A Protocol Lookup item determines whether the protocol of the request is HTTP or HTTPS. It provides two default branches: HTTPS and fallback. Use the Protocol Lookup item early in a per-request policy to process HTTPS traffic before processing HTTP traffic.

The SSL Bypass Set item provides a read-only element, Action, that specifies the Bypass option.

An AD Group Lookup item can branch based on Active Directory group. The item provides one default advanced branch rule expression, expr { [mcget {session.ad.last.attr.primaryGroupID}] == 100 }, as an example.

A branch rule expression can include any populated session variable, such as session.ad.last.attr.primaryGroupID, session.ad.last.attrmemberOf, session.ad.last.attr.lastLogon, session.ad.last.attr.groupType, session.ad.last.attr.member, and so on. As an example, expr { [mcget {session.ad.last.attr.memberOf}] contains "CN=Administrators" is a valid expression.

An LDAP Group Lookup item compares a specified string against the session.ldap.last.attr.memberOf session variable. The specified string is configurable in a branch rule. The default simple branch rule expression is User is a member of CN=MY_GROUP, CN=USERS, CN=MY_DOMAIN ; the values MY_GROUP, USERS, MY_DOMAIN, must be replaced with values used in the LDAP group configuration at the user site.

A per-request policy LocalDB Group Lookup item compares a specified string against a specified session variable.

The string is specified in a branch rule of the LocalDB Group Lookup item. The default simple branch rule expression is User is a member of MY_GROUP. The default advanced rule expression is expression is expr { [mcget {session.localdb.groups}] contains "MY_GROUP" }. In either the simple or the advanced rule, the variable, MY_GROUP, must be replaced with a valid group name.

The session variable must initially be specified and populated by a Local Database action in the access policy. A Local Database action reads groups from a local database instance into a user-specified session variable. It can be session.localdb.groups (used by default in the LocalDB Group Lookup advanced rule expression) or any other name. The same session variable name must be used in the Local Database action and the LocalDB Group Lookup advanced rule expression.

The RADIUS Class Lookup access policy item compares a user-specified class name against the session.radius.last.attr.class session variable. The specified class name is configurable in a branch rule.

The default simple branch rule expression is RADIUS Class attribute contains MY_CLASS . The variable MY_CLASS must be replaced with the name of an actual class.

The Dynamic Date Time action enables branching based on the day, date, or time on the server. It provides two default branch rules:

Weekend

Defined as Saturday and Sunday.

Business Hours

Defined as 8:00am to 5:00pm.

The Dynamic Date Time action provides these conditions for defining branch rules.

Time From

Specifies a time of day. The condition is true at or after the specified time.

Time To

Specifies a time of day. This condition is true before or at the specified time.

Date From

Specifies a date. This condition is true at or after the specified date.

Date To

Specifies a date. This condition is true before or at the specified date

Day of Week

Specifies a day. The condition is true for the entire day (local time zone).

Day of Month

Specifies the numeric day of month. This condition is true for this day every month (local time zone).

The SSL Intercept Set item provides a read-only element, Action, that specifies the Intercept option.

The Logging action can be used in an access policy or in a per-request policy. In an access policy, the Logging action adds logging for session variables to the access policy. In a per-request policy, the Logging action can add logging for both session variables and per flow variables to the per-request policy.

This action is useful for tracing the variables that are created for a specific category, or in a specific branch.

The Logging action provides these configuration elements and options:

Log Message

For an access policy, specifies text to add to the log file. For a per-request policy, specifies the message text and the session and per-flow variables to add to the message. Complete variable names must be typed. Wildcards are not supported for per-request policies. An example log message for a per-request policy follows.

The system found this URL %{perflow.category_lookup.result.url} in these categories %{perflow.category_lookup.result.categories} and placed it into this category %{perflow.category_lookup.result.primarycategory}.

An HTTPS request was made to this host %{perflow.category_lookup.result.hostname}; the per-request policy set SSL bypass to %{perflow.ssl_bypass_set}.

Requests from this platform %{session.client.platform} were made during this session %{perflow.session.id}.

