Logon Rules
Logon rules present a response page or logon screen to a user. A logon screen displays input fields and, in some cases, messages. These rules present the logon screen, accept user input, and store it in session variables for use in another Access policy rule; typically, that is an authentication rule, which usually follows a logon rule in an Access policy.
HTTP 401 Response
Use this rule when a request requires authentication. The HTTP 401 Response rule creates an HTTP 401 response page. With it, a per-session policy can send an HTTP 401 Authorization Required response page to capture HTTP basic or negotiate authentication. For a per-request policy subroutine, HTTP 401 Response supports HTTP Basic authentication only. The HTTP 401 Response rule provides up to three branches: basic, negotiate, and fallback. Typically, a basic type of authentication follows on the basic branch, and a Kerberos Auth rule follows on the negotiate branch.
When you use this rule, you configure the following fields:
Field | Description |
---|---|
Name | Specify the name of the rule. |
Basic Auth Realm | Specify the authentication realm for use with Basic authentication. |
HTTP Auth Level | Specify the authentication level required for the policy. Valid values are:
|
Language | Specify the language in which you want the response page text to render. Use ISO 639-1 language codes. |
HTTP response message | Specify the response message that you want to display as part of the authentication challenge. |
HTTP 407 Response
Use this rule when a request requires proxy authentication. The HTTP 407 Response rule creates an HTTP 407 response page. With it, you can send an HTTP 407 Authorization Required response page to capture HTTP basic or negotiate authentication in the per-session policy. This rule provides three branches: basic, negotiate, and fallback. Typically, a basic type of authentication follows on the basic branch, and a Kerberos Auth rule follows on the negotiate branch.
When you use this rule, you configure the following fields:
Field | Description |
---|---|
Name | Specify the name of the rule. |
Basic Auth Realm | Specify the authentication realm for use with Basic authentication. |
HTTP Auth Level | Specify the authentication level required for the policy. Valid values are:
|
Language | Specify the language in which you want the response page text to render. Use ISO 639-1 language codes. |
Logon Page Input Field (1-5) | Specify the text to display for each logon page input field you plan to use (number 1 through 5). |
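The branch selection described for the HTTP 401 Response and HTTP 407 Response rules, modelled in Python as an added example (not the product's code and not part of the original page): it builds the challenge headers from a realm and maps the client's reply to the basic, negotiate, or fallback branch. The function names, the `schemes` parameter, the sample requests, and the choice to send missing or malformed credentials to fallback are assumptions.

```python
import base64
import binascii

# Challenge / credential header names per status code (RFC 9110).
HEADERS = {401: ("WWW-Authenticate", "Authorization"),
           407: ("Proxy-Authenticate", "Proxy-Authorization")}


def build_challenge(status, realm, schemes=("Negotiate", "Basic")):
    """Header lines for the challenge; only Basic carries the realm."""
    name = HEADERS[status][0]
    quoted = realm.replace("\\", "\\\\").replace('"', '\\"')
    return [(name, f'Basic realm="{quoted}"' if s == "Basic" else s)
            for s in schemes]


def select_branch(status, request_headers):
    """Return (branch, credentials) for the client's reply to the challenge."""
    wanted = HEADERS[status][1].lower()
    value = next((v for k, v in request_headers.items()
                  if k.lower() == wanted), "")
    scheme, _, blob = value.strip().partition(" ")
    blob = blob.strip()
    if scheme.lower() == "negotiate" and blob:
        return "negotiate", blob      # raw token, checked later by Kerberos auth
    if scheme.lower() == "basic" and blob:
        try:
            decoded = base64.b64decode(blob, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return "fallback", None   # malformed Base64 or not UTF-8
        user, sep, password = decoded.partition(":")  # password may contain ':'
        if sep and user:
            return "basic", (user, password)
    return "fallback", None           # no usable credentials were sent


# Constructed sample requests (not captured traffic).
SAMPLES = [
    (401, {"Authorization": "Basic " + base64.b64encode(b"jsmith:p:w").decode()}),
    (407, {"Proxy-Authorization": "Negotiate YIIConstructedToken=="}),
    (401, {"Authorization": "Basic not-base64!"}),
    (407, {"Authorization": "Basic " + base64.b64encode(b"jsmith:x").decode()}),
]

if __name__ == "__main__":
    print(build_challenge(401, "Example Realm"))
    for status, headers in SAMPLES:
        print(status, select_branch(status, headers)[0])
```

Basic credentials are only Base64-encoded, so anything on the path can recover the password unless the challenge and the reply travel over TLS.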
Logon Page
This rule presents a form to prompt for user name and password, or other identifying information. A Logon page typically precedes the authentication rule that checks the credentials provided on the logon page.
Rule Properties page
This page displays when you first begin to configure this rule in the VPD workspace.
Field | Description |
---|---|
Name | Specify the name of the logon rule. |
Split domain from full Username | Specify whether you want the username to be split from the domain. That is, when a username and domain combination is submitted (for example, marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, jsmith) is stored in the session variable session.logon.last.username. |
Logon Page Inputs | Use the controls in this area to specify the fields to display on the logon page to prompt for input.
|
Customization
After you click Save & Continue on the Rule Properties page, this page displays.
Field | Description |
---|---|
Language | Specify the language to use to customize the logon page. Use ISO 639-1 language codes. |
Form Header Text | Specify the text that appears at the top of the logon box. |
Custom Page Title | Specify the title of the page. |
Logon Button | Specify the text that appears on the logon button, which a user clicks to post the defined logon rules. |
Save Password Checkbox | Specify the text that appears adjacent to the check box that allows users to save their passwords in the logon form. |
New Password Prompt | Specify the prompt that displays when a new Active Directory password is requested. |
Confirm Password Prompt | Specify the prompt that displays to confirm the new password when a new Active Directory password is requested. |
Password and Confirmation do not Match | Specify the prompt that displays when a new Active Directory password and verification password do not match. |
Change Password | Specify the message that displays to the user when they need to change the password. |
Don't Change Password | Specify the prompt that displays when a user should not change the password. |
Logon Page Original URL | Specify the text to display in a link for a user who is already logged on. |
Yes | Specify the text to display to signify a positive response. |
No | Specify the text to display to signify a negative response. |
Input Fields | Specify the text to display for each logon page input field (number 1 through 5). |