Access policies
We can use access policies to perform step-up and reauthentication during a single sign-on flow based on contextual information. Access policies can be enforced at a federation or at API Protection for OAuth and OpenID Connect. Access policies are defined as JavaScript. Example scenarios:
- Restrict SSO to applications based on user and group membership.
- Restrict SSO to applications based on devices, locations, and time.
- Require more authentication steps for SSO to sensitive applications. Examples include re-authentication through an SMS one-time password, or confirmation of a push notification to a mobile device.
- Enforce user authentication requirements as demanded by an application, through a service provider, to grant SSO.
Access policies can take contextual information as input:
- User information, such as user, groups, attributes
- Request information, such as HTTP headers, HTTP parameters, and cookies
- Single sign-on context, such as federation, partner, and authentication request. For OAuth and OpenID Connect the context includes Client ID, scope, response type, and other attributes.
Based on the contextual information, the administrator can choose from the following actions:
- Allow: The user is allowed SSO.
- Deny: The user is denied SSO.
- Challenge: The user must complete a challenge before SSO can proceed.
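The following is an added illustration of how a JavaScript access policy turns the contextual inputs above (user and groups, request cookies and time, single sign-on context such as client ID and scope) into one of the three actions. It is not the product's own policy API: the shape of the `ctx` object, the `evaluateAccessPolicy` function, and the constructed group names, client IDs, scopes and cookie marker are all assumptions made for this example.

```javascript
// Added example; the ctx shape (user, request, sso) is assumed, not the product API.
const Decision = Object.freeze({ ALLOW: "allow", DENY: "deny", CHALLENGE: "challenge" });

// Constructed policy settings (assumed values, not taken from the documentation).
const ALLOWED_GROUPS = new Set(["employees", "contractors"]); // groups permitted SSO at all
const SENSITIVE_CLIENTS = new Set(["payroll-app"]);           // OIDC client IDs needing step-up
const SENSITIVE_SCOPE = "payroll:write";                      // OAuth scope needing step-up
const OFFICE_HOURS = { start: 8, end: 18 };                   // local hour; start inclusive, end exclusive
const STEP_UP_COOKIE = "mfa_ok";                              // assumed marker set once a challenge succeeds

function evaluateAccessPolicy(ctx) {
  const { user, request, sso } = ctx;

  // 1. Restrict SSO by group membership: deny users outside the allowed groups.
  if (!user.groups.some((g) => ALLOWED_GROUPS.has(g))) {
    return { action: Decision.DENY, reason: "user not in an allowed group" };
  }

  // 2. Restrict SSO by time: outside office hours only employees may sign on.
  const hour = request.time.getHours();
  const inOfficeHours = hour >= OFFICE_HOURS.start && hour < OFFICE_HOURS.end;
  if (!inOfficeHours && !user.groups.includes("employees")) {
    return { action: Decision.DENY, reason: "contractor SSO outside office hours" };
  }

  // 3. Step-up for sensitive applications: a sensitive client or scope requires a
  //    completed challenge (here signalled by the assumed cookie marker).
  const sensitive = SENSITIVE_CLIENTS.has(sso.clientId) || sso.scopes.includes(SENSITIVE_SCOPE);
  if (sensitive && request.cookies[STEP_UP_COOKIE] !== "true") {
    return { action: Decision.CHALLENGE, reason: "step-up required", mechanism: "push-notification" };
  }

  // 4. Honour an authentication level demanded by the service provider partner.
  if (sso.requestedAuthLevel > user.authLevel) {
    return { action: Decision.CHALLENGE, reason: "partner requested stronger authentication" };
  }

  return { action: Decision.ALLOW, reason: "policy satisfied" };
}

// Constructed sample context for trying the policy offline (not a real request).
function sampleContext(overrides = {}) {
  return {
    user: { name: "alice", groups: ["employees"], authLevel: 1 },
    request: { headers: {}, cookies: {}, time: new Date(2024, 0, 15, 10, 0) },
    sso: { federation: "corp-idp", partner: "hr-sp", clientId: "intranet", scopes: ["openid"], requestedAuthLevel: 1 },
    ...overrides,
  };
}
```

Each rule returns as soon as it decides, so ordering matters: deny rules run before step-up rules so a user who would be denied anyway is never prompted for a challenge.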
After an access policy is defined, it can be applied to and enforced on the following types of deployments:
- SAML 2.0 identity provider federation
- SAML 2.0 service provider partner to an identity provider federation
- OpenID Connect and API Protection Definition
Access policies cannot be applied to or used by the following deployments:
- SAML 2.0 service provider federation
- SAML 2.0 identity provider partner to a service provider federation
- OpenID Connect and API Protection Client
- OpenID Connect Relying Party
For more information, see Create an access policy and the related topics:
- Create an access policy
- Access policy development
- Template files for access policies
- Manage access policies
- Sample file for Access Policies