Session Variables

Specifies a session variable from a list of predefined session variables or a custom session variable.

Note: This option is available only when adding the Logging action to an access policy.

A Category Lookup item looks up URL categories for a request and obtains a web response page.

The Category Lookup item provides these elements and options.

Categorization Input

The list specifies these options:

• Use HTTP URI (cannot be used for SSL Bypass decisions): For HTTP traffic, this option specifies performing a URL-based lookup. When selected, on a BIG-IP^® system with an SWG subscription the SafeSearch Mode setting displays.
• Use SNI in Client Hello (if SNI is not available, use Subject.CN): For HTTPS traffic, this option specifies performing a host-based lookup.
• Use Subject.CN in Server Cert: For HTTPS traffic, this option specifies performing a host-based lookup. (This option is not for use in a reverse proxy configuration.)

SafeSearch Mode

The options are Enabled (default) and Disabled. When enabled, SWG enables Safe Search for supported search engines.

Note: SafeSearch is available only with an SWG subscription.

Category Lookup Type

Select the category types in which to search for the requested URL. On a BIG-IP^® system with an SWG subscription, options are:

• Select one from Custom categories first, then standard categories if not found
• Always process full list of both custom and standard categories
• Process standard categories only

On a BIG-IP^® system without an SWG subscription, the available option is Process custom categories only. Depending on the selection, the Category Lookup Type item looks through custom categories or standard categories or both, and compiles a list of one or more categories from them. The list is available for subsequent processing by the URL Filter Assign item.

Reset on Failure

When enabled, specifies that SWG send a TCP reset to the client in the event of a server failure.

A Response Analytics item inspects a web response page for malicious embedded contents. Response Analytics must be preceded by a Category Lookup item because it obtains a web response page.

Response Analytics provides these elements and options.

Max Buffer Size

Specifies the maximum amount of response data (in bytes) to collect before sending it for content scanning. The system sends the content for analysis when the buffer reaches this size or when the buffer contains all of the response content. Otherwise, the system retains the response data in the buffer.

Max Buffer Time

Specifies the maximum amount of time (in seconds) for buffering and analyzing response data. If the time elapses at any point in this process, the agent sets the perflow.response_analytics.failure variable to 1 (which indicates an ANTserver failure) and discards the response data.

Reset on Failure

When enabled, specifies that SWG send a TCP reset to the client in the event of an ANTserver failure. If disabled and an ANTserver failure occurs, SWG logs all perflow variables and provides the SWG block page to the client.

Exclude Types

Specifies one entry for each type of content to be excluded from content analysis. Images, the All-Images type, do not get analyzed.

A Request Analytics item inspects an outgoing web request for malicious embedded contents. In a per-request policy, a Request Analytics item must be preceded by a Category Lookup item and followed by a URL Filter Assign item. To block outgoing traffic from chat applications, a Request Analytics item is required.

Request Analytics provides these elements and options.

Max Buffer Size

Specifies the maximum amount of request data (in bytes) to collect before sending it for content scanning. The system sends the content for analysis when the buffer reaches this size or when the buffer contains all of the request content. Otherwise, the system retains the request data in the buffer.

Max Buffer Time

Specifies the maximum amount of time (in seconds) for buffering and analyzing request data. If the time elapses at any point in this process, the agent sets the perflow.request_analytics.failure variable to 1 (which indicates an ANTserver failure) and discards the request data.

Reset on Failure

When enabled, specifies that SWG send a TCP reset to the client in the event of an ANTserver failure. If disabled and an ANTserver failure occurs, SWG logs all perflow variables and provides the SWG block page to the client.

A URL Filter Assign item looks up the URL filter action for each category that the Category Lookup item found for a request. If any filter action is set to Block, the request is blocked. In a configuration with an SWG subscription, the URL Filter Assign item also uses the analysis from the Response Analytics item, if used, to determine whether to block the request.

By default, the URL Filter Assign item has three branches: Allow, Confirm, and fallback. If the request is not blocked and any filter action is set to Confirm, the per-request policy takes the Confirm branch.

