Advanced Access Gateway Policy Examples

Examples

The following are examples of advanced policy configuration and are for illustration and educational purposes only.


Only send field on specific URI requests

Description: Passing all fields to all URLs is often unnecessary. Using custom configuration, a policy can be created to send specific fields only on specific requests.

Required Configuration

Protected rule exists for a given resource.
Configure the attribute as 'do not send'.
Set the attribute to Don't Send.

Example

Add a variable to a header

set $TEST " ";                        # Set a value for later use
proxy_set_header header_name $TEST;   # Add the value as an HTTP header on the upstream request

Force a return on a different URL and error code

Description: Sometimes it is required to return a specific return code and URL for a given URI.

Required Configuration

Protected rule exists for a given resource.

Example

# Regardless of the behavior,
# for the given protected resource
# return 301
return 301 https://www.okta.com;


Specify a behavior based on query arguments

Description: Behavior for a given URI can depend on incoming query values, for example to skip authentication for test data.

Required Configuration

Protected rule exists for a given resource.

Example

# If the query argument "test" is equal to "demo"
# then set the policy type field to NO_AUTH
if ($arg_test = "demo") {
    set $policy_type "NO_AUTH";
}

Rewrite URL Strings

Description: Despite turning on URL rewriting in the gateway, some links and redirects still point the browser to the wrong place.

Scenario

Gateway is gw.okta.com
Protected server is app1.okta.com
Some links/redirects point to gw.okta.com instead of app1.okta.com

Required Configuration

Protected rule exists for a given resource.

Example

# Rewrite the Location header of upstream redirects
proxy_redirect http://gw.okta.com https://app1.okta.com;

Redirect non-Chrome agents to a different location

Customer wants to prevent bots and other automated requests from hitting their servers.
Redirect all users not using a specific user agent (in this case Chrome) to a different URL.

Scenario

If the user agent is not Chrome
Redirect to a specific URL and return 301 (moved permanently)

Required Configuration

Protected rule exists for a given resource.

Example

# Case-insensitive match: any request whose User-Agent does not contain "Chrome" is redirected
if ($http_user_agent !~* Chrome) {
    return 301 https://www.okta.com;
}

Extend AJAX Session Handling

Applications that use AJAX calls hang or require a refresh after the session times out.

Scenario

Customer application makes AJAX calls.
Application is idle for a period and the session times out.
Application then makes a follow-up AJAX call, which fails due to the inactive session.

Required Configuration

Protected rule exists for a given resource.

Once included, the associated script executes on the defined interval, checking whether the user session is inactive. When a user session expires, the script alerts the user and refreshes the page. The user then gets a new session if an Okta session exists; otherwise the user must reauthenticate.


The script accepts 3 parameters:

  • oagSMTimeoutSeconds: Required, no default. Frequency, in seconds, at which the script runs to check the session.
  • oagSMAlertEnabled: Default: false. Show an alert if true.
  • oagSMAlertMessage: Message to be displayed in the alert.
    Default: Session timed out due to inactivity.

Review and select the appropriate scenario below:

Applications are considered to be using jQuery if the application page already includes the jQuery library.

Application uses jQuery

Note: replace the sample message with a customer-facing message.
proxy_set_header Accept-Encoding "";   # Request an uncompressed body so subs_filter can rewrite it
subs_filter_types text/html;            # Only rewrite HTML responses
subs_filter "</head>"
"<script type=\"text/javascript\">
   window.oagSMParams={\"oagSMTimeoutSeconds\" : 60, \"oagSMAlertEnabled\" : true,
                       \"oagSMAlertMessage\" : \"Your message to be displayed\"};
 </script>
<script src=\"/AQUNAAsIAAM/js/sessionTimeout.js\"></script></head>";
Application doesn't use jQuery

Note: replace the sample message with a customer-facing message.

proxy_set_header Accept-Encoding "";   # Request an uncompressed body so subs_filter can rewrite it
subs_filter_types text/html;            # Only rewrite HTML responses

# Every double quote inside the replacement HTML must be escaped as \" ,
# otherwise the nginx string ends early and the configuration fails to load
subs_filter "</head>"
"<script type=\"text/javascript\">
    window.oagSMParams={\"oagSMTimeoutSeconds\" : 60, \"oagSMAlertEnabled\" : true,
                        \"oagSMAlertMessage\" : \"Your message to be displayed\"};
</script>
<script type=\"text/javascript\" src=\"/AQUNAAsIAAM/dist/jquery-2.2.4.min.js\">
</script>
<script src=\"/AQUNAAsIAAM/js/sessionTimeout.js\"></script></head>";
Application uses iFrame and jQuery

Customer must identify a tag to replace, represented by <tag-to-replace>, in one of the iFrame pages.

proxy_set_header Accept-Encoding "";   # Request an uncompressed body so subs_filter can rewrite it
subs_filter_types text/html;            # Only rewrite HTML responses

subs_filter "</tag-to-replace>"
"<script type=\"text/javascript\">
   window.oagSMParams={\"oagSMTimeoutSeconds\" : 60, \"oagSMAlertEnabled\" : true,
                       \"oagSMAlertMessage\" : \"Your message to be displayed\"};
 </script>
<script src=\"/AQUNAAsIAAM/js/sessionTimeout.js\"></script></tag-to-replace>";
Application uses iFrame and doesn't use jQuery

Customer must identify a tag to replace, represented by <tag-to-replace>, in one of the iFrame pages.

proxy_set_header Accept-Encoding "";   # Request an uncompressed body so subs_filter can rewrite it
subs_filter_types text/html;            # Only rewrite HTML responses

# Every double quote inside the replacement HTML must be escaped as \" ,
# otherwise the nginx string ends early and the configuration fails to load
subs_filter "</tag-to-replace>"
"<script type=\"text/javascript\">
    window.oagSMParams={\"oagSMTimeoutSeconds\" : 60, \"oagSMAlertEnabled\" : true,
                        \"oagSMAlertMessage\" : \"Your message to be displayed\"};
</script>
<script type=\"text/javascript\" src=\"/AQUNAAsIAAM/dist/jquery-2.2.4.min.js\">
</script>
<script src=\"/AQUNAAsIAAM/js/sessionTimeout.js\"></script></tag-to-replace>";
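All four subs_filter variants above embed HTML inside one double-quoted nginx string, so every quote inside that HTML must be escaped as \" or the directive ends early and the injected oagSMParams object is mangled. The following added example (not part of the Access Gateway documentation or product) decodes such a replacement string the way nginx's config parser treats double-quoted arguments and validates the injected parameters before the configuration is deployed; the two sample strings are constructed from the jQuery variant.

```python
"""Offline check of a subs_filter replacement string (constructed example)."""
import json
import re

# Constructed sample: the replacement argument from the jQuery variant, flattened to one line.
GOOD = (r'"<script type=\"text/javascript\">'
        r'window.oagSMParams={\"oagSMTimeoutSeconds\" : 60, \"oagSMAlertEnabled\" : true, '
        r'\"oagSMAlertMessage\" : \"Your message to be displayed\"};</script>'
        r'<script src=\"/AQUNAAsIAAM/js/sessionTimeout.js\"></script></head>";')

# Same string with one pair of inner quotes left unescaped: the defect to catch.
BAD = GOOD.replace(r'src=\"/AQUNAAsIAAM/js/sessionTimeout.js\"',
                   'src="/AQUNAAsIAAM/js/sessionTimeout.js"')


def unquote_nginx(arg):
    """Decode one double-quoted nginx argument that must be followed by ';'.

    Raises ValueError when an unescaped quote terminates the string early,
    which is exactly what an unescaped " inside the HTML does.
    """
    if not arg.startswith('"'):
        raise ValueError("expected a double-quoted argument")
    out, i = [], 1
    while i < len(arg):
        c = arg[i]
        if c == '\\' and i + 1 < len(arg):      # \" or \\ escape
            out.append(arg[i + 1])
            i += 2
            continue
        if c == '"':                             # closing quote
            rest = arg[i + 1:].strip()
            if rest != ';':
                raise ValueError("string ended early; unexpected trailing text: %r" % rest[:40])
            return ''.join(out)
        out.append(c)
        i += 1
    raise ValueError("unterminated string")


def check_replacement(arg):
    """Return the injected oagSMParams dict after validating the snippet."""
    html = unquote_nginx(arg)
    m = re.search(r'window\.oagSMParams\s*=\s*(\{.*?\})\s*;', html, re.S)
    if not m:
        raise ValueError("oagSMParams assignment not found")
    params = json.loads(m.group(1))            # fails if the object's quotes were mangled
    if 'oagSMTimeoutSeconds' not in params:    # required, no default (see parameter list)
        raise ValueError("oagSMTimeoutSeconds is required")
    if 'sessionTimeout.js' not in html:
        raise ValueError("sessionTimeout.js include missing")
    return params
```

Running check_replacement on each subs_filter argument before reloading the gateway configuration catches the escaping mistake and a missing timeout value without touching a live server.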
