

Create a Global Rule for Authentication Events

You create a global rule for authentication events to control actions that occur when users authenticate to gain access to a resource.

To create a global rule

  1. Click Policies, Global.
  2. Click Global Rule, Create Global Rule.

    The Create Global Rule pane appears.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  3. Enter the global rule name.
  4. Specify agent and resource settings in the Realm and Resource group box.

    Note: If you specify an Agent Group and have also configured domain-specific rules associated with the same resource, you may adversely affect system performance by effectively duplicating processing steps. Consider domain-specific rules that may duplicate the responses generated by global rules. In such cases, only one response is returned to the Agent because the Policy Server automatically deletes duplicate responses before passing information back to the requesting Agent.

  5. Select Authentication events from the Action group box.
  6. Select an OnAuth event from the Action List.
  7. Click Submit.

    The global rule is saved.

Global Rules for Authorization Events

Global rules that include SiteMinder authorization events allow SiteMinder to call responses based on whether a user is or is not authorized for the resource the user requested. Authorization events occur after a user is authenticated, if a rule that protects a resource contains an On-Access event. When the user has been granted or denied access based on their privileges, the appropriate event is triggered.

The following is a list of possible On-Access events:

On-Access-Accept

Occurs as the result of successful authorization. This event may be used to redirect users who are authorized to access a resource.

On-Access-Reject

Occurs as the result of failed authorization. This event may be used to redirect users who are not authorized to access a resource.

When a user is authorized (or rejected), the Policy Server passes any responses associated with the applicable On-Access rule back to the requesting Agent.

Policy Considerations for OnAccessReject Rules

Consider how the Policy Server processes global policies and the special circumstances created by OnAccessReject rules when creating global rules that include OnAccessReject events.

An OnAccessReject rule will not fire if it is in the same policy as a GET / POST rule. When a user is authenticated, SiteMinder resolves the identity of the user. Therefore, if the OnAccessReject rule and the GET / POST rule are in the same policy, then a user who is allowed access to a resource is the same user who should be redirected on an OnAccessReject event. Since the user is allowed access, the reject event never applies.

To resolve this discrepancy, create a separate policy for the OnAccessReject rule, which may include other event rules, and specify the users for which it should apply.

For example, in an LDAP user directory, User1 should have access to a resource and everyone else in the group, ou=People, o=company.com, should be redirected to an OnAccessReject page. Two policies are required:

Policy1

Includes a GET / POST rule that allows access for User1.

Policy2

Includes the OnAccessReject rule and a Redirect response, and specifies the group ou=People, o=company.com.

Since User1 is authorized, the OnAccessReject rule will not fire when User1 accesses the resource. However, the OnAccessReject rule will fire for all other users in the group, ou=People, o=company.com, because they are not authorized to access the resource.
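The following Python model is an added illustration of the two-policy example above; it is not SiteMinder's own code or evaluation algorithm. It assumes a simplified binding of user and group DNs to policies, a single Redirect response, and the duplicate-response removal described in the note under step 4.

```python
# Added example (not SiteMinder code): a simplified model of how policies
# bind users to rules, showing why an OnAccessReject rule in the same policy
# as the GET/POST rule never fires, while a separate policy bound to the
# wider group does. Binding and response handling are illustrative only.
from dataclasses import dataclass

PEOPLE = "ou=People, o=company.com"   # group from the page's example

@dataclass
class Rule:
    action: str          # "GET/POST" (access rule) or "OnAccessReject" (event rule)
    responses: tuple = ()

@dataclass
class Policy:
    name: str
    users: set           # user DNs or group DNs bound to this policy
    rules: list

@dataclass
class User:
    dn: str
    groups: frozenset = frozenset()

    def matches(self, binding):
        return binding == self.dn or binding in self.groups

def evaluate(policies, user):
    """Return (authorized, responses) for a request by `user`."""
    applicable = [p for p in policies if any(user.matches(b) for b in p.users)]
    # The user is authorized if any policy bound to them grants GET/POST access.
    authorized = any(r.action == "GET/POST" for p in applicable for r in p.rules)
    responses = []
    if not authorized:
        # OnAccessReject fires only from policies bound to the rejected user.
        for p in applicable:
            for r in p.rules:
                if r.action == "OnAccessReject":
                    responses.extend(r.responses)
    # The Policy Server drops duplicate responses before returning them.
    return authorized, tuple(dict.fromkeys(responses))

USER1 = User("uid=User1, " + PEOPLE, frozenset({PEOPLE}))   # constructed DNs
USER2 = User("uid=User2, " + PEOPLE, frozenset({PEOPLE}))
ACCESS = Rule("GET/POST")
REJECT = Rule("OnAccessReject", ("Redirect:/denied.html",))   # hypothetical target

# Wrong: both rules in one policy bound to User1 -> the reject never fires.
ONE_POLICY = [Policy("Policy1", {USER1.dn}, [ACCESS, REJECT])]
# Right: separate policy for the reject rule, bound to the whole group.
TWO_POLICIES = [Policy("Policy1", {USER1.dn}, [ACCESS]),
                Policy("Policy2", {PEOPLE}, [REJECT])]
```

Run `evaluate(ONE_POLICY, USER2)` and `evaluate(TWO_POLICIES, USER2)` to compare: only the second returns the Redirect response for a user outside Policy1.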