A URL Filter Assign item provides the URL Filter element, with a list of filters from which to select.

An Application Lookup item obtains the name of the application that is being requested and looks up the application family that matches it. By default, this item has a fallback branch only.

Application Lookup can be used to branch by application family or by application name; branch rules are required to do this. If an Application Filter Assign item is included in the per-request policy, an Application Lookup must complete before it.

An Application Filter Assign item matches an application or application family against an application filter. Application Filter Assign provides one configuration element. The Application Filter element specifies the application filter to use in determining whether to block access to an application or allow it. The Application Filter Assign item exits on the Allow branch if the filter action specifies allow. Otherwise, Application Filter Assign exits on the fallback branch.

An HTTP Headers action supports modifying an outgoing HTTP request to a back-end server. The action supports manipulation of HTTP and cookie headers being sent to back-end servers.

The HTTP Headers item provides these configuration options and elements.

An entry in the HTTP Header Modify table includes these elements.

Header Operation

Specifies insert, append, replace, or remove.

Header Name

Specifies the header name on which to operate.

Header Value

Specifies the value on which to operate.

Note: Any per-flow or session variable can be used as a header value, for example, %{session.user.clientip} or %{perflow.session.id}.

Header Delimiter

Specifies the separator to use when appending a header.

An entry in the HTTP Cookie Modify table includes these elements.

Cookie Operation

Specifies update or delete.

Note: When update is selected and a cookie that matches the name and value does not exist, HTTP Header adds the specified cookie.

Cookie Name

Specifies the name to match.

Cookie Value

Specifies the value to match when deleting a cookie or the new value to set when updating a cookie.

Note: Any per-flow or session variable can be used as a cookie value.

The Select SSO Configuration agent provides these configuration elements and options:

SSO Configuration Name

Select an SSO configuration name from the list.

An OAuth Client agent is a policy item that requests authorization and tokens from an OAuth server. An OAuth Client can also get scope data on a per-request basis. The OAuth Client agent provides these configuration elements and options:

Server

Specifies the OAuth server to which this OAuth client directs requests.

Grant Type

Specifies the type of grant that the OAuth client uses.

• Authorization code - The client redirects the resource owner to the OAuth server to request an authorization code.
• Password - The client uses resource owner password credentials to request an access token from the OAuth server.

OpenID Connect

Specifies whether the agent uses OpenID Connect for authorization. Displays when Grant Type is set to Authorization code.

Note: To function correctly when enabled, the OAuth provider (associated with the selected Server) must be configured to support JSON web tokens.

OpenID Connect Flow Type

Specifies the OpenID Connect flow type to use: Authorization code or Hybrid.

OpenID Connect Hybrid Response Type

Specifies the response type to use for an OpenID Connect hybrid flow: code-idtoken, code-token, or code-idtoken-token.

Authentication Redirect Request

Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when Grant Type is set to Authorization code.

Token Request

Specifies a token-request type of request.

Refresh Token Request

Specifies a token-refresh-request type of request. APM uses this request on a per-request basis.

OpenID Connect UserInfo Request

Specifies an openid-userinfo-request type of request. Displays when OpenID Connect is set to Enabled.

Redirection URI

Specifies the URI for the OAuth server to redirect a user back to the OAuth client. Displays when Grant Type is set to Authorization code.

Scope

Specifies one or more strings separated by spaces; for example contacts photo email. The strings are defined by the OAuth authorization server. Your best source of information for the strings that a particular OAuth authorization server defines could be APIs for OAuth 2.0 scopes on developer sites for OAuth providers.

For the Authorization code grant type, an OAuth authorization server prompts the user to grant or deny access to the scopes. For the Password grant type, an OAuth authorization server grants permission to the requested scopes based on the user providing resource owner password credentials.

The OAuth Scope agent validates JSON web tokens (JWT) or validates scopes for opaque tokens. The OAuth Scope item provides these elements and options:

Token Validation Mode

• Internal - In this mode, the agent validates JSON web tokens (JWT).
• External - In this mode, the agent makes requests to an OAuth authorization server to get scopes associated with a token and to get scope data, such as a user's email address or contact list.

