Manual Chapter : Concepts to know for building step-up authentication policies

Applies To:


BIG-IP APM

  • 17.1.0

Concepts to know for building step-up authentication policies

Per-session policy
Runs once. Associated with an access profile, which specifies a session lifetime. Can be used to validate that a client satisfies corporate policy, establish user identity, establish policy behavior, and allow or deny access to a virtual server and the resources it protects. Establishes a session. Required.
Per-request policy
Runs each time the client makes an HTTP or HTTPS request during a session. Can determine whether to request step-up authentication, and to allow or reject a request. The purpose of this policy is to control access to the requested resource. Required.
Per-request policy macro
Groups agents. Keeps policy display clean and simple. Optional.
Per-request policy subroutine
A special macro that handles client interactions. Implements the step-up authentication policy. Establishes a subsession. Runs when no active subsession matches the expected identifying characteristics (subroutine name and any gating criteria). While a matching subsession exists, the subroutine does not run again; the user retains access to the resource and need not authenticate again. Required.
Subroutine settings
Specifies subsession lifetime; a loop count, which can be used if an authentication retry is needed; gating criteria; and other timeout values. Default values for these settings are provided when you configure a per-request policy subroutine; you can retain those values or change them.
Gating criteria
A subroutine setting. Specifies a criterion used to distinguish subsessions. A distinct subsession is created for each distinct gating criteria value. Gating criteria can be blank (a single value), set to a perflow variable (more than one possible value), or a Tcl expression. The default value is blank.
perflow.scratchpad and perflow.custom
Predefined custom variables. You can use these custom variables in a per-request policy or its components (macro, subroutine, subroutine macro) by setting the values before they are called. They are guaranteed not to be set by any agent. Use of these variables is optional.
Other predefined variables
Using the Variable Assign agent, you can populate additional predefined custom variables for use in a per-request policy, including Primary Category (perflow.category_lookup.result.primarycategory), Scratchpad (perflow.scratchpad), Custom (perflow.custom), Service Path (perflow.servicepath), and Endpoint Inspection Error Code (perflow.epi.error_code).
Subsession
Starts when a subroutine runs and continues until it reaches its maximum lifetime (a subroutine setting) or until the session terminates. Does not count against license limits. Populates subsession variables that persist throughout the subsession. Supports logging. Multiple subsessions can exist at the same time, up to a limit of 128 per access session. (When the 129th subsession is created, the first subsession is removed.)
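To make the subroutine and subsession rules above concrete (the gating criteria entry and this subsession entry), here is an added Python model. It is example code written for this page, not F5 APM code or its Tcl policy configuration: it keys subsessions on (subroutine name, gating criteria value), runs the subroutine only when no active subsession matches, expires subsessions after their maximum lifetime, and enforces the 128-per-access-session limit by removing the first subsession when the 129th is created. The subroutine name StepUp_MFA, the gating values, the time values and the run_subroutine stand-in for the subroutine's agents are constructed assumptions; loop count and the other timeout values are not modeled.

```python
"""Model of APM per-request subroutine / subsession semantics (added example)."""
from dataclasses import dataclass, field

MAX_SUBSESSIONS = 128  # per-access-session limit stated on the page


@dataclass
class Subsession:
    subroutine: str          # subroutine name
    gating_value: str        # evaluated gating criteria ("" when criteria are blank)
    created_at: float        # seconds (constructed clock)
    lifetime: float          # subsession maximum lifetime (subroutine setting)
    variables: dict = field(default_factory=dict)  # subsession variables

    def active(self, now: float) -> bool:
        return now < self.created_at + self.lifetime


class AccessSession:
    """One per-session (access profile) session holding its subsessions."""

    def __init__(self):
        self.subsessions = []   # list order == creation order
        self.subroutine_runs = 0

    def _find(self, subroutine, gating_value, now):
        # Expired subsessions no longer count as matches.
        self.subsessions = [s for s in self.subsessions if s.active(now)]
        for s in self.subsessions:
            if s.subroutine == subroutine and s.gating_value == gating_value:
                return s
        return None

    def request(self, subroutine, gating_value, now, lifetime, run_subroutine):
        """One per-request policy evaluation that reaches `subroutine`.

        `run_subroutine` is a hypothetical stand-in for the agents inside the
        subroutine (e.g. an MFA prompt); it returns the subsession variables to
        persist. Returns (subsession, ran) where ran says whether the user was
        actually put through the subroutine on this request.
        """
        existing = self._find(subroutine, gating_value, now)
        if existing is not None:
            return existing, False            # matching subsession: no re-auth
        self.subroutine_runs += 1
        variables = run_subroutine()
        if len(self.subsessions) >= MAX_SUBSESSIONS:
            self.subsessions.pop(0)           # 129th creation removes the first
        sub = Subsession(subroutine, gating_value, now, lifetime, variables)
        self.subsessions.append(sub)
        return sub, True


def demo():
    """Walk through blank vs. variable gating criteria and lifetime expiry."""
    sess = AccessSession()
    mfa = lambda: {"subsession.mfa.result": "ok"}   # constructed stand-in
    # Blank gating criteria: a single value, so one subsession per subroutine.
    _, blank_first = sess.request("StepUp_MFA", "", 0, 300, mfa)
    _, blank_repeat = sess.request("StepUp_MFA", "", 10, 300, mfa)
    # Gating criteria set to a perflow variable (here: a URL category value):
    # each distinct value gets its own subsession, so each is authenticated once.
    _, finance_first = sess.request("StepUp_MFA", "Finance", 20, 300, mfa)
    _, hr_first = sess.request("StepUp_MFA", "HR", 30, 300, mfa)
    _, finance_repeat = sess.request("StepUp_MFA", "Finance", 40, 300, mfa)
    # The blank-value subsession created at t=0 with lifetime 300 has expired
    # by t=301, so the subroutine runs again and a new subsession is created.
    _, blank_after_expiry = sess.request("StepUp_MFA", "", 301, 300, mfa)
    return {
        "blank_first": blank_first, "blank_repeat": blank_repeat,
        "finance_first": finance_first, "hr_first": hr_first,
        "finance_repeat": finance_repeat, "blank_after_expiry": blank_after_expiry,
        "runs": sess.subroutine_runs, "active": len(sess.subsessions),
    }


def fill_to_cap():
    """Create 129 distinct subsessions; the first one is removed at the 129th."""
    sess = AccessSession()
    for i in range(MAX_SUBSESSIONS + 1):
        sess.request("StepUp_MFA", f"value-{i}", i, 10_000, lambda: {})
    return len(sess.subsessions), sess.subsessions[0].gating_value


if __name__ == "__main__":
    print(demo())
    print(fill_to_cap())
```

The model shows why gating criteria matter for the user experience: with blank criteria a user who has passed step-up once keeps access for the whole subsession lifetime, while a perflow-variable criterion such as a category value prompts once per distinct value.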
Per-request policy subroutine macro
Groups agents. Keeps policy display clean and simple. Optional.