Get Login Action rule set

This rule set retrieves information about the connector to the requested cloud service or application. For HTTP cloud connectors, processing of the rule set then stops. For other cloud connectors, the rule set checks whether the user has the right to access the requested cloud service or application.

Nested library rule set – Get Login Action
Criteria – SSO.Action<Default> equals "GetLoginAction"
Cycles – Requests (and IM)

This rule set contains the following rules.

Get connector info

Rule element Definition
Criteria Always
Action Continue
Events Set User-Defined.sso-conn-info = SSO.GetConnectorInfo (String.ToSSOConnector (URL.GetParameter ("service")))

The Single Sign On module retrieves information about the connector to the service the user is requesting and stores it as a JSON object in a local variable named sso-conn-info. This information includes the following:

  • Name (string) — Specifies a user-defined name for the cloud connector.
  • Service ID (string) — Uniquely identifies the cloud service or application.
  • Type (string) — Specifies the authentication method used by the cloud service.

    Values: HTTP, SAML2

  • Inline (Boolean) — If true, the cloud connector supports a dynamic HTTP cloud service, which requires single sign-on in proxy or inline mode.
  • Deprecated (Boolean) — If true, the cloud connector is no longer supported.

Stop rule set for form based logins

Rule element Definition
Criteria JSON.AsString (JSON.GetByName (User-Defined.sso-conn-info, "type")) equals "http"

Action Stop Rule Set
Events None

If the cloud connector type is HTTP, this rule stops the Get Login Action rule set.

Validate user's access permissions

Rule element Definition
Criteria SSO.UserHasAccessToService (URL.GetParameter ("realm"), URL.GetParameter ("user"), URL.GetParameter ("service"), "usage")<Default> equals false

Action Block<SSO: User Has No Access To Service>
Events None

This rule checks the "service" and "usage" parameters to verify that the user has the right to access the requested service or application. If the "service" parameter is empty or the "usage" parameter is set to "no", this rule blocks access to the requested service.

This rule is executed with the following settings:

  • <Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.
  • <SSO: User Has No Access To Service> — Specifies the language and template settings used to generate the block message for the user.
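The following Python model is an added example, not Web Gateway code or rule syntax. It walks the three rules in order so that the outcome for each kind of request can be checked, including the HTTP case that leaves the rule set before the access check runs. The connector catalog, entitlement table, JSON key names other than "type", lowercase type values, and both helper functions are assumptions standing in for the SSO module.

```python
import json

# Constructed sample data (assumptions): connector catalog and user entitlements.
# Only the "type" key appears in the rule criteria; other key names are made up.
CONNECTORS = {
    "webmail": {"name": "Webmail", "serviceId": "webmail", "type": "http",
                "inline": False, "deprecated": False},
    "crm": {"name": "CRM", "serviceId": "crm", "type": "saml2",
            "inline": False, "deprecated": False},
}
ENTITLEMENTS = {("corp", "alice"): {"crm"}}


def get_connector_info(service):
    """Hypothetical stand-in for SSO.GetConnectorInfo: returns JSON text."""
    return json.dumps(CONNECTORS.get(service, {}))


def user_has_access(realm, user, service):
    """Hypothetical stand-in for SSO.UserHasAccessToService.
    Modelled so that an empty service never grants access."""
    return bool(service) and service in ENTITLEMENTS.get((realm, user), set())


def get_login_action(params):
    """Evaluate the three rules in order; return (outcome, rules that applied)."""
    applied = []
    service = params.get("service", "")
    # Rule 1: criteria Always, action Continue; the event stores sso-conn-info.
    sso_conn_info = json.loads(get_connector_info(service))
    applied.append("Get connector info")
    # Rule 2: an HTTP connector stops the rule set, so rule 3 is never reached.
    if sso_conn_info.get("type") == "http":
        applied.append("Stop rule set for form based logins")
        return "stop-rule-set", applied
    # Rule 3: block when the access check returns false.
    if not user_has_access(params.get("realm", ""), params.get("user", ""), service):
        applied.append("Validate user's access permissions")
        return "block", applied
    return "continue", applied


if __name__ == "__main__":
    for p in ({"realm": "corp", "user": "bob", "service": "webmail"},
              {"realm": "corp", "user": "alice", "service": "crm"},
              {"realm": "corp", "user": "bob", "service": "crm"},
              {"realm": "corp", "user": "alice", "service": ""}):
        print(p, "->", get_login_action(p))
```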