JWT Provider List

Specifies a list of OAuth providers that support JWT. The agent validates JWT from any of these providers when configured. For Internal mode.

Server

Specifies an OAuth server. OAuth servers in resource server, or client and resource server modes are available for selection. For External mode.

Scopes Request

Specifies a validation-scopes-request type request. This request type retrieves a list of scopes associated with the token. For External mode.

In External mode, there can be multiple scope data requests in this agent with these elements:

Scope Name

Specifies the name of a scope for which you are requesting data. (The external OAuth provider specifies the names of the scopes that it supports.)

Request

Specifies a scope-data-request type request. This is optional. If the provider does not require this type of request to obtain additional information from an authorization server, you do not need to fill in this field.

The agents in this table are available toper-session policies and to per-request policy subroutines. In a per-request policy subroutine, not all options for an agent are supported and support for some options is implemented differently.

An AD Auth action authenticates a user against an AAA Active Directory server. An authentication action typically follows a logon action that collects credentials.

Type

Specifies Authentication, the type of this Active Directory action.

Server

Specifies an Active Directory server; servers are defined in the Access > Authentication area of the Configuration utility.

Cross Domain Support

Specifies whether AD cross domain authentication support is enabled for this action.

Complexity check for Password Reset

Specifies whether Access Policy Manager^® (APM^®) performs a password policy check. APM supports these Active Directory password policies:

• Maximum password age
• Minimum password age
• Minimum password length
• Password must meet complexity requirements

APM must retrieve all related password policies from the domain to make the appropriate checks on the new password.

Note: Because this option might require administrative privileges, the administrator name and password might be required on the AAA Active Directory server configuration page.

Note: Enabling this option increases overall authentication traffic significantly because APM must retrieve password policies using LDAP protocol and must retrieve user information during the authentication process to properly check the new password.

Show Extended Error

When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in testing, in a production or debugging environment. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, displays non-comprehensive error messages generated by the authentication server on the user's logon page.)

Max Logon Attempts Allowed

Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt.

Note: For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.

Max Password Reset Attempts Allowed

Specifies the number of times that APM allows the user to try to reset password.

A Confirm Box action presents links for these options: Continue and Cancel. The action is available for a per-request policy subroutine only and is for use in a Secure Web Gateway (SWG) configuration. Confirm Box offers these elements and options for customization.

Language

Specifies the language to use to customize the Confirm Box page. Selecting a language causes the content in the remaining fields display in the selected language.

Note: Languages on the list reflect those that are configured in the access profile.

Message

Specifies the message to display.

Field 1 image

Specifies the icon (red, green, or none) to display with the Continue option.

Continue

Specifies the text to display for this option.

Field 2 image

Specifies the icon (red, green, or none) to display with the Cancel option.

Cancel

Specifies the text to display for this option.

A CRLDP Auth action retrieves a Certificate Revocation List (CRL) from a network location (distribution point). A distribution point is either an LDAP Uniform Resource Identifier (URI), a directory path that identifies the location where the CRLs are published, or a fully qualified HTTP URL. An CRLDP Auth action provides these configuration elements and options:

CRLDP Server

Specifies a CRLDP server; servers are defined in the Access > Authentication area of the Configuration utility.

A HTTP Auth action authenticates a user against an HTTP AAA server. An HTTP Auth action provides these configuration elements and options:

AAA Server

Specifies an HTTP AAA server; servers are defined in the Access > Authentication area of the Configuration utility.

The HTTP 401 Response action sends an HTTP 401 Authorization Required Response page to capture HTTP Basic or Negotiate authentication.

The HTTP 401 Response action provides up to three branches: Basic, Negotiate, and fallback. Typically, a basic type of authentication follows on the Basic branch and a Kerberos Auth action follows on the Negotiate branch.

An HTTP 401 Response action provides these configuration elements and options.

Basic Auth Realm

Specifies the authentication realm for use with Basic authentication.

HTTP Auth Level

Specifies the authentication required for the policy.

