Manual Chapter : Setting gating criteria to run step-up authentication more than once per session

Applies To:


BIG-IP APM

  • 15.1.10, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3

A subroutine creates a subsession for each distinct gating criteria value. By default, gating criteria for a subroutine is set to blank and the subroutine runs once. To base step-up authentication on distinct values dynamically set in a variable, you configure a perflow variable as the gating criteria.
If you set the gating criteria to a perflow variable that is populated by an agent, you must place that agent before the subroutine call in the per-request policy. Otherwise, the gating criteria does not contain a valid value, the subroutine returns an error, and step-up authentication does not run.
  1. Open the per-request policy for editing.
  2. Expand the subroutine.
  3. Click Subroutine Settings/Rename.
  4. Put your cursor in the Gating Criteria field and select one entry from the list.
    If you type in the Gating Criteria field, variables display that match the string you type.
    You can base step-up authentication on custom values or on values provided by specific agents. Some examples follow.
    Use these perflow variables for application data from Application Lookup:
    • perflow.application_lookup.result.effective_application
    • perflow.application_lookup.result.effective_family
    • perflow.application_lookup.result.families
    • perflow.application_lookup.result.names
    • perflow.application_lookup.result.primary_application
    • perflow.application_lookup.result.primary_family
    These are custom values that you must populate with Variable Assign:
    • perflow.custom
    • perflow.scratchpad
    These values are automatically populated:
    • perflow.category_lookup.result.hostname
    • perflow.category_lookup.result.url
    • perflow.username
      (Username typically won't change)
    These values contain URL data, available with an SWG subscription, that you must populate with Category Lookup:
    • perflow.category_lookup.result.categories
    • perflow.category_lookup.result.effective_category
    • perflow.category_lookup.result.filter_name
    • perflow.category_lookup.result.numcategories
    • perflow.category_lookup.result.numcustomcategories
    • perflow.category_lookup.result.primarycategory
    This value contains URL data, available with or without an SWG subscription, that you must populate with Category Lookup:
    • perflow.category_lookup.result.customcategories
    This value contains a pool name that you must populate with Pool Assign:
    • perflow.resource_assign_pool.name
    This value contains a protocol type (HTTP or HTTPS) that you must populate with Protocol Lookup:
    • perflow.protocol_lookup.result
    This value defaults to False; can be set to True with SSL Bypass Set (or set to False with SSL Intercept Set):
    • perflow.ssl_bypass.set
    This value is automatically populated and does not change. When this variable is selected, step-up authentication will run once:
    • perflow.session.id
    Any perflow variable with application_lookup in its name is for an application name or family that you must populate with Application Lookup.
  5. Click Save.
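
The following added example is a simplified Python model, not F5 code, of how the choice of gating criteria determines how often step-up authentication runs in one session. It assumes subsessions do not expire during the modelled session; the class and function names and the sample hostnames and session ID are constructed for illustration.

```python
# Simplified model of per-request policy gating (illustration only, not F5 code).
# Assumption: subsessions never expire during the session being modelled.

class GatingError(Exception):
    """Raised when the gating variable has no valid value at the subroutine call."""

class Session:
    def __init__(self, gating_criteria=""):
        self.gating_criteria = gating_criteria  # "" models the blank default
        self.subsessions = set()                # one entry per distinct gating value
        self.auth_runs = 0                      # times step-up authentication ran

    def call_subroutine(self, perflow):
        """Model one subroutine call; return True if step-up auth ran."""
        if self.gating_criteria == "":
            key = ""                            # blank: one subsession for the session
        else:
            key = perflow.get(self.gating_criteria)
            if not key:
                # The populating agent was not placed before the subroutine call.
                raise GatingError(f"{self.gating_criteria} has no valid value")
        if key in self.subsessions:
            return False                        # existing subsession is reused
        self.subsessions.add(key)
        self.auth_runs += 1
        return True

def count_step_ups(gating_criteria, requests):
    """Replay the requests through one session and count step-up runs."""
    session = Session(gating_criteria)
    for perflow in requests:
        session.call_subroutine(perflow)
    return session.auth_runs

# Constructed sample: perflow variables as they might look on four requests.
HOST = "perflow.category_lookup.result.hostname"
SAMPLE_REQUESTS = [
    {"perflow.session.id": "a1b2", HOST: "hr.example.com"},
    {"perflow.session.id": "a1b2", HOST: "hr.example.com"},
    {"perflow.session.id": "a1b2", HOST: "pay.example.com"},
    {"perflow.session.id": "a1b2", HOST: "hr.example.com"},
]

if __name__ == "__main__":
    for criteria in ("", "perflow.session.id", HOST):
        print(repr(criteria), "->", count_step_ups(criteria, SAMPLE_REQUESTS), "step-up run(s)")
```

In this model, `perflow.custom` is absent from the sample requests, so selecting it as the gating criteria raises `GatingError`, matching the case where Variable Assign is not placed before the subroutine call.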