I am trying to implement a custom solution, where I have a requirement: I need to send some static value like False as a response if the particular user is not present in that AD group.
For example, I want to create a policy where I attach a rule and a response, but I need to send the response only if the user is not present in the AD group.
Suppose the AD group is CN=abc,OU=IDM,OU=P001,OU=GRP. If the end user is not present in this group, I should send a response back to the application, i.e. a static response like: WebAgent-HTTP-Header-Variable abc=false.
Now, generally we can configure the policy for a user who is present in the group; how can we create a policy for a user who is not present in the group and still send a response back?
Your help would be highly appreciated!!
How about using an OnAccessReject rule for Authorization Event Actions?
Here is a KB article which might help. While it explains the OnAuthAttempt event, it would be similar.
How can an OnAuthAttempt response be tied to a rule?
I hope this would help.
Thank you for the input.
But here I am looking to post an HTTP header response if the user is not present in that particular group. The above article is for the WebAgent-OnReject-Redirect response, which I am not looking for right now.
I just need to post the header, i.e. a static value, if the user is not present in the group. Generally we can easily do this if the user is present in the AD group and can send an HTTP header response, but how do I do it when I am looking at a scenario where the user is not present in that group and I need to send a static HTTP header value based on that?
1. Create a rule like "Access Reject rule"
2. Create a response like "Access Reject Response" with the required header values
3. Create a policy like "Access Reject Policy":
   - Allow every user in the Users tab
   - Add the "Access Reject rule" rule
   - Associate "Access Reject Response" with the above rule
4. Submit the policy
This will serve your requirement.
Apologies for the delayed response.
The above suggestion seems to be perfect, but when I implemented it, the rule and response are not getting triggered if the user is not present in the group.
I cannot see any response generated; I am sending a static HTTP header value.
Is there anything that I am missing here?
Please let me repeat: in this case, WebAgent-HTTP-Header-Variable does not work, and you may use WebAgent-HTTP-Cookie-Variable instead.
If the user is not present in that particular group, he/she will be AzRejected by your policy. Then, normally, login.fcc will be present again. The login.fcc will not have your HTTP Header response because WebAgent-HTTP-Header-Variable enables a Web Agent to pass the value to a Web application (not to Web browser). In this case, you may use WebAgent-HTTP-Cookie-Variable instead so that the browser will have the cookie.
The above comment by GopiReddyIrala is really good, explaining it step by step. Thanks for the post.
1) Create a second Policy (e.g. "UnAuthorized_Policy")
2) Create a Rule within the "UnAuthorized_Policy" (e.g. "UnAuthorized_Rule")
   Resource: Same as the ALLOW Rule
   Action: Authorization Events: OnAccessReject
3) Create a Response (e.g. "UnAuthorized_Response")
   Attribute Type: WebAgent-OnReject-Redirect OR WebAgent-OnReject-Text
   Attribute Kind: Static
   Variable Value: path to the Redirect Page or Text (depending on which Attribute Type you choose)
4) Configure the Policy for ALL USERS in the user directory
5) Tie the UnAuthorized_Rule and UnAuthorized_Response to the UnAuthorized_Policy
I would suggest creating an UnAuthorized web page and placing it in an unprotected directory and redirecting the user to that page.
Users who are authorized to access the resource will be redirected to the resource. Users who are authenticated, but not authorized to access the resource, will be redirected to the unauthorized page or presented with the Text, depending on which you chose.
This should allow you to achieve your use case.
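The following is an added example, not code from any of the posters above or from SiteMinder itself: a small constructed Python model of the policy behaviour the thread describes, covering both the "Access Reject Policy" steps and the "UnAuthorized_Policy" steps. It assumes a simplified two-phase evaluation (a web-action rule in a policy that includes the user grants access; if no such rule matches, OnAccessReject rules in policies that include the user fire), a sentinel value ALL_USERS for a policy bound to every user in the directory, and a hypothetical resource path /app/. It also models the delivery rule stated earlier in the thread: a WebAgent-HTTP-Header-Variable is handed to the protected application, so on a rejection it never reaches anyone, while a WebAgent-HTTP-Cookie-Variable or an OnReject redirect goes to the browser.

```python
from dataclasses import dataclass, field

GROUP_DN = "CN=abc,OU=IDM,OU=P001,OU=GRP"   # the AD group named in the thread
ALL_USERS = "*"                              # constructed sentinel: policy bound to every directory user


@dataclass
class Response:
    attr_type: str    # response attribute type name as used in the thread
    name: str
    value: str


@dataclass
class Rule:
    resource: str
    action: str                         # "Web:GET" (web action) or "OnAccessReject" (authorization event)
    responses: list = field(default_factory=list)


@dataclass
class Policy:
    name: str
    bound_to: str                       # a group DN or ALL_USERS
    rules: list = field(default_factory=list)


def applies(policy, user_groups):
    """A policy can only fire for users it is bound to (a group, or all users)."""
    return policy.bound_to == ALL_USERS or policy.bound_to in user_groups


def deliver(responses, result, reached_app):
    """Route response attributes to where the agent would actually pass them."""
    for resp in responses:
        if resp.attr_type == "WebAgent-HTTP-Header-Variable":
            if reached_app:             # header goes to the web application only; dropped on reject
                result["to_app"][resp.name] = resp.value
        elif resp.attr_type == "WebAgent-HTTP-Cookie-Variable":
            result["to_browser"]["cookie:" + resp.name] = resp.value
        elif resp.attr_type in ("WebAgent-OnReject-Redirect", "WebAgent-OnReject-Text"):
            result["to_browser"][resp.attr_type] = resp.value


def evaluate(user_groups, resource, policies):
    """Constructed two-phase model: authorize, then fire OnAccessReject rules if rejected."""
    result = {"authorized": False, "to_app": {}, "to_browser": {}, "fired_rules": []}
    # Phase 1: a matching web-action rule in a policy that includes the user grants access.
    for p in policies:
        if not applies(p, user_groups):
            continue
        for r in p.rules:
            if r.action == "Web:GET" and resource.startswith(r.resource):
                result["authorized"] = True
                result["fired_rules"].append(f"{p.name}:{r.action}")
                deliver(r.responses, result, reached_app=True)
    if result["authorized"]:
        return result
    # Phase 2: access was rejected, so OnAccessReject rules fire, but still only in
    # policies that include this user. This is why the reject policy must cover ALL USERS.
    for p in policies:
        if not applies(p, user_groups):
            continue
        for r in p.rules:
            if r.action == "OnAccessReject" and resource.startswith(r.resource):
                result["fired_rules"].append(f"{p.name}:{r.action}")
                deliver(r.responses, result, reached_app=False)
    return result


def build_policies(resource="/app/"):
    """Constructed policy set mirroring the thread: allow for group members, reject for everyone else."""
    allow = Policy("Allow_Policy", GROUP_DN, [
        Rule(resource, "Web:GET", [Response("WebAgent-HTTP-Header-Variable", "abc", "true")]),
    ])
    reject = Policy("UnAuthorized_Policy", ALL_USERS, [
        Rule(resource, "OnAccessReject", [
            Response("WebAgent-HTTP-Header-Variable", "abc", "false"),      # never reaches the app
            Response("WebAgent-HTTP-Cookie-Variable", "abc", "false"),      # reaches the browser
            Response("WebAgent-OnReject-Redirect", "", "/public/unauthorized.html"),
        ]),
    ])
    return [allow, reject]


if __name__ == "__main__":
    policies = build_policies()
    print("member    :", evaluate({GROUP_DN}, "/app/index.html", policies))
    print("non-member:", evaluate(set(), "/app/index.html", policies))
```

Rebinding the reject policy to the group DN instead of ALL_USERS reproduces the "nothing fires" symptom reported above: a non-member is not in the policy's user set, so its OnAccessReject rule is never considered, and the static header in the reject response is dropped in any case because the application is never reached.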