Define application behaviors

Application behaviors define what actions to perform when an event occurs.

Add a behavior to an application

  1. Go to the Access Gateway Admin UI console.
  2. Open the application from either the Topology or Applications tab.
  3. In the Settings pane, expand Behaviors.
  4. Choose one of the following custom behaviors:

Login

This behavior allows you to define login endpoints that aid in creating the user session.

Fields:

Login
  Dropdown list box: behavior on login.

Login path
  Path to the login endpoint URL. Relative or fully qualified depending on use. Executed after successful login.
  The URL must be unique across Login, Logout, and Error behaviors. Access Gateway doesn't support using the same URL for multiple behaviors. The URL can't overlap with an existing defined policy. See Manage application policy.

Login supports the following dropdown list values:

Don't define login behavior
  Behavior: Default. No specialized login behavior.
  Login path: Not applicable.

Use Okta Access Gateway login page
  Behavior: When selected, Access Gateway shows the Auth Module login page. The Auth Module must refer to a previously defined Auth Module.
  Login path: Valid relative path in the protected application.

Use Application login page
  Behavior: When selected, use the associated unprotected path to an application-hosted login page.
  Login path: Valid relative path in the protected application.

Define a custom login URL
  Behavior: When selected, Access Gateway forwards the user to the Custom URL on login.
  Login path: Must contain a valid relative path in the protected application. The Custom URL must contain a valid fully qualified URL, executed after successful login.

Logout

This behavior allows you to define logout endpoints that aid in destroying user sessions.

Access Gateway uses the primary email address from the Okta org to create and identify the user session. For security reasons, Okta recommends that you never use the same primary email address in multiple user accounts. Instead, use a unique primary email address for each user account. This prevents all user accounts with the same primary email address in their profile from having their session terminated if any one of those users signs out, or if their session is terminated by Okta, such as when Universal Logout is enabled.

Fields:

Logout
  Dropdown list box: behavior on logout.

Logout path
  Path to the relative endpoint URL. Redirect to this path on logout as defined by the Logout dropdown.
  The URL must be unique across Login, Logout, and Error behaviors. Access Gateway doesn't support using the same URL for multiple behaviors. The URL can't overlap with an existing defined policy. See Manage application policy.

Single Logout
  • Enabled (default): Destroy both the Access Gateway and Okta sessions.
  • Disabled: Destroy the Access Gateway session only.

Universal Logout
  • Enabled: Destroy all of the user's sessions in all applications, and all Access Gateway sessions. Users must sign back in to use Access Gateway or their applications. Universal Logout doesn't sign the user out of Okta.
  • Disabled (default): No sessions are destroyed.

Post Logout URL
  Only shown when Define a custom logout URL is selected.

Logout supports the following dropdown list values:

Show Logout page
  Behavior: Default. Reset Okta and Access Gateway sessions based on the value of the Single Logout toggle.
  End page displayed: After session cleanup, the Access Gateway logout page, showing that the logout was successful.

Show Login page
  Behavior: When selected, reset Okta and Access Gateway sessions based on the value of Single Logout.
  End page displayed: After session cleanup, Access Gateway:
    • Single Logout enabled: Displays the Okta sign-in page.
    • Single Logout disabled: Redirects back to the Access Gateway logout page.

Use Application Logout page
  Behavior: When selected, destroy Okta and Access Gateway sessions based on the value of the Single Logout toggle. The value of the Logout path must be a valid relative path in the protected application.
  End page displayed: After session cleanup, Access Gateway displays the page specified by the Logout path field.
  You can use this option if your application already has a logout page, or if custom logic is required for actions taken after the end user logs out, for example clearing sessions in a third-party service or writing to an external audit log.

Define a custom Logout URL
  Behavior: When selected, destroy Okta and Access Gateway sessions based on the value of Single Logout. The value of the Logout path must be a fully qualified URL.
  End page displayed: The Post Logout URL that end users are directed to after logging out. By default, this is the Post Login value. On logout, Access Gateway redirects to the specified Post Logout URL; before redirecting to this URL, the Access Gateway and Okta sessions are destroyed based on the specified SLO behavior.

Don't define any logout behavior
  Behavior: Neither the Access Gateway app session nor the Okta session is destroyed on logout.
  End page displayed: N/A

(Figure: Logout state transitions)

Post Logout URL

The default URL that end users are directed to after logout. This defaults to the Post Login value.

Enable the field and enter an appropriate URL. You can use it to redirect the user to a central logout page hosted by the customer, to direct the end user back to your company's home page, or similar.

Error

This behavior allows you to define error endpoints to call when errors occur. Error behavior can be used to redirect the user to a central logout page hosted by the customer, to direct the end user back to the home page of your company, or something similar.

Fields:

Error
  Dropdown list: behavior on error.

Error path
  Path to the error endpoint URL. It may be relative or fully qualified depending on use.
  The URL must be unique across Login, Logout, and Error behaviors. Access Gateway doesn't support using the same URL for multiple behaviors. The URL can't overlap with an existing defined policy. See Manage application policy.

Error supports the following dropdown list values:

Use Okta Access Gateway error page
  Behavior: Default. Define an error path for this application. By default, it shows the generic Access Gateway error page.
  Error path: Not applicable.

Use Application error page
  Behavior: When selected, it displays an application-hosted error page. The Error path must be a valid path in your application.
  Error path: Valid relative path that must exist in the protected application.

Define a custom error URL
  Behavior: When selected and the error path is called, it redirects the end user to the specified custom Error path URL. In addition to the Error path, enter a fully qualified URL that is used as an error handler. Typically used to execute an error flow.
  Error path: The Custom URL must contain a valid fully qualified URL.

Don't define any Error Behavior
  Behavior: When selected, Access Gateway doesn't provide any error behavior.
  Error path: Not applicable.
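The Login, Logout, and Error tables above share three path constraints: each behavior's path must be relative or fully qualified depending on the dropdown choice, no URL may serve more than one behavior, and no URL may overlap an existing application policy. The following pre-check is an added example, not Access Gateway code: the class, field and function names are assumptions, and "overlap" is interpreted as one path being a segment-prefix of the other, which the page does not define.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Constructed model of the Login, Logout and Error behavior settings described
# above. Class, field and function names are assumptions, not Access Gateway's.
@dataclass
class Behaviors:
    login: str
    login_path: str
    logout: str
    logout_path: str
    error: str
    error_path: str

# Dropdown values (from the tables above) whose path must be a fully
# qualified custom URL rather than a relative path in the protected app.
CUSTOM_URL = {"Define a custom login URL", "Define a custom Logout URL",
              "Define a custom error URL"}
# Dropdown values for which the tables mark the path as not applicable.
NO_PATH = {"Don't define login behavior", "Don't define any logout behavior",
           "Don't define any Error Behavior", "Use Okta Access Gateway error page"}

def is_fully_qualified(url: str) -> bool:
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.netloc)

def overlaps(path: str, policy_path: str) -> bool:
    # Assumption: "overlap" means one path is a segment-prefix of the other.
    a, b = path.rstrip("/") or "/", policy_path.rstrip("/") or "/"
    return a == b or a.startswith(b + "/") or b.startswith(a + "/")

def validate(cfg: Behaviors, policy_paths: list) -> list:
    """Return the constraint violations found; an empty list means the config passes."""
    problems, seen = [], {}
    for name, choice, path in (("Login", cfg.login, cfg.login_path),
                               ("Logout", cfg.logout, cfg.logout_path),
                               ("Error", cfg.error, cfg.error_path)):
        if choice in NO_PATH:
            continue
        fq = is_fully_qualified(path)
        if choice in CUSTOM_URL and not fq:
            problems.append(f"{name}: {path!r} must be a fully qualified URL")
        elif choice not in CUSTOM_URL and (fq or not path.startswith("/")):
            problems.append(f"{name}: {path!r} must be a relative path in the protected application")
        # The same URL may not serve more than one of the three behaviors.
        if path in seen:
            problems.append(f"{name}: {path!r} is already used by {seen[path]}")
        seen.setdefault(path, name)
        # Behavior endpoints may not overlap an existing application policy path.
        rel = urlparse(path).path if fq else path
        problems += [f"{name}: {path!r} overlaps policy {pp!r}" for pp in policy_paths if overlaps(rel, pp)]
    return problems
```

Run `validate(...)` against the dropdown values and paths you intend to enter, with the application's policy paths from Manage application policy, before saving the behaviors in the Admin UI.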

(Figure: Error state transitions)

No Session/Session Expired

This behavior allows you to define the end user experience when the Access Gateway has no session or the current session expires for this application.

Dropdown list values:

Redirect to IDP
  Default. The end user is redirected to Okta to be re-authenticated. If their Okta session is still active, the end user is silently redirected back to the application with a refreshed application session.

Force reauthentication at IDP
  When selected, it redirects the end user to Okta for authentication. The end user is asked to reauthenticate, even if their Okta session is active.

Show default no session page
  When selected, it displays the default Access Gateway no session page.

Redirect to custom URL
  When selected, it redirects the end user to a specified custom URL. The Custom URL/URI must specify a valid URL.

(Figure: Session state transitions)

Policy Denied

This behavior allows you to define the end user experience when Access Gateway denies access to a resource in the case of a policy failure.

Dropdown list values:

Show default policy failure page
  Default. Displays the default Access Gateway policy failure page.

Return 403 status code
  When selected, returns a blank page with an HTTP 403 status code.

Redirect to custom URL
  When selected, redirects the end user to a specified custom URL on policy denied. The Custom URL/URI must specify a valid URL.

Session Integrity Failed

This behavior allows you to define the end user experience when Access Gateway detects a session integrity failure. This is common when end users change networks while maintaining an active application session: Access Gateway includes the remote IP address in the session fingerprint and denies access when it no longer matches.

Dropdown list values:

Show default Security warning page
  Default. Displays the default Access Gateway security warning page.

Return 405 status code
  When selected, it returns a blank page with an HTTP 405 status code.

Redirect to IDP
  When selected, it redirects the end user to a specified custom URL on a session integrity error. The Custom URL/URI must specify a valid URL.

Force reauthentication at IDP
  Forces the end user to re-authenticate. Once re-authenticated, the end user is signed back into the application through SSO.

Do not enforce
  Don't enforce session integrity.

Certificate validation behavior

Certificate validation behavior is an Early Access feature. To enable it, contact Okta Support.

This behavior allows you to define the fields and behaviors used when validating requests using certificate chains.

By specifying incoming and outgoing certificate header fields, and a certificate behavior, you're implicitly defining that the associated application uses Client Certificate chains for additional authentication.

Fields:

Client Certificate Validation Failed
  Dropdown list: behavior on client certificate validation failure.

Custom URL/URI
  Path to a custom endpoint. Relative or fully qualified depending on use. Executed only on redirect to a Custom URL.

Incoming Header Field Name
  The header attribute containing the PEM format certificate. The value in this attribute is compared to the certificate chain certificates.

Outgoing Header Field Name
  The header attribute used to contain the certificate after validation. The value of the incoming header field is copied to the value of this header field on redirect to the requested backend resource.

Client Certificate Validation Failed supports the following dropdown list values:

Disable certificate checking
  Default. Certificate checking is disabled for this application.

Redirect the end user to a custom URL
  On certificate validation failure, redirect to the URL/URI listed in the Custom URL/URI field.

Return a blank page with an HTTP 405 status code
  On certificate validation failure, redirect to a blank (empty) page and return the HTTP 405 status to the caller.

Present a default error page with an "Invalid certificate" message
  On certificate validation failure, display the Invalid certificate error page to the end user.

Application Maintenance

This behavior allows you to define the end user experience when the application is in maintenance mode.

Dropdown list values:

Default Application Maintenance page
  Default. Displays the default Okta Access Gateway application maintenance page.

Redirect to custom URL
  When selected, it redirects the end user to a specified custom URL when the application is in maintenance mode. The Custom URL/URI must specify a valid URL.

Application Inactive

This behavior allows you to define the end user experience when the application is in inactive mode.

Dropdown list values:

Default Application inactive page
  Default. Displays the default Access Gateway application inactive page.

Redirect to custom URL
  When selected, it redirects the end user to a specified custom URL when the application is inactive. The Custom URL/URI must specify a valid URL.

Application Offline

This behavior allows you to define the end user experience when the application is detected as offline.

Dropdown list values:

Default Application inactive page
  Default. Displays the default Access Gateway application offline page.

Redirect to custom URL
  When selected, it redirects the end user to a specified custom URL when the application is offline. The Custom URL/URI must specify a valid URL.