returns the proxy IP address

Table 22-28 Session Context Data

Attribute Name | Description
sessionMap | Map of all the session data values; for example: session.sessionMap['count'] > 2
count | Returns the number of sessions for the current user; for example: session.count > 2

Table 22-29 User Context Data

Attribute Name | Description
userMap | Map of all the user profile data; for example: user.userMap['email'] == 'john.joe@example.com'
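The evaluation model described in 22.10 and the context data of Tables 22-26 to 22-29, as an added Python example that is not Oracle's code: it builds stand-in request, location and user context objects, evaluates a rule set constructed from the Table 22-25 samples, and resolves several triggered rules by lowest Execution Order. The class names, the DENY and scheme-ID outcome strings, the rule tuple layout, the empty-string default for a missing header and the treatment of a condition that raises are all assumptions.

```python
# Constructed simulation of Advanced Rule evaluation; not Oracle's code. Models
# the request/location/user context of Tables 22-26 to 22-29 and the "lowest
# Execution Order outcome wins" resolution described in 22.10.
class Request:
    def __init__(self, headers, resource_url):
        self.requestMap = dict(headers)  # headers, parameters and post data
        self.userAgent = headers.get('User-Agent', '')  # assumed '' if absent
        self.authorization = headers.get('Authorization', '')
        self.resourceURL = resource_url

class Location:
    def __init__(self, client_ip, proxy_ip=''):
        self.clientIP, self.proxyIP = client_ip, proxy_ip
        self.locationMap = {'CLIENT_IP': client_ip}

    def isIPinRange(self, start, end):
        # Numeric octet comparison: unlike startswith('172.16'), which also
        # matches 172.160.0.0/16, a range check cannot over-match.
        octets = lambda ip: tuple(int(o) for o in ip.split('.'))
        return octets(start) <= octets(self.clientIP) <= octets(end)

class User:
    def __init__(self, attrs):
        self.userMap = dict(attrs)  # user profile attributes, e.g. 'description'

def evaluate_rules(rules, request, location, user=None):
    """rules: list of (name, execution_order, condition, outcome). Returns the
    outcome of the lowest-ordered triggered rule, or None when nothing fires."""
    scope = {'request': request, 'location': location, 'user': user}
    triggered = []
    for name, order, condition, outcome in rules:
        try:
            # eval() mimics the server's Jython step over admin-authored conditions
            fired = bool(eval(condition, {'__builtins__': {}}, scope))
        except Exception:
            fired = False  # assumption: a condition that raises does not fire
        if fired:
            triggered.append((order, name, outcome))
    return min(triggered)[2] if triggered else None

# Pre-authentication rule set built from the Table 22-25 samples (constructed).
PRE_AUTH_RULES = [
    ('Blacklisted IP', 1, "location.clientIP in ['130.35.50.115', "
     "'130.35.50.112', '130.35.50.113']", 'DENY'),
    ('Corporate network', 2, "location.clientIP.startswith('10.') or "
     "location.isIPinRange('192.35.50.180', '192.35.50.188')", 'WNAScheme'),
    ('Non browser client', 3,
     "request.authorization.lower().startswith('basic')", 'BasicScheme'),
]
```

A client on 10.1.23.4 sending a Basic Authorization header triggers both the order-2 and order-3 rules, and the order-2 outcome wins; a blacklisted address is denied regardless of the other rules because its order is lowest.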