Select Services rule set

The rules in this rule set retrieve the specified list of cloud services, which the authenticated user or users of a shared account are allowed to access. The list and other information that you configure using the rules in this rule set are then available to the module for other SSO operations.

Nested library rule set – Select Services
Criteria – Always
Cycles – Requests (and IM)

This rule set contains the following rules.

Add default SSO services (individual accounts)

Rule element – Definition
Criteria – Authentication.IsAuthenticated equals true AND String.IsEmpty(Authentication.UserName) equals false
Action – Continue
Events – SSO.AddServices ("defaultIDP", Authentication.UserName, Default SSO Services, {"label":"Individual", "permit-usage":"yes", "permit-management":"yes"})<Default>

If the user is authenticated, the Single Sign On module retrieves the specified list of cloud services, which the user is then allowed to access.

The Single Sign On module executes the event with the following properties and settings:

  • "defaultIDP" — Specifies the domain in the credential store where user account information is stored.
  • Authentication.UserName — Specifies the name of the authenticated user.
  • Default SSO Services — Specifies a list of services that the authenticated user is allowed to access.
  • The following options form one parameter in JSON format:
    • "label" — Specifies the type of account: individual or shared.
    • "permit-usage" — Allows you to permit, deny, or require OTP authentication for access to the services on the list by the authenticated user. To configure access, specify the following values respectively: "yes", "no", or "otp".
    • "permit-management" — Allows you to permit, deny, or require OTP authentication for access to account management functions by the authenticated user. To configure access, specify the following values respectively: "yes", "no", or "otp".
  • <Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.

Add OTP secured SSO services (individual accounts, use after OTP authentication)

Rule element – Definition
Criteria – Authentication.IsAuthenticated equals true AND String.IsEmpty(Authentication.UserName) equals false
Action – Continue
Events – SSO.AddServices ("defaultIDP", Authentication.UserName, OTP Secured SSO Services, {"label":"Individual", "permit-usage":"otp", "permit-management":"otp"})<Default>

If the user is authenticated, the Single Sign On module retrieves the specified list of cloud services. The user is allowed to access or manage these OTP-secured services after authenticating again with a one-time password entered on the launchpad.

The module executes the event with the following properties and settings:

  • "defaultIDP" — Specifies the domain in the credential store where user account information is stored.
  • Authentication.UserName — Specifies the name of the authenticated user.
  • OTP Secured SSO Services — Specifies a list of services that the authenticated user is allowed to access after authenticating again with a one-time password.
  • The following options form one parameter in JSON format:
    • "label" — Specifies the type of account: individual or shared.
    • "permit-usage" — Allows you to require OTP authentication for access to the services on the list by the authenticated user. Value: "otp"
    • "permit-management" — Allows you to require OTP authentication for access to account management functions by the authenticated user. Value: "otp"
  • <Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.

Add shared SSO services (shared accounts)

Rule element – Definition
Criteria – Always
Action – Continue
Events – SSO.AddServices ("defaultIDP", "sharedAccounts", Shared SSO Services, {"label":"Shared", "permit-usage":"yes", "permit-management":"yes"})<Default>

The Single Sign On module retrieves the specified list of cloud services, which authenticated users of the shared account are then allowed to access.

The module executes the event with the following properties and settings:

  • "defaultIDP" — Specifies the domain in the credential store where user account information is stored.
  • "sharedAccounts" — Specifies a shared account.
  • Shared SSO Services — Specifies a list of services that authenticated users of the shared account are allowed to access.
  • The following options form one parameter in JSON format:
    • "label" — Specifies the type of account: individual or shared.
    • "permit-usage" — Allows you to permit, deny, or require OTP authentication for access to the services on the list by users of the shared account. To configure access, specify the following values respectively: "yes", "no", or "otp".
    • "permit-management" — Allows you to permit, deny, or require OTP authentication for access to account management functions by users of the shared account. To configure access, specify the following values respectively: "yes", "no", or "otp".
  • <Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.
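As an added illustration, not code from the Web Gateway product or from this documentation: a small Python model of the three SSO.AddServices rules above. It evaluates the criteria the way the rules state them, assembles the JSON options parameter with the values the descriptions allow ("yes", "no", "otp"), and shows how a "permit-usage":"otp" entry differs from "yes" and "no" when an access decision is made. AuthContext, ServiceEntry, access_permitted, the sample service lists and the user name are assumptions made for the example.

```python
import json
from dataclasses import dataclass

# Values that "permit-usage" and "permit-management" accept (from the rule descriptions).
PERMIT_VALUES = ("yes", "no", "otp")
LABELS = ("Individual", "Shared")

# Constructed sample lists standing in for the configured service lists (hypothetical names).
DEFAULT_SSO_SERVICES = ["crm-example", "wiki-example"]
OTP_SECURED_SSO_SERVICES = ["payroll-example"]
SHARED_SSO_SERVICES = ["support-desk-example"]


@dataclass
class AuthContext:
    """Hypothetical stand-in for the Authentication.* properties the criteria read."""
    is_authenticated: bool
    user_name: str = ""


@dataclass
class ServiceEntry:
    """One SSO.AddServices call as the module would receive it."""
    domain: str      # "defaultIDP": domain in the credential store
    account: str     # Authentication.UserName, or "sharedAccounts" for the shared rule
    services: list   # the configured service list passed to the event
    options: dict    # the JSON parameter: label, permit-usage, permit-management


def permit_value_is_valid(value):
    """True when a permit option carries one of the documented values."""
    return value in PERMIT_VALUES


def build_options(label, permit_usage, permit_management):
    """Assemble the JSON options parameter, rejecting values the rules do not document."""
    if label not in LABELS:
        raise ValueError(f"label must be one of {LABELS}, got {label!r}")
    for name, value in (("permit-usage", permit_usage), ("permit-management", permit_management)):
        if not permit_value_is_valid(value):
            raise ValueError(f"{name} must be one of {PERMIT_VALUES}, got {value!r}")
    return {"label": label, "permit-usage": permit_usage, "permit-management": permit_management}


def individual_criteria(ctx):
    """Authentication.IsAuthenticated equals true AND String.IsEmpty(Authentication.UserName) equals false."""
    return ctx.is_authenticated and ctx.user_name != ""


def select_services(ctx, default_services, otp_services, shared_services):
    """Run the three AddServices rules in the order of the rule set and collect their event calls."""
    entries = []
    if individual_criteria(ctx):
        # Add default SSO services (individual accounts)
        entries.append(ServiceEntry("defaultIDP", ctx.user_name, list(default_services),
                                    build_options("Individual", "yes", "yes")))
        # Add OTP secured SSO services (individual accounts)
        entries.append(ServiceEntry("defaultIDP", ctx.user_name, list(otp_services),
                                    build_options("Individual", "otp", "otp")))
    # Add shared SSO services: Criteria is Always, so this runs for every request
    entries.append(ServiceEntry("defaultIDP", "sharedAccounts", list(shared_services),
                                build_options("Shared", "yes", "yes")))
    return entries


def access_permitted(entry, action, otp_verified=False):
    """Interpret a permit option: "yes" allows, "no" denies, "otp" allows only after a fresh OTP."""
    key = {"usage": "permit-usage", "management": "permit-management"}[action]
    value = entry.options[key]
    if value == "yes":
        return True
    if value == "no":
        return False
    return otp_verified  # "otp": the user must authenticate again on the launchpad


def event_parameters(entry):
    """Render the call the way the rule shows it, with the options serialized as JSON."""
    return (entry.domain, entry.account, entry.services,
            json.dumps(entry.options, separators=(",", ":")))


if __name__ == "__main__":
    ctx = AuthContext(is_authenticated=True, user_name="alice")  # constructed user
    for entry in select_services(ctx, DEFAULT_SSO_SERVICES, OTP_SECURED_SSO_SERVICES, SHARED_SSO_SERVICES):
        print("SSO.AddServices", event_parameters(entry))
        print("  usage without OTP:", access_permitted(entry, "usage"),
              "| usage after OTP:", access_permitted(entry, "usage", otp_verified=True))
```

The model keeps the shared rule unconditional because its criteria are Always; an unauthenticated request therefore still yields the shared entry while both individual entries are skipped.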

Handle single sign on using memorable hosts

Rule element – Definition
Criteria – Map.HasKey (SSO Host to Service ID mapping, URL.Host) equals true
Action – Redirect
Events – Set Redirect.URL = "http://" + SSO.ManagementHost<Default> + "/login?service=" + Map.GetStringValue (SSO Host to Service ID mapping, URL.Host)

If the SSO Host to Service ID Mapping includes the host name configured for the requested cloud service, the request is redirected to the URL configured for that service.

The Single Sign On module constructs the redirect URL from the specified string values and the following properties and settings:

  • SSO.ManagementHost — Specifies the host name of the SSO service provided by Web Gateway.
  • <Default> — Specifies settings for connecting to the SSO service provided by Web Gateway.
  • Map.GetStringValue (SSO Host to Service ID Mapping, URL.Host) — Looks up the host name of the requested service in the SSO Host to Service ID map and returns the Service ID of that service.
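As an added illustration, not code from the Web Gateway product or from this documentation: a Python model of the memorable-hosts rule above. It applies the Map.HasKey criteria to the requested host, looks up the Service ID the way Map.GetStringValue does, and builds Redirect.URL from the same string pieces the rule uses. The sample map, the management host name and the bare-host guard are assumptions made for the example; the rule itself concatenates the Service ID as-is, and the example percent-encodes it so reserved characters cannot alter the query.

```python
from urllib.parse import quote

# Constructed sample of the "SSO Host to Service ID mapping" map (hypothetical hosts and IDs).
SSO_HOST_TO_SERVICE_ID = {
    "crm.sso.example": "crm-example",
    "wiki.sso.example": "wiki-example",
}

# Stand-in for SSO.ManagementHost<Default> (hypothetical name).
MANAGEMENT_HOST = "sso-gateway.example"


def memorable_host_redirect(url_host, mapping=SSO_HOST_TO_SERVICE_ID, management_host=MANAGEMENT_HOST):
    """Apply 'Handle single sign on using memorable hosts' to one request.

    Returns the redirect URL when the criteria match, or None when the rule does not
    apply and the request continues to the next rule unchanged.
    """
    # Criteria: Map.HasKey (SSO Host to Service ID mapping, URL.Host) equals true
    if url_host not in mapping:
        return None
    # Map.GetStringValue (...) returns the Service ID stored for the host
    service_id = mapping[url_host]
    # Guard added for the example (not part of the rule): the management host must be a
    # bare host name, otherwise the concatenation could produce a different path or authority.
    if any(ch in management_host for ch in "/?#@ \t"):
        raise ValueError("SSO.ManagementHost must be a bare host name")
    # Redirect.URL = "http://" + SSO.ManagementHost + "/login?service=" + Service ID;
    # the scheme and path are copied from the rule, the ID is percent-encoded here.
    return "http://" + management_host + "/login?service=" + quote(service_id, safe="")


if __name__ == "__main__":
    for host in ("crm.sso.example", "wiki.sso.example", "unknown.example"):
        target = memorable_host_redirect(host)
        print(host, "->", "Redirect " + target if target else "rule not applicable")
```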