Manage application behaviors

Access Gateway supports managing application behaviors. Application behaviors define the actions taken when an event occurs, such as login, logout, or an error.

To add a behavior:

  1. Navigate to your Access Gateway instance.
  2. From the Topology tab or the Applications tab, open the application.
  3. In the Settings pane, expand Behaviors.

Choose one of the following custom behaviors:

Login

Allows you to define login endpoints that will aid in creating the user session.

Fields:

| Field | Description |
| --- | --- |
| Login | Dropdown, behavior on login. |
| Login path | Path to login endpoint URL, may be relative or fully qualified depending on use. Executed after successful login. |

Login supports the following:

| Selection | Behavior | Login Path |
| --- | --- | --- |
| Don't define login behavior | Default. No specialized login behavior. | Not applicable. |
| Use Okta Access Gateway login page | When selected, Access Gateway will show the auth module login page. | Valid relative path in the protected application. Auth module must refer to a previously defined auth module. |
| Use Application login page | When selected, use the associated unprotected path to an application hosted login page. | Valid relative path in the protected application. |
| Define a custom login URL | When selected, Access Gateway will forward user to Custom URL on login. | Login Path must contain a valid relative path in the protected application. Custom URL must contain a valid fully qualified URL executed after successful login. |

Logout

Allows you to define logout endpoints that will aid in destroying the user session.

Fields:

| Field | Description |
| --- | --- |
| Logout | Dropdown, behavior on logout. |
| Logout path | Path to relative logout endpoint URL. |
| Single Logout | A SAML Service Provider sends a logout request to the Identity Provider, which closes the current session at both the Identity Provider and the Service Provider. Okta only supports SP-initiated logout. When enabled, destroy both the Access Gateway and Okta sessions. When disabled, destroy only the Access Gateway session. Default: enabled. |

| Logout Dropdown value | Behavior | End page displayed |
| --- | --- | --- |
| Show Logout page | Default. Reset Okta and Access Gateway sessions, based on value of Single Logout toggle. | Post session clean up, Access Gateway will display the Access Gateway logout page. |
| Show Login page | When selected, reset Okta and Access Gateway sessions, based on value of Single Logout toggle. | Post session clean up, Access Gateway will display the Access Gateway login. |
| Use Application Logout page | When selected, destroy Okta and Access Gateway sessions, based on value of Single Logout toggle. Note: The value of Logout path must be a valid relative path in the protected application. | Post session clean up, Access Gateway will display the application's logout page. This option can be used if your application already has a logout page or if custom logic is required for actions taken after the end user logs out. For example, clearing sessions in a third-party service or writing to an external audit log. |
| Define a custom Logout URL | When selected, Access Gateway does not destroy the session, and only redirects to the specified URL. Note: The value of the Logout path must be a fully qualified URL. | On logout, redirect to the specified Post Login URL, which is expected to perform any required Okta or Access Gateway session cleanup. This is the default URL end users are directed to after logout. By default this will be the Post Login value. Click the checkbox to customize. |


Post Logout URL

Default URL end users are directed to after logout.
By default this will be the Post Login value.
Enable the field and enter an appropriate URL.
Can be used to redirect the user to a central logout page hosted by the customer, or to direct the end user back to the home page of your company, or something similar.

Error Behavior

Allows you to define error endpoints called when errors occur. Error behavior can be used to redirect the user to a central logout page hosted by the customer, to direct the end user back to the home page of your company, or something similar.

Fields:

| Field | Description |
| --- | --- |
| Error | Dropdown, behavior on error. |
| Error path | Path to error endpoint URL, may be relative or fully qualified depending on use. |

| Error Dropdown value | Behavior | Error Path |
| --- | --- | --- |
| Use Okta Access Gateway error page | Default. Define an error path for this application. By default, show the generic Access Gateway error page. | Not applicable. |
| Use Application error page | When selected, display an application hosted error page. Note: Error path must be a valid path in your application. | Valid relative path which must exist in the protected application. |
| Define a custom error URL | When selected, and the error path is called, redirect end user to the specified custom Error path URL. | In addition to Error path, enter a fully qualified path which is used as an error handler. Custom URL must contain a valid fully qualified URL. Typically used to invoke an error flow. |
| Don't define any Error Behavior | When selected, Access Gateway will not provide any error behavior. | Not applicable. |
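
The path rules in the Login, Logout and Error tables can be checked before a change is applied. The following is an added example, not Okta code: the settings dictionary layout, the https-only requirement and the host allow-list are assumptions made for the check.

```python
from urllib.parse import urlsplit

# Path requirements per (behavior, dropdown selection), transcribed from the
# Login, Logout and Error tables on this page. The dict layout is hypothetical.
RULES = {
    ("login", "Use Okta Access Gateway login page"): {"path": "relative"},
    ("login", "Use Application login page"): {"path": "relative"},
    ("login", "Define a custom login URL"): {"path": "relative", "custom_url": "absolute"},
    ("logout", "Use Application Logout page"): {"path": "relative"},
    ("logout", "Define a custom Logout URL"): {"path": "absolute"},
    ("error", "Use Application error page"): {"path": "relative"},
    ("error", "Define a custom error URL"): {"custom_url": "absolute"},
}

def is_relative_path(value):
    """True for a path inside the protected application, e.g. /app/login."""
    if not value.startswith("/") or value.startswith("//") or "\\" in value:
        return False  # a leading "//" names another host, so it is not app-relative
    parts = urlsplit(value)
    return not parts.scheme and not parts.netloc and ".." not in parts.path.split("/")

def is_absolute_url(value, allowed_hosts):
    """True for an https URL whose host is on the allow-list (assumed review policy)."""
    parts = urlsplit(value)
    return parts.scheme == "https" and parts.hostname in allowed_hosts

def lint_behaviors(settings, allowed_hosts):
    """Return findings for a {behavior: {selection, path, custom_url}} dict."""
    findings = []
    for behavior, cfg in settings.items():
        rule = RULES.get((behavior, cfg.get("selection")), {})
        for field, kind in rule.items():
            value = cfg.get(field) or ""
            ok = is_relative_path(value) if kind == "relative" else is_absolute_url(value, allowed_hosts)
            if not ok:
                findings.append(f"{behavior}.{field}: expected {kind} value, got {value!r}")
    return findings

# Constructed sample settings, not exported from a real Access Gateway instance.
SAMPLE = {
    "login": {"selection": "Define a custom login URL", "path": "//login.example.net/start",
              "custom_url": "https://portal.example.com/after-login"},
    "logout": {"selection": "Define a custom Logout URL", "path": "/logout"},
    "error": {"selection": "Use Application error page", "path": "/errors/generic"},
}

if __name__ == "__main__":
    for finding in lint_behaviors(SAMPLE, {"portal.example.com"}):
        print(finding)
```

A finding on the logout path matters most for Define a custom Logout URL, because with that selection Access Gateway does not destroy the session and leaves cleanup to the target URL.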

No Session/Session Expired

Allows you to define the end user experience when the Access Gateway has no session or the current session expires for this application.

| Dropdown value | Behavior |
| --- | --- |
| Redirect to IDP | Default. The end user will be redirected back to the IDP (Identity Provider; in this scenario, Okta) to be re-authenticated. If their Okta session is still active, the end user will be silently redirected back to the application with a refreshed application session. |
| Force reauthentication at IDP | When selected, redirects the end user back to Okta for authentication. Note: End user will be asked to re-authenticate, even if their Okta session is active. |
| Show default no session page | When selected, display default Access Gateway no session page. |
| Redirect to custom URL | When selected, redirect end user to specified custom URL. Custom URL/URI must specify a valid URL. |

Policy Denied

Allows you to define the end user experience when Access Gateway denies access to a resource in the case of a policy failure.

| Dropdown value | Behavior |
| --- | --- |
| Show default policy failure page | Default. Display default Access Gateway policy failure page. |
| Return 403 status code | When selected, return blank page with HTTP 403 status code. |
| Redirect to custom URL | When selected, redirect end user to specified custom URL on policy denied. Custom URL/URI must specify a valid URL. |

Session Integrity Failed

Allows you to define the end user experience when Access Gateway detects a session integrity failure.
This is common if end users change networks while maintaining an active application session.
Access Gateway fingerprints the remote IP address and denies access.

| Dropdown value | Behavior |
| --- | --- |
| Show default Security warning page | Default. Display default Access Gateway security warning page. |
| Return 405 status code | When selected, return blank screen with 405 status code. |
| Redirect to IDP | When selected, redirect end user to specified custom URL on session integrity error. Custom URL/URI must specify a valid URL. |
| Force reauthentication at IDP | Force the end user to re-authenticate. Once re-authenticated, the end user will SSO (single sign-on) back into the application. |
| Do not enforce | Do not enforce session integrity. |

Application Maintenance

Allows you to define the end user experience when the application is in maintenance mode.

| Dropdown value | Behavior |
| --- | --- |
| Default Application Maintenance page | Default. Display default Okta Access Gateway application maintenance page. |
| Redirect to custom URL | When selected, redirect end user to specified custom URL when in maintenance mode. Custom URL/URI must specify a valid URL. |

Application Inactive

Allows you to define the end user experience when the application is in inactive mode.

| Dropdown value | Behavior |
| --- | --- |
| Default Application inactive page | Default. Display default Access Gateway application inactive page. |
| Redirect to custom URL | When selected, redirect end user to specified custom URL when application is inactive. Custom URL/URI must specify a valid URL. |

Application Offline

Allows you to define the end user experience when the application is detected as offline.

| Dropdown value | Behavior |
| --- | --- |
| Default Application inactive page | Default. Display default Access Gateway application offline page. |
| Redirect to custom URL | When selected, redirect end user to specified custom URL when application is offline. Custom URL/URI must specify a valid URL. |