• none - specifies no authentication.
• basic - specifies Basic authentication only.
• negotiate - specifies Kerberos authentication only.
  Note: This option is not available for a per-request policy subroutine.
• basic+negotiate - specifies either Basic or Kerberos authentication.
  Note: This option is not available for a per-request policy subroutine.

The action provides customization options that specify the text to display on the screen.

Language

Specifies the language to use to customize this HTTP 401 response page. Selecting a language causes the content in the remaining fields display in the selected language.

Note: Languages on the list reflect those that are configured in the access profile.

Logon Page Input Field #1

Specifies the text to display on the logon page to prompt for input for the first field. When Language is set to en, this defaults to Username.

Logon Page Input Field #2

Specifies the text to display on the logon page to prompt for input for the second field. When Language is set to en, this defaults to Password.

HTTP response message

Specifies the text that appears when the user receives the 401 response, requesting authentication.

An iRule Event action adds iRule processing to an access policy or to a per-request policy subroutine at a specific point. An iRule Event provides one configuration option: ID, which specifies an iRule event ID.

An iRule Event action can occur anywhere in an access policy or a per-request policy subroutine.

An LDAP Auth action authenticates a user against an AAA LDAP server. An LDAP Auth action provides these configuration elements and options.

Type

Specifies Authentication, the type of this LDAP action.

Server

Specifies an LDAP server; servers are defined in the Access > Authentication area of the Configuration utility.

SearchDN

Specifies the base node of the LDAP server search tree to start the search with.

SearchFilter

Specifies the search criteria to use when querying the LDAP server for the user's information. Session variables are supported as part of the search query string. Parentheses are required around search strings; (sAmAccountName=%{session.logon.last.username})

UserDN

Specifies the Distinguished Name (DN) of the user. The DN can be derived from session variables.

Show Extended Error

When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in testing, in a production or debugging environment. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, displays non-comprehensive error messages generated by the authentication server on the user's logon page.)

Max Logon Attempts Allowed

Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt.

Note: For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.

The LocalDB Auth action can authenticate a user against a local user database instance. The LocalDB Auth action can lock a user out of a local user database instance if they fail to log on within a specified number of attempts.

A LocalDB Auth action provides these configuration elements and options.

LocalDB Instance

Specifies a local user database instance.

Max Logon Attempts Allowed

A number from 1 to 5.

Note: For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.

A logon page action prompts for a user name and password, or other identifying information. The logon page action typically precedes the authentication action that checks the credentials provided on the logon page. The logon page action provides up to five customizable fields and enables localization.

The logon page action provides these configuration options and elements.

Split domain from full username

Specifies Yes or No.

• Yes - specifies that when a username and domain combination is submitted (for example, marketing\jsmith or jsmith@marketing.example.com), only the username portion (in this example, jsmith) is stored in the session variable session.logon.last.username.
• No - specifies that the entire username string is stored in the session variable.

CAPTCHA configuration

Specifies a CAPTCHA configuration to present for added CAPTCHA security on the logon page.

Type

Specifies the type of logon page input field: text, password, select, checkbox, or none.

• text Displays a text field, and shows the text that is typed in that field.
• password Displays an input field, but displays the typed text input as asterisks.
• select Displays a list. The list is populated with values that are configured for this field.
• checkbox Displays a check box.
• none Specifies that the field is not displayed on the logon page.

Post Variable Name

Specifies the variable name that is prepended to the data typed in the text field. For example, the POST variable username sends the user name input omaas as the POST string username=omaas.

Session Variable Name (or Subsession Variable Name)

Specifies the session variable name that the server uses to store the data typed in the text field. For example, the session variable username stores the username input omaas as the session variable string session.logon.last.username=omaas.

Note: A per-request policy subroutine uses subsession variables in place of session variables.

Clean Variable

Specifies whether to clear any value from the variable before presenting the logon page to the user; to clean the variable, select Yes. Defaults to No.

Values

Specifies values for use on the list when the input field type is select.

