Logon Items¶
The logon item enables presenting a response page or logon screen to a user. Logon screens display input fields and messages in some cases. The items that present a logon screen accept user input and store it in session variables for use in another Access policy item; typically, that is an authentication item, which usually follows a logon item in an Access policy.
Refer to Create Access policy for the OpenAPI specification document.
HTTP 401 Response¶
The HTTP 401 response indicates that the request requires authentication. The HTTP Response item creates an HTTP 401 response page. With it, a per-session policy can send an HTTP 401 Authorization Required response page to capture HTTP basic or negotiate authentication. For a per-request policy subroutine, HTTP 401 Response supports HTTP Basic authentication only.
The HTTP 401 Response item provides up to three branches: basic, negotiate, and fallback. Typically, a basic type of authentication follows on the basic branch, and a Kerberos Auth item follows on the negotiate branch.
Example: The following example shows HTTP 401 Response objects in an Access policy.
```json
{
  "languages": [ "en" ],
  "defaultLanguage": "en",
  "start": {
    "caption": "HTTP 401 Response",
    "itemType": "http-401-response",
    "basicAuthRealm": "apmauto.com",
    "http401AuthLevel": "basic",
    "nextItems": [
      {
        "caption": "Basic",
        "itemType": "allow",
        "expression": "expr {[string tolower [mcget {session.logon.last.authtype}]] == \"basic\"}",
        "name": "Allow"
      },
      {
        "caption": "Negotiate",
        "itemType": "deny",
        "expression": "expr {[string tolower [mcget {session.logon.last.authtype}]] == \"negotiate\"}",
        "name": "Deny"
      },
      {
        "caption": "fallback",
        "itemType": "deny",
        "name": "Deny"
      }
    ]
  }
}
```
The table below lists the HTTP 401 Response configuration objects:
Object | Type | Description |
---|---|---|
itemType | string | Specifies the BIG-IP Next Access policy item. For the HTTP 401 Response item, the value is http-401-response. This is a required setting. |
name | string | Specifies the name of the Access policy item. |
caption | string | Specifies a human-readable description of the policy branch. |
expression | string | Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, Access obtains session variables from the system memory using the Tcl command mcget. The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string. For example, "expression": "return {1800}", "expression": "return {Hello World}", "expression": "expr { "[mcget session.custom.value1] + [mcget session.custom.value2]" }", "expression": "expr { "[mcget {session.logon.last.domain}]\[mcget {session.logon.last.username}]" }", and "expression": "expr {1800}". For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html. For a list of session variables, refer to Reference: Session Variables. |
customization | array | Specifies an array of customization objects to customize the messages on the HTTP 401 response page. This is a required setting. For object details, refer to the Logon page with customization section. |
nextItems | array | Specifies the different branches for the BIG-IP Next Access policy item. This is a required setting. |
basicAuthRealm | string | Specifies the authentication realm for use with Basic authentication. |
http401AuthLevel | string | Specifies the authentication required for the policy. Valid values are: |
HTTP 407 Response¶
The HTTP 407 response indicates that the request requires proxy authentication. The HTTP 407 response item creates an HTTP 407 response page. With it, you can send an HTTP 407 Authorization Required response page to capture HTTP basic or negotiate authentication in the per-session policy.
The HTTP 407 Response item provides three branches: basic, negotiate, and fallback. Typically, a basic type of authentication follows on the basic branch, and a Kerberos Auth item follows on the negotiate branch.
Example: The following example shows HTTP 407 Response objects in an Access policy.
```json
{
  "languages": [ "en" ],
  "defaultLanguage": "en",
  "start": {
    "caption": "HTTP 407 Response",
    "itemType": "http-407-response",
    "basicAuthRealm": "apmauto.com",
    "http401AuthLevel": "basic",
    "nextItems": [
      {
        "caption": "Basic",
        "itemType": "allow",
        "expression": "expr {[string tolower [mcget {session.logon.last.authtype}]] == \"basic\"}",
        "name": "Allow"
      },
      {
        "caption": "Negotiate",
        "itemType": "deny",
        "expression": "expr {[string tolower [mcget {session.logon.last.authtype}]] == \"negotiate\"}",
        "name": "Deny"
      },
      {
        "caption": "fallback",
        "itemType": "deny",
        "name": "Deny"
      }
    ]
  }
}
```
The table below lists the HTTP 407 Response configuration objects:
Object | Type | Description |
---|---|---|
itemType | string | Specifies the BIG-IP Next Access policy item. For the HTTP 407 Response item the value is http-407-response. This is a required setting. |
name | string | Specifies the name of the Access policy item. |
caption | string | Specifies a human-readable description of the policy branch. |
expression | string | Specifies the Tcl expression. The mcget command is an abbreviation for "get the session variable from the memory cache." When evaluating a branch rule, Access obtains session variables from the system memory using the Tcl command mcget. The Tcl expression can also contain one or more expressions (expr) or return commands. An expr command evaluates an expression and returns the result. A return command simply returns the result, and can be used to set the variable to a numeric value or string. For example, "expression": "return {1800}", "expression": "return {Hello World}", "expression": "expr { "[mcget session.custom.value1] + [mcget session.custom.value2]" }", "expression": "expr { "[mcget {session.logon.last.domain}]\[mcget {session.logon.last.username}]" }", and "expression": "expr {1800}". For details on Tcl expressions, refer to https://www.tcl.tk/man/tcl8.5/TclCmd/expr.html. For a list of session variables, refer to Reference: Session Variables. |
customization | array | Specifies an array of customization objects to customize the messages on the HTTP 401 response page. This is a required setting. For object details, refer to the Logon page with customization section. |
nextItems | array | Specifies the different branches for the BIG-IP Next Access policy item. This is a required setting. |
basicAuthRealm | string | Specifies the authentication realm for use with Basic authentication. |
http401AuthLevel | string | Specifies the authentication required for the policy. Valid values are: |
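As an added example (not part of the F5 documentation), the following Python evaluates which nextItems branch an HTTP 401 Response or HTTP 407 Response item takes for a given session.logon.last.authtype, using the 401 item from the example above as constructed input. It assumes that branches are tried in nextItems order, that a branch without an expression is unconditional, and that mcget of an unset session variable yields an empty string.

```python
import json
import re

# Constructed sample: the HTTP 401 Response item shown on this page (the
# HTTP 407 item has the same branch shape). Its expressions are JSON-escaped.
HTTP_401_ITEM = json.loads(r'''{
  "caption": "HTTP 401 Response",
  "itemType": "http-401-response",
  "basicAuthRealm": "apmauto.com",
  "http401AuthLevel": "basic",
  "nextItems": [
    {"caption": "Basic", "itemType": "allow", "name": "Allow",
     "expression": "expr {[string tolower [mcget {session.logon.last.authtype}]] == \"basic\"}"},
    {"caption": "Negotiate", "itemType": "deny", "name": "Deny",
     "expression": "expr {[string tolower [mcget {session.logon.last.authtype}]] == \"negotiate\"}"},
    {"caption": "fallback", "itemType": "deny", "name": "Deny"}
  ]
}''')

# The one branch-rule shape this page uses:
#   expr {[string tolower [mcget {session.var}]] == "literal"}
BRANCH_RULE = re.compile(
    r'^expr \{\[string tolower \[mcget \{([\w.]+)\}\]\] == "([^"]*)"\}$')

def rule_matches(expression, session):
    """Evaluate one branch rule against a dict of session variables.
    Only the tolower/mcget/== shape is supported; any other rule raises
    rather than being silently treated as false. Assumption: mcget of an
    unset variable returns the empty string, which is what .get defaults to."""
    m = BRANCH_RULE.match(expression)
    if not m:
        raise ValueError(f"unsupported branch rule: {expression}")
    var, literal = m.groups()
    return session.get(var, "").lower() == literal

def select_branch(item, session):
    """Return (caption, itemType) of the first branch whose rule holds.
    Branches are tried in nextItems order and a branch with no expression
    is unconditional, so a fallback placed before the conditional branches
    would shadow them: keep it last."""
    for branch in item["nextItems"]:
        expr = branch.get("expression")
        if expr is None or rule_matches(expr, session):
            return branch["caption"], branch["itemType"]
    raise LookupError("no branch matched and no fallback branch present")
```

Because the rule lower-cases the variable before comparing, "Basic" and "BASIC" both take the basic branch, while an unset authtype falls through to the fallback branch.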
Logon page with customization¶
The Logon page item is required for any per-session policy that uses an external AAA server to authenticate the user's credentials. It provides a logon page to the user and prompts for a username and password or other identifying information. The Logon page item typically precedes the authentication action that checks the credentials provided on the logon page.
To create a logon page, define the fields property in the BIG-IP Next Access policy.
Example: The following example shows the fields property.
```json
"fields": [
  {
    "type": "select",
    "postVarName": "provider",
    "sessVarName": "provider",
    "selectValues": "Google Microsoft Amazon",
    "modifiable": true,
    "cleanSessVar": false
  },
  {
    "type": "text",
    "postVarName": "username",
    "sessVarName": "username",
    "selectValues": "",
    "modifiable": true,
    "cleanSessVar": false
  },
  {
    "type": "password",
    "postVarName": "password",
    "sessVarName": "password",
    "selectValues": "",
    "modifiable": true,
    "cleanSessVar": false
  }
],
```
The table below lists the objects for Logon page configuration:
Object | Type | Description |
---|---|---|
type | any | Specifies the form field type. Valid values are "none", "text", "password", "select", "checkbox", "radio", and "button". |
postVarName | string | Specifies the variable name that is prepended to the data typed in the text field. For example, the POST variable 'username' sends the username input 'omaas' as the POST string 'username=omaas'. |
sessVarName | string | Specifies the session (or subsession) variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string 'session.logon.last.username=omaas'. |
selectValues | string | Specifies the values for a select or radio type logon page input field. |
modifiable | boolean | Specifies whether the logon page input field is read-only, and always used in the logon process as specified. You can use this to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this per-session policy. |
cleanSessVar | boolean | Specifies whether to clear any value from the variable before presenting the logon page to the user. The default value is false. |
Customize Logon page¶
Use the customization property to customize settings for logon pages that appear in web browsers and on mobile devices. BIG-IP Next Access supports Modern customization, which provides a contemporary look, a responsive design, and many Standard customization features.
You can personalize the logon page by changing the layout, look and feel of objects and images, and customizing the form header, logon, and input fields text.
Example: The following example shows the customization property.
```json
"customization": [
  {
    "language": "en",
    "strings": {
      "formHeader": "IDP selection page for f5demo application",
      "logonField_1": "Identity Provider",
      "selectvalues_1": "first-idp=>First IDP;second-idp=>Second IDP"
    }
  }
],
```
The table below lists the objects for customizing logon page:
Object | Type | Description |
---|---|---|
language | string | Specifies the language to use to customize the logon page. ISO 639-1 language codes should be used. |
strings | object | Customizable strings and settings for the logon page. The strings object contains the following keys: |
formHeader | string | Specifies the text that displays above the form. |
| | string | Specifies the text to display for each logon page input field (number 1 through 5). |
| | string | Specifies the localized text for any input field (number 1 to 5). |
| | string | Specifies the text that appears on the logon button. |
| | string | Specifies the default title of the page. |
| | string | Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. |
| | string | Specifies the prompt displayed when a new Active Directory password is requested. |
| | string | Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested. |
| | string | Specifies the prompt displayed when a new Active Directory password and the verification password do not match. |
| | string | Specifies the message that is displayed to the user when they need to change the password. |
| | string | Specifies the prompt displayed when a user should not change the password. |
| | string | Specifies the HTTP 401 response message. |
| | string | Specifies the text to display in a link for a user who is already logged on. |
| | string | Specifies the message to be displayed on the VMware View logon page. |
| | string | Specifies a possible response to a logon page query or challenge. |
| | string | Specifies a possible response to a logon page query or challenge. |
| | string | Specifies an image file to display on the logon page. |
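As an added example, not part of the F5 documentation, this Python joins the fields array from the Logon page section with a customization entry into a per-language form model and then checks a submitted POST against that model, the kind of check a server must make before copying posted values into session.logon.last.* variables. The sample fields and strings are constructed; it assumes that logonField_N and selectvalues_N apply to field N (1-based) and that selectvalues_N relabels choices without adding values the field does not list.

```python
# Constructed sample in the shape this page documents: a "fields" array and
# one "customization" entry. Assumption: logonField_N / selectvalues_N apply
# to field N (1-based), and session variables live under session.logon.last.
FIELDS = [
    {"type": "select", "postVarName": "provider", "sessVarName": "provider",
     "selectValues": "first-idp second-idp", "modifiable": True, "cleanSessVar": False},
    {"type": "text", "postVarName": "username", "sessVarName": "username",
     "selectValues": "", "modifiable": True, "cleanSessVar": False},
    {"type": "password", "postVarName": "password", "sessVarName": "password",
     "selectValues": "", "modifiable": True, "cleanSessVar": False},
]
CUSTOMIZATION = [{"language": "en", "strings": {
    "formHeader": "IDP selection page for f5demo application",
    "logonField_1": "Identity Provider",
    "selectvalues_1": "first-idp=>First IDP;second-idp=>Second IDP",
    "logonField_2": "Username", "logonField_3": "Password"}}]

def parse_select_values(text):
    """'value=>Label;value=>Label' (customization format) -> {value: label};
    a plain space-separated list (fields-level format) maps each value to itself."""
    if "=>" in text:
        pairs = (p.split("=>", 1) for p in text.split(";") if p.strip())
        return {v.strip(): label.strip() for v, label in pairs}
    return {v: v for v in text.split()}

def form_model(fields, customization, language):
    """Join each field with the strings for one language; unknown languages
    fall back to the raw postVarName as label and the field's own values."""
    strings = next((c["strings"] for c in customization
                    if c["language"] == language), {})
    model = []
    for n, f in enumerate(fields, start=1):
        options = parse_select_values(f.get("selectValues", ""))
        labels = parse_select_values(strings.get(f"selectvalues_{n}", ""))
        model.append({"post": f["postVarName"], "type": f["type"],
                      "session": "session.logon.last." + f["sessVarName"],
                      "label": strings.get(f"logonField_{n}", f["postVarName"]),
                      "options": {v: labels.get(v, v) for v in options}})
    return model

def check_submission(model, post):
    """Errors a server-side check of the POSTed form should report: a select or
    radio value outside the configured choices, or an empty text/password field.
    A rendered <select> does not constrain what the client actually sends."""
    errors = []
    for item in model:
        value = post.get(item["post"], "")
        if item["type"] in ("select", "radio") and value not in item["options"]:
            errors.append(f"{item['post']}: {value!r} is not a configured choice")
        elif item["type"] in ("text", "password") and not value:
            errors.append(f"{item['post']}: empty")
    return errors
```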