Manual Chapter : Configuring URL branching for step-up authentication

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 15.1.10, 15.1.9
Manual Chapter

Configuring URL branching for step-up authentication

Add a URL branching agent to a per-request policy or to a per-request policy subroutine to create simple branching rules based on URLs. You might use URL branching to run different types of step-up authentication for different URLs or to skip step-up authentication altogether for a group of URLs.
  1. Open the per-request policy for editing.
  2. To edit a per-request policy subroutine, expand it.
  3. In the per-request policy or in the per-request policy subroutine, in the branch where you want to add URL branching, click [+].
    The Add Item popup screen opens.
  4. On the Classification tab, select
    URL Branching
    and click
    Add Item
    .
    The Properties screen opens.
  5. Click the Branch Rules tab.
    The screen displays the default rule,
    Allow
    , and the expression,
    URL contains: domain.com
    .
  6. If you do not want a rule that matches a URL substring, delete the default rule; (click
    x
    ).
    The URL Branching agent can be configured to exactly match a URL, or to match a substring or a prefix or a suffix in a URL, or to perform glob pattern matching on a URL.
  7. If you want to replace the value (
    domain.com
    ) in the default rule:
    You can use AND and OR operators to configure expressions for your rules. For simplicity of illustration, the examples do not include these operators.
    1. Click the
      change
      link.
      An additional popup screen opens.
    2. In the
      URL contains
      field, delete
      domain.com
      , and type the substring that you want to match.
    3. Click
      Finished
      .
      The popup screen closes.
    4. If you have no more changes to make, click
      Save
      .
  8. To add a rule, click
    Add Branch Rule
    .
    1. In the
      Name
      field, replace the default name
      Branch Rule
      number
      with a name for the branch.
    2. For
      Expression: Empty
      , click the
      change
      link.
      A popup screen opens.
    3. Click
      Add Expression
      .
      Fields with default values display.
    4. For the
      Agent Sel
      field, select or retain
      URL Branching
      .
    5. For
      Condition
      , select one from the list.
      When you select a condition, a related input field displays.
    6. For
      Condition
      Equals
      in the
      URL is
      field, type the URL that you want to exactly match.
    7. For
      Condition
      Substring
      in the
      URL contains
      field, type the string that you want to match.
    8. For
      Condition
      Prefix Match
      in the
      URL begins with
      field, type the prefix that you want to match.
    9. For
      Condition
      Suffix Match
      in the
      URL ends with
      field, type the suffix that you want to match.
    10. For
      Condition
      Glob Match
      in the
      URL glob pattern
      field, type the globbing pattern that you want to match.
      URL branching supports these globbing patterns:
      • *
        Matches any number of characters (none or one or more).
      • ?
        Matches a single character in these sets: [a-z] or [0-9] or [A-Za-z].
      • [
        characters
        ]
        Matches one of the specified characters.
      • [^
        characters
        ]
        Matches any characters except for those specified.
      • [!
        characters
        ]
        Matches any characters except for those specified.
    11. Click
      Add Expression
      , then click
      Finished
      .
      The popup screen closes; the updated expression displays on the Branch Rules screen.
    12. Click
      Save
      .
      The popup screen closes; the visual policy editor displays.
The per-request policy or subroutine includes URL branching.
After the URL branch, you can add step-up authentication if that's what you are trying to do. In a per-request policy, you can insert a call to a subroutine after a URL branch. Or, in a subroutine, you can insert an authentication agent after a URL branch. Make sure to add the per-session and per-request policies to the virtual server.