Read Only

Specifies whether the logon page agent is read-only, and always used in the logon process as specified. You can use Read Only to add logon POST variables or session variables that you want to submit from the logon page for every session that uses this access policy, or to populate a field with a value from a session variable. For example, you can use the On-Demand Certificate agent to extract the CN (typically the user name) field from a certificate, then you can assign that variable to session.logon.last.username. In the logon page action, you can specify session.logon.last.username as the session variable for a read only logon page field that you configure. When Access Policy Manager^® displays the logon page, this field is populated with the information from the certificate CN field (typically the user name).

Additionally, customization options specify text and an image to display on the screen.

Language

Specifies the language to use to customize this logon page. Selecting a language causes the content in the remaining fields to display in the selected language.

Note: Languages on the list reflect those that are configured in the access profile.

Form Header Text

Specifies the text that appears at the top of the logon box.

Logon Page Input Field # number

Specifies the text to display for each input field (number 1 through 5) that is defined in the Logon Page Agent area with Type set to other than none.

Logon Button

Specifies the text that appears on the logon button, which a user clicks to post the defined logon agents.

Front Image

Specifies an image file to display on the logon page. The Replace Image link enables customization and the Revert to Default Image discards any customization and use the default logon page image.

Save Password Check Box

Specifies the text that appears adjacent to the check box that allows users to save their passwords in the logon form. This field is used only in the secure access client, and not in the web client.

New Password Prompt

Specifies the prompt displayed when a new Active Directory password is requested.

Verify Password Prompt

Specifies the prompt displayed to confirm the new password when a new Active Directory password is requested.

Password and Password Verification do not Match

Specifies the prompt displayed when a new Active Directory password and verification password do not match.

Don't Change Password

Specifies the prompt displayed when a user should not change password.

Typically, when a client makes an HTTPS request, an SSL handshake request occurs at the start of an SSL session. If the client SSL profile skips the initial SSL handshake, an On-Demand Cert Auth action can re-negotiate the SSL connection from an access policy by sending a certificate request to the user. This prompts a certificate screen to open. After the user provides a valid certificate, the On-Demand Cert Auth action checks the result of certificate authentication. The agent verifies the value of the session variable session.ssl.cert.valid to determine whether authentication was a success.

The On-Demand Cert Auth action provides one configuration option, Auth Mode, with two supported modes:

Request

With this mode, the system requests a valid certificate from the client, but the connection does not terminate if the client does not provide a valid certificate. Instead, this action takes the fallback route in the access policy. This is the default option.

Require

With this mode, the system requires that a client provides a valid certificate. If the client does not provide a valid certificate, the connection terminates and the client browser stops responding.

Note: For an iPod or an iPhone, the Require setting must be used for On-Demand certificate authentication. To pass a certificate check using Safari, the user is asked to select the certificate multiple times. This is expected behavior.

An OAuth Client agent is a policy item that requests authorization and tokens from an OAuth server. An OAuth Client can also get scope data on a per-request basis. The OAuth Client agent provides these configuration elements and options:

Server

Specifies the OAuth server to which this OAuth client directs requests.

Grant Type

Specifies the type of grant that the OAuth client uses.

• Authorization code - The client redirects the resource owner to the OAuth server to request an authorization code.
• Password - The client uses resource owner password credentials to request an access token from the OAuth server.

OpenID Connect

Specifies whether the agent uses OpenID Connect for authorization. Displays when Grant Type is set to Authorization code.

Note: To function correctly when enabled, the OAuth provider (associated with the selected Server) must be configured to support JSON web tokens.

OpenID Connect Flow Type

Specifies the OpenID Connect flow type to use: Authorization code or Hybrid.

OpenID Connect Hybrid Response Type

Specifies the response type to use for an OpenID Connect hybrid flow: code-idtoken, code-token, or code-idtoken-token.

Authentication Redirect Request

Specifies an auth-redirect-request type request, which redirects a user to an OAuth server. Displays when Grant Type is set to Authorization code.

Token Request

Specifies a token-request type of request.

Refresh Token Request

Specifies a token-refresh-request type of request. APM uses this request on a per-request basis.

