Rule-Based Authentication

Rule-based authentication uses an ordered list of authentication rules to support multiple-realm, multiple-domain, and other special authentication requirements. When a request is processed, the rule list is traversed top to bottom, and the first matching rule is applied.

Authentication rules specify:

  1. How to match a user. By:
    • IP address
    • Inbound proxy port (explicit proxy only)
    • User-Agent value
    • A combination of the above
  2. The domain or ordered list of domains to authenticate against.

    With a list of domains, the first successful authentication is cached and used in subsequent authentications. If IP address caching is configured, the IP address is cached. If Cookie Mode is configured, the cookie (user) is cached.

  3. Whether a customizable web portal page should be used for authentication.

In rule-based authentication, only the first matching rule is tried. If authentication is unsuccessful, no further authentication is attempted.

Rule-based authentication is designed to meet these special requirements:

  • Multiple realm networks: Rule-based authentication supports multiple realm networks in which domains do not share trust relationships and therefore require that each domain’s members be authenticated by a domain controller within their domain. In this environment rules are created that specify:
    • Members of the realm (untrusted domain) by IP address or proxy port
    • The realm (domain) they belong to
  • Authentication when domain membership is unknown: Some organizations do not always know what domain a user belongs to. For example, this can happen when organizations acquire new businesses and directory services are not mapped or consolidated. The unknown domain membership problem can be handled in rule-based authentication by creating a rule for IP address lists or ranges that specifies an ordered list of domains to attempt to authenticate against. The first successful authentication is remembered and used in later authentications. If authentication is not successful or the browser times out, no authentication is performed.
  • Authentication based on User-Agent value: One or more User-Agent values can be specified in an authentication rule. Often this is a list of browsers. When the User-Agent value matches a rule, authentication is performed against the specified domain(s). If the User-Agent value doesn’t match any rule and no rule matches based on other values, no authentication is performed (this is always true in rule-based authentication; if no rule matches, no authentication is performed).
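The first-match traversal, combination matching, ordered domain list and IP address caching described above, as an added example that is not the product's own code: the Rule and RuleBasedAuthenticator classes, the stub directory and the rule values are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    domains: list                                      # ordered list of domains to try
    networks: list = field(default_factory=list)       # IP addresses/ranges; empty = any
    ports: set = field(default_factory=set)            # inbound proxy ports; empty = any
    user_agents: list = field(default_factory=list)    # User-Agent substrings; empty = any

    def matches(self, ip, port, user_agent):
        # Every criterion set on the rule must hold (a "combination" rule).
        if self.networks and not any(ip_address(ip) in ip_network(n) for n in self.networks):
            return False
        if self.ports and port not in self.ports:
            return False
        if self.user_agents and not any(ua in user_agent for ua in self.user_agents):
            return False
        return True

class RuleBasedAuthenticator:
    def __init__(self, rules, try_domain):
        self.rules = rules            # ordered: traversed top to bottom, first match wins
        self.try_domain = try_domain  # (domain, ip) -> True if that domain authenticates the user
        self.ip_cache = {}            # IP address caching: ip -> first domain that succeeded
        self.attempts = []            # (ip, domain) lookups actually made, for inspection

    def authenticate(self, ip, port, user_agent):
        rule = next((r for r in self.rules if r.matches(ip, port, user_agent)), None)
        if rule is None:
            return None               # no rule matches: no authentication is performed
        # A cached IP re-tries only the domain that succeeded before, not the whole list.
        candidates = [self.ip_cache[ip]] if ip in self.ip_cache else rule.domains
        for domain in candidates:
            self.attempts.append((ip, domain))
            if self.try_domain(domain, ip):
                self.ip_cache[ip] = domain
                return domain
        return None                   # unsuccessful: no further rule is tried

# Constructed stub directory: which domain will authenticate which client address.
DIRECTORY = {"corp-a.example": {"10.1.5.5"}, "corp-b.example": {"10.1.2.3"},
             "legacy.example": {"192.168.1.5"}}

def stub_try_domain(domain, ip):
    return ip in DIRECTORY.get(domain, set())

RULES = [  # constructed rule list: an untrusted-realm rule, then a User-Agent/port rule
    Rule(domains=["corp-a.example", "corp-b.example"], networks=["10.1.0.0/16"]),
    Rule(domains=["legacy.example"], ports={8080}, user_agents=["Mozilla"]),
]
```

Because only the first matching rule is tried, a 10.1.x.x client whose domains all fail is left unauthenticated even when a later rule would also have matched it.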

For use-case examples, see Rule-based authentication use cases.

Note:

If all the users in your network can be authenticated by domain controllers that share trust relationships, you probably don’t need rule-based authentication.

However, the option is well suited to single-domain environments that may benefit from multiple rules based on IP addresses, inbound proxy port (explicit proxy), and/or User-Agent values.