Manual Chapter: Setting gating criteria to run step-up authentication more than once per session
Applies To:
BIG-IP APM
- 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0
A subroutine creates a subsession for each distinct gating criteria value. By default, gating criteria for a subroutine is set to blank and the subroutine runs once. To base step-up authentication on distinct values dynamically set in a variable, you configure a perflow variable as the gating criteria.

If you set the gating criteria to a perflow variable that is populated by an agent, you must place that agent before the subroutine call in the per-request policy. Otherwise, the gating criteria does not contain a valid value, the subroutine returns an error, and step-up authentication does not run.
- Open the per-request policy for editing.
- Expand the subroutine.
- Click Subroutine Settings/Rename.
- Put your cursor in the Gating Criteria field and select one entry from the list.
  If you type in the Gating Criteria field, variables display that match the string you type.
  You can base step-up authentication on custom values or on values provided by specific agents. Some examples follow.
  Use these perflow variables for application data from Application Lookup:
  - perflow.application_lookup.result.effective_application
  - perflow.application_lookup.result.effective_family
  - perflow.application_lookup.result.families
  - perflow.application_lookup.result.names
  - perflow.application_lookup.result.primary_application
  - perflow.application_lookup.result.primary_family
  These are custom values that you must populate with Variable Assign:
  - perflow.custom
  - perflow.scratchpad
  These values are automatically populated:
  - perflow.category_lookup.result.hostname
  - perflow.category_lookup.result.url
  - perflow.username (Username typically won't change)
  These values contain URL data, available with an SWG subscription, that you must populate with Category Lookup:
  - perflow.category_lookup.result.categories
  - perflow.category_lookup.result.effective_category
  - perflow.category_lookup.result.filter_name
  - perflow.category_lookup.result.numcategories
  - perflow.category_lookup.result.numcustomcategories
  - perflow.category_lookup.result.primarycategory
  This value contains URL data, available with or without an SWG subscription, that you must populate with Category Lookup:
  - perflow.category_lookup.result.customcategories
  This value contains a pool name that you must populate with Pool Assign:
  - perflow.resource_assign_pool.name
  This value contains a protocol type (HTTP or HTTPS) that you must populate with Protocol Lookup:
  - perflow.protocol_lookup.result
  This value defaults to False; can be set to True with SSL Bypass Set (or set to False with SSL Intercept Set):
  - perflow.ssl_bypass.set
  This value is automatically populated and does not change. When this variable is selected, step-up authentication will run once:
  - perflow.session.id
  Any perflow variable with application_lookup in its name is for an application name or family that you must populate with Application Lookup.
- Click Save.
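
To estimate how often users will be prompted for a given gating criteria choice, the following added example (a simplified Python model, not F5 code or configuration) replays constructed requests through a subroutine call. It assumes authentication always succeeds and ignores subsession timeouts; the class, function, URLs and category names are hypothetical.

```python
# Simplified model of the gating-criteria behaviour described above.
# Not F5 code. Assumptions: authentication always succeeds and
# subsession timeouts are ignored.

class StepUpSubroutine:
    def __init__(self, gating_criteria=""):
        self.gating_criteria = gating_criteria  # "" is the default (blank)
        self.subsessions = {}                   # gating value -> cached result
        self.auth_runs = 0                      # times step-up auth actually ran

    def call(self, perflow):
        if self.gating_criteria == "":
            value = ""                          # blank: one subsession, runs once
        else:
            value = perflow.get(self.gating_criteria)
            if not value:
                return "error"                  # no valid value: step-up does not run
        if value not in self.subsessions:       # new distinct value: new subsession
            self.auth_runs += 1
            self.subsessions[value] = "authenticated"
        return self.subsessions[value]

URL = "perflow.category_lookup.result.url"
CATEGORY = "perflow.category_lookup.result.effective_category"

# Constructed sample traffic: 3 distinct URLs in 2 categories.
REQUESTS = [
    {"url": "https://hr.example.test/payroll", "category": "Finance"},
    {"url": "https://hr.example.test/payroll", "category": "Finance"},
    {"url": "https://hr.example.test/benefits", "category": "Finance"},
    {"url": "https://wiki.example.test/", "category": "Reference"},
]

def replay(requests, gating_criteria, category_lookup_before_call):
    """Return (step-up runs, per-request subroutine results)."""
    sub = StepUpSubroutine(gating_criteria)
    results = []
    for req in requests:
        # session.id and url are populated automatically
        perflow = {"perflow.session.id": "constructed-session-1", URL: req["url"]}
        if category_lookup_before_call:         # agent placed before the call
            perflow[CATEGORY] = req["category"]
        results.append(sub.call(perflow))
    return sub.auth_runs, results

if __name__ == "__main__":
    for gating, placed in [("", True), ("perflow.session.id", True),
                           (URL, False), (CATEGORY, True), (CATEGORY, False)]:
        print(repr(gating), "lookup before call:", placed, replay(REQUESTS, gating, placed))
```

The last case is the misordered policy: with Category Lookup placed after the subroutine call, every call returns an error and step-up authentication never runs.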