The requirement I have is to redirect the user to an error page when the user is unauthorized. Here is the case: userX is authorized to access application1 but not application2. So when userX is already logged into application1 and tries to access application2, instead of the login.fcc page being displayed, I want to redirect userX to an error page saying, "You are not authorized to access this application."
So what I did is: created a rule on Authorization Events: Action [OnAccessReject]; Deny Access [Enabled].
And in the response part, what I did is: selected WebAgent-OnReject-Redirect; Attribute Kind: Static; Variable Value: AuthFailure/AuthFailure.htm
But it is still not happening. Could you please tell me the steps I should follow?
P.S.: I am not using SPS/Federation.
Did you create a separate Policy for Reject and Allow?
The Reject Policy should have the OnAccessReject Rule, mapped to Reject Redirect Response - with "All" in Users.
Hi Hubert, I have got another issue right now. I am trying to enable the reset password option for users once they log into the application. So what I did is, in the application page I created a hyperlink to the smpwservices.fcc page, just as below:
And also in the password policies, I created a policy enabling it on the whole directory and set the redirection URL as /siteminder/forms/smpwservices.fcc
Now, when I enabled the password policy, it redirected me to the authentication page, which I configured earlier. And when I disabled the password policy, it redirected to the application page, and the smpwservices page redirected to the target page. But the password was not getting changed.
Could you please help?
Hi Hubert, What do you mean by separate policy here?
Is it like, for a single web agent, we need to have two different policies? One for accept conditions and the other for reject conditions?
Could you kindly explain what I need to do in order to redirect users on authorization as well as authentication failures?
Here, by authentication page I mean the error page in case of authentication failure.
I believe the thread "Unable to enable the self password change option" has been initiated to discuss this issue; let us discuss it there. It is good to open a different discussion thread for each issue, rather than discuss all issues in one thread.
I was referring to a Policy object within a Policy Domain (the WebAgent is linked to Realms within the Policy Domain). See below an example where we have a single accept policy defined.
Create another policy called 'azreject_policy_policydomainName'. Add the AzReject Rule and map the AzRedirectResponse to the AzReject Rule within this Policy. In the Users tab, opt for 'ALL'. Repeat the same steps for the AuthReject Rule.
Hi Hubert, I also tried doing the same. But after rolling out the policy as suggested by you, the applications were also enabling access to unauthorized users, since under the Users tab I selected [Add ALL].
What I have done till now is as follows:
Two applications on two different servers, one on IIS, the other on OHS.
1) Initially I had two policies:
i) In the policy for IIS: one realm containing the rule on web action [GET, POST]; I didn't have any rule set for redirect on Accept under Authentication or Authorization actions.
ii) Similarly for OHS: one realm containing the rule on web action [GET, POST]; I didn't have any rule set for redirection on the Accept condition for Authorization/Authentication, just as above.
Now, as you suggested having a different policy set for rejection, I created the policy, and in the policy I created two rules: web actions, as I did before, and OnAuthReject, both for Authentication and Authorization, and also created a response. The response page remains the same for both actions. But the result I got is highly disappointing.
I don't understand why you asked me to create a different policy for the same domain.
Can't two different sets of rules remain under the same policy?
Is it necessary to have active rules/responses set up for the OnRejectRedirect thing to happen? Wouldn't a response containing a static attribute type work?
Also, can a global response be mapped to any rule from any domain, so that the response could just be used anywhere?
Please clarify my queries.
Ah, in the reject policy we never add ACCEPT/ALLOW/GET-POST-PUT rules. Read below; hopefully this will assist in understanding how rules should be grouped.
The reason we created different policies is to segregate accept/allow policies from reject/disallow policies. I am detailing how your configuration should look. The rule of thumb is that all ACCEPT/ALLOW/GET-POST-PUT rules should be in one policy and REJECT/DENY/DISALLOW rules should be in a different policy.
Realms under PolicyDomainA
Realm1: /iisresource
Realm2: /ohsresource
Response under PolicyDomainA
Policies created under PolicyDomainA
Accept_Policy_IIS: only users from cn=GroupA or ou=GroupA are allowed to access the IIS resource
Accept_Policy_OHS: only users from cn=GroupB or ou=GroupB are allowed to access the OHS resource
Question: Can't two different sets of rules remain under the same policy?
Question: Also, can a global response be mapped to any rule from any domain, so that the response could just be used anywhere?
Hope I have answered all your queries.
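To make the grouping rule above concrete, here is an added example that is not part of the thread and is not SiteMinder code. It is a deliberately simplified model of how policies, user sets and rules combine: a request is allowed when some policy whose Users tab matches the user carries a GET/POST (web-action) rule for the realm; otherwise the OnAccessReject response of a matching policy is returned. The realm names, group names, policy names and the AuthFailure/AuthFailure.htm redirect are taken from the posts above; the `evaluate` function and its evaluation order are assumptions that approximate, not reproduce, the real Policy Server. The point it demonstrates is the failure reported earlier in the thread: once GET/POST rules are placed in the ALL-users reject policy, every user is authorized for both realms, whereas a reject policy holding only OnAccessReject rules sends unauthorized users to the error page without granting anyone access.

```python
"""Simplified model of SiteMinder policy grouping (constructed example, not product code).

Shows why the reject policy (Users = ALL) must carry only OnAccessReject rules and
never the GET/POST rules that live in the accept policies.
"""
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List, Optional, Tuple

# Stands in for the 'Add All' selection in a policy's Users tab (assumption).
ALL: FrozenSet[str] = frozenset({"*"})


@dataclass(frozen=True)
class Rule:
    realm: str   # e.g. "/iisresource"
    event: str   # "web_action" for a GET/POST rule, "on_access_reject" for the Authorization Event rule


@dataclass(frozen=True)
class Policy:
    name: str
    users: FrozenSet[str]                  # directory groups the policy applies to, or ALL
    rules: Tuple[Rule, ...]
    reject_redirect: Optional[str] = None  # WebAgent-OnReject-Redirect response bound to the policy


def applies_to(policy: Policy, groups: FrozenSet[str]) -> bool:
    """A policy applies when its user set is ALL or overlaps the user's groups."""
    return policy.users == ALL or bool(policy.users & groups)


def evaluate(policies: List[Policy], realm: str, groups: Iterable[str]) -> Tuple[str, Optional[str]]:
    """Simplified authorization (assumed order, not the real Policy Server's).

    Returns ("allow", None) if any applicable policy has a web-action rule for the
    realm; otherwise ("deny", redirect) where redirect is the OnReject response of the
    first applicable policy with an on_access_reject rule for the realm, or None.
    """
    user_groups = frozenset(groups)
    for p in policies:
        if applies_to(p, user_groups) and any(
            r.realm == realm and r.event == "web_action" for r in p.rules
        ):
            return ("allow", None)
    for p in policies:
        if applies_to(p, user_groups) and any(
            r.realm == realm and r.event == "on_access_reject" for r in p.rules
        ):
            return ("deny", p.reject_redirect)
    return ("deny", None)


IIS, OHS = "/iisresource", "/ohsresource"
REDIRECT = "AuthFailure/AuthFailure.htm"

# Accept policies as described in the thread: one group per realm, GET/POST rule only.
ACCEPT_IIS = Policy("Accept_Policy_IIS", frozenset({"GroupA"}), (Rule(IIS, "web_action"),))
ACCEPT_OHS = Policy("Accept_Policy_OHS", frozenset({"GroupB"}), (Rule(OHS, "web_action"),))

# Correct grouping: the reject policy holds only OnAccessReject rules, Users = ALL.
REJECT_ONLY = Policy(
    "azreject_policy_PolicyDomainA", ALL,
    (Rule(IIS, "on_access_reject"), Rule(OHS, "on_access_reject")), REDIRECT,
)
CORRECT_POLICIES = [ACCEPT_IIS, ACCEPT_OHS, REJECT_ONLY]

# The mistake reported in the thread: GET/POST rules added to the ALL-users reject policy.
REJECT_WITH_GET_POST = Policy(
    "azreject_policy_PolicyDomainA", ALL,
    (Rule(IIS, "web_action"), Rule(OHS, "web_action"),
     Rule(IIS, "on_access_reject"), Rule(OHS, "on_access_reject")), REDIRECT,
)
BROKEN_POLICIES = [ACCEPT_IIS, ACCEPT_OHS, REJECT_WITH_GET_POST]


if __name__ == "__main__":
    # A GroupA user (authorized for IIS only) requesting the OHS realm under each layout.
    for label, policies in (("correct", CORRECT_POLICIES), ("broken", BROKEN_POLICIES)):
        print(f"{label}: GroupA -> {OHS}: {evaluate(policies, OHS, {'GroupA'})}")
```

Run it directly to see the two outcomes side by side: with the correct layout a GroupA user is denied on /ohsresource and sent to AuthFailure/AuthFailure.htm, while with the broken layout the same user is allowed in, which is exactly the "unauthorized users were also getting access" symptom. Without any reject policy the user is still denied, but no redirect is returned, so the agent falls back to its default behaviour.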
Hi Hubert, Thanks a lot for the explanation.
We are using a Global Policy for OnAuthReject with a Global Rule and Global Response, and it is working fine as expected for the federation partnership (protecting the redirect JSP) and the reverse proxy application (protecting the SPS Agent). When an unauthorized user tries to access the federation site for the very first time, they are forwarded to the error page mentioned in the global response, BUT when the same user tries to access the same federation site a second time in the same browser, he successfully gets in.
This behavior is pretty strange and difficult to catch. This is only happening with the protected federation partnership and not with the protected reverse proxy application (CA Access Gateway).