OpenID Connect UserInfo Request

Specifies an openid-userinfo-request type of request. Displays when OpenID Connect is set to Enabled.

Redirection URI

Specifies the URI for the OAuth server to redirect a user back to the OAuth client. Displays when Grant Type is set to Authorization code.

Scope

Specifies one or more strings separated by spaces; for example contacts photo email. The strings are defined by the OAuth authorization server. Your best source of information for the strings that a particular OAuth authorization server defines could be APIs for OAuth 2.0 scopes on developer sites for OAuth providers.

For the Authorization code grant type, an OAuth authorization server prompts the user to grant or deny access to the scopes. For the Password grant type, an OAuth authorization server grants permission to the requested scopes based on the user providing resource owner password credentials.

The OAuth Scope agent validates JSON web tokens (JWT) or validates scopes for opaque tokens. The OAuth Scope item provides these elements and options:

Token Validation Mode

• Internal - In this mode, the agent validates JSON web tokens (JWT).
• External - In this mode, the agent makes requests to an OAuth authorization server to get scopes associated with a token and to get scope data, such as a user's email address or contact list.

JWT Provider List

Specifies a list of OAuth providers that support JWT. The agent validates JWT from any of these providers when configured. For Internal mode.

Server

Specifies an OAuth server. OAuth servers in resource server, or client and resource server modes are available for selection. For External mode.

Scopes Request

Specifies a validation-scopes-request type request. This request type retrieves a list of scopes associated with the token. For External mode.

In External mode, there can be multiple scope data requests in this agent with these elements:

Scope Name

Specifies the name of a scope for which you are requesting data. (The external OAuth provider specifies the names of the scopes that it supports.)

Request

Specifies a scope-data-request type request. This is optional. If the provider does not require this type of request to obtain additional information from an authorization server, you do not need to fill in this field.

An OCSP Auth action retrieves the revocation status of an X.509 certificate by sending the certificate information to a remote Online Certificate Status Protocol (OCSP) responder. Typically, an OCSP Auth action follows an action that receives an X.509 certificate. Either a Client Cert Inspection or On-Demand Cert Auth action can receive the X.509 certificate from a user. Either action populates session variables with data that OSCP Auth uses. Similarly, a Machine Cert Auth action can receive an X.509 certificate from a machine and populate session variables.

An OCSP Auth action provides these configuration elements and options:

OCSP Responder

Specifies the OCSP Responder AAA configuration object, defined in the Access Policy AAA servers area of the Configuration utility.

Certificate Type

Specifies the expected type of certificate: User or Machine.

The Proxy Select agent is for use in selecting the next hop in forward proxy chaining. The Proxy Select agent provides these elements and options:

Pool

Specifies a pool of one or more proxy servers from which to select the next hop. All proxy servers in the pool that you select must support the forward proxy mode that you specify in the Upstream Proxy Mode setting.

Upstream Proxy Mode

Specifies whether the next hop is to a forward proxy server that supports Explicit forward proxy or Transparent forward proxy.

Username

Specifies the name of a user account on the proxy server. To use static credentials to authenticate the user at the next hop, provide the username and password .

Password

Specifies the password for the user account on the proxy server.

A RADIUS Auth action authenticates a client against an external RADIUS server. A RADIUS Auth action provides these configuration elements and options.

AAA Server

Specifies the RADIUS accounting server; servers are defined in the Access > Authentication area of the Configuration utility.

Show Extended Error

When enabled, causes comprehensive error messages generated by the authentication server to display on the user's logon page. This setting is intended only for use in testing, in a production or debugging environment. If enabled in a live environment, your system might be vulnerable to malicious attacks. (When disabled, displays non-comprehensive error messages generated by the authentication server on the user's logon page.)

Max Logon Attempts Allowed

Specifies the number of user authentication logon attempts to allow. A complete logon and password challenge and response is considered as one attempt.

Note: For a per-request policy subroutine, equivalent functionality is supported through subroutine settings.

The Select SSO Configuration agent provides these configuration elements and options:

SSO Configuration Name

Select an SSO configuration name from the list.