11. In the User Identity section, specify how the SA Series Appliance and the SAML Web service should identify the user:
    - Subject Name Type—Specify which method the SA Series Appliance and SAML Web service should use to identify the user:
        - DN—Send the username in the format of a DN (distinguished name) attribute.
        - Email Address—Send the username in the format of an email address.
        - Windows—Send the username in the format of a Windows domain qualified username.
        - Other—Send the username in another format agreed upon by the SA Series SSL VPN Appliance and the SAML Web service.
    - Subject Name—Use variables to specify the username to the SAML Web service. Or, enter static text.
      NOTE: You must send a username or attribute that the SAML Web service will recognize.
    - Device Issuer—Enter a name that uniquely identifies the SAML authority, such as the device hostname.
12. In the Options section, specify:
    - Maximum Cache Time—You can eliminate the overhead of generating an authorization decision each time the user requests the same URL by indicating that the SA Series SSL VPN Appliance must cache the access management system’s authorization responses. Enter the amount of time the SA Series SSL VPN Appliance should cache the responses (in seconds).
    - Ignore Query Data—By default, when a user requests a resource, the SA Series SSL VPN Appliance sends the entire URL for that resource (including the query parameter) to the SAML Web service and caches the URL. You can specify that the SA Series SSL VPN Appliance should remove the query string from the URL before requesting authorization or caching the authorization response.
13. Click Save Changes.
14. On the SAML Access Control Policies page, order the policies according to how you want the SA Series SSL VPN Appliance to evaluate them. Keep in mind that once the SA Series SSL VPN Appliance matches the resource requested by the user to a resource in a policy’s (or a detailed rule’s) Resource list, it performs the specified action and stops processing policies.
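
The Maximum Cache Time and Ignore Query Data options in step 12 change which requests an authorization decision covers and how long it outlives a change at the SAML Web service. The following is an added example, not code from the guide or the appliance: a simplified model in which the cache is keyed per user and URL (an assumption), with a constructed policy, user and URLs.

```python
import time
from urllib.parse import urlsplit, urlunsplit


class DecisionCache:
    """Simplified model (assumption) of caching SAML authorization responses."""

    def __init__(self, authorize, max_cache_time, ignore_query_data,
                 clock=time.monotonic):
        self.authorize = authorize              # callable(user, url) -> bool
        self.max_cache_time = max_cache_time    # seconds, as in Maximum Cache Time
        self.ignore_query_data = ignore_query_data
        self.clock = clock
        self.backend_calls = 0
        self._cache = {}                        # (user, url) -> (decision, expiry)

    def _normalize(self, url):
        # Ignore Query Data: drop the query string before asking and caching.
        if not self.ignore_query_data:
            return url
        p = urlsplit(url)
        return urlunsplit((p.scheme, p.netloc, p.path, "", ""))

    def is_allowed(self, user, url):
        key = (user, self._normalize(url))
        now = self.clock()
        cached = self._cache.get(key)
        if cached and now < cached[1]:
            return cached[0]                    # served without asking the service
        self.backend_calls += 1
        decision = self.authorize(user, key[1])
        if self.max_cache_time > 0:
            self._cache[key] = (decision, now + self.max_cache_time)
        return decision


def run_scenario(ignore_query_data):
    """Constructed scenario: the policy service denies the payroll view."""
    revoked = set()
    now = [0.0]                                 # fake clock, in seconds

    def authorize(user, url):
        return user not in revoked and "view=payroll" not in url

    cache = DecisionCache(authorize, 300, ignore_query_data, lambda: now[0])
    base = "https://intranet.example.com/report"
    results = {
        "sales": cache.is_allowed("alice", base + "?view=sales"),
        "payroll": cache.is_allowed("alice", base + "?view=payroll"),
    }
    revoked.add("alice")                        # access withdrawn at the service
    now[0] = 299
    results["after_revoke_cached"] = cache.is_allowed("alice", base + "?view=sales")
    now[0] = 301
    results["after_expiry"] = cache.is_allowed("alice", base + "?view=sales")
    results["backend_calls"] = cache.backend_calls
    return results
```

With `ignore_query_data=True` the payroll request is answered from the decision cached for the bare path, so any policy that depends on query parameters has to be enforced elsewhere; in both modes a revocation takes effect only after the cache time has elapsed.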
Copyright © 2012, Juniper Networks, Inc.
Chapter 8: Authentication and Directory Servers
Junos Pulse Secure Access Service Administration Guide

CHAPTER 9
Authentication Realms

- Authentication Realm Overview
- Creating an Authentication Realm
- Defining Authentication Access Policies
- Role Mapping Rules
- Specifying Role Mapping Rules for an Authentication Realm
- Using the LDAP Server Catalog
- Customizing User Realm UI Views

Authentication Realm Overview

An authentication realm specifies the conditions that users must meet in order to sign into the SA Series Appliance. A realm consists of a grouping of authentication resources, including:

- An authentication server—verifies that the user is who he claims to be. The SA forwards credentials that a user submits on a sign-in page to an authentication server.
- A directory server—an LDAP server that provides user and group information to the SA that the SA uses to map users to one or more user roles.
- An authentication policy—specifies realm security requirements that need to be met before the SA submits a user's credentials to an authentication server for verification.
- Role mapping rules—conditions a user must meet in order for the SA to map the user to one or more user roles. These conditions are based on either user information returned by the realm's directory server or the user's username.

Authentication realms are an integral part of the SA access management framework, and therefore are available on all Secure Access products. Note, however, that custom expressions are not available on the SA 700 appliance and are only available on all other Secure Access products by special license. Therefore, when creating a realm, not all administrators can create advanced role-mapping rules using custom expressions.

Related Documentation

- About Sign-In Policies on page 239
- Defining Authentication Access Policies on page 229
- Creating an Authentication Realm on page 228

Creating an Authentication Realm

To create an authentication realm:

1. In the admin console, choose Administrators > Admin Realms or Users > User Realms.
2. On the respective Authentication Realms page, click New. Or, select a realm and click Duplicate to base your realm on an existing realm.
3. Enter a name to label this realm and (optionally) a description.
4. If you are copying an existing realm, click Duplicate. Then, if you want to modify any of its settings, click the realm’s name to enter into edit mode.
5. Select When editing, start on the Role Mapping page if you want the Role Mapping tab to be selected when you open the realm for editing.
6. Under Servers, specify:
    - An authentication server to use for authenticating users who sign in to this realm.
    - A directory/attribute server to use for retrieving user attribute and group information for role mapping rules and resource policies. (optional)
    - A RADIUS accounting server to use to track when a user signs in and out of the Infranet Controller (optional).
7. If you want to submit secondary user credentials to an SSO-enabled resource or enable two-factor authentication to access the Secure Access device, select Additional authentication server. Then:
    a. Select the name of the secondary authentication server. Note that you cannot choose an anonymous server, certificate server, or eTrust SiteMinder server.
    b. Select Username is specified by user on sign-in page if you want to prompt the user to manually submit his username to the secondary server during the Secure Access sign-in process. Otherwise, if you want to automatically submit a username to the secondary server, enter static text or a valid variable in the predefined as field. By default, Secure Access submits the <username> session variable, which holds the same username used to sign in to the primary authentication server.
    c. Select Password is specified by user on sign-in page if you want to prompt the user to manually submit his password to the secondary server during the Secure Access sign-in process. Otherwise, if you want to automatically submit a password to the secondary server, enter static text or a valid variable in the predefined as field.
    d. Select End session if authentication against this server fails if you want to control access to Secure Access based on the successful authentication of the user’s secondary credentials. If selected, authentication fails if the user’s secondary credentials fail.
8. If you want to use dynamic policy evaluation for this realm, select Dynamic policy evaluation to enable an automatic timer for dynamic policy evaluation of this realm’s authentication policy, role mapping rules, and role restrictions. Then:
    a. Use the Refresh interval option to specify how often you want the Infranet Controller to perform an automatic policy evaluation of all currently signed in realm users. Specify the number of minutes (5 to 1440).
    b. Select Refresh roles to also refresh the roles of all users in this realm. (This option does not control the scope of the Refresh Now button.)
    c. Select Refresh resource policies to also refresh the resource policies (not including Meeting and Email Client) for all users in this realm. (This option does not control the scope of the Refresh Now button.)
    d. Click Refresh Now to manually evaluate the realm’s authentication policy, role mapping rules, role restrictions, user roles, and resource policies of all currently signed-in realm users. Use this button if you make changes to an authentication policy, role mapping rules, role restrictions, or resource policies and you want to immediately refresh the roles of this realm’s users.
9. Click Save Changes to create the realm on the Secure Access device. The General, Authentication Policy, and Role Mapping tabs for the authentication realm appear.
10. Perform the next configuration steps:
    a. Configure one or more role mapping rules.
    b. Configure an authentication policy for the realm.

Related Documentation

- Defining Authentication Access Policies on page 229
- Configuring User Sign In Policies on page 242
- Dynamic Policy Evaluation on page 65

Defining Authentication Access Policies

An authentication policy is a set of rules that controls one aspect of access management—whether or not to present a realm’s sign-in page to a user. An authentication policy is part of an authentication realm’s configuration, specifying rules for Secure Access to consider before presenting a sign-in page to a user. If a user meets the requirements specified by the realm's authentication policy, then Secure Access presents the corresponding sign-in page to the user and then forwards the user's credentials to the appropriate authentication server. If this server successfully authenticates the user, then Secure Access moves on to the role evaluation process.

To specify authentication realm access policies:

1. In the admin console, choose Administrators > Admin Realms or Users > User Realms.
2. On the respective Authentication Realms page, click a realm and then click the Authentication Policy tab.
3. On the Authentication Policy page, configure one or more of the access management options described in the Related Topics section.

Related Documentation

- Specifying Source IP Access Restrictions on page 67
- Specifying Password Access Restrictions on page 72
- Specifying Certificate Access Restrictions on page 71
- Specifying Browser Access Restrictions on page 69
- Specifying Session Limits on page 73

Role Mapping Rules

Role mapping rules are conditions a user must meet in order for Secure Access to map the user to one or more user roles. These conditions are based on either user information returned by the realm's directory server or the user's username. You must specify role mapping directives in the following format: <If the specified condition is|is not true, then map the user to the selected roles>.

You create a role mapping rule on the Role Mapping tab of an authentication realm. When you click New Rule on this tab, the Role Mapping Rule page appears with an inline editor for defining the rule. This editor leads you through the three steps of creating a rule:

1. Specify the type of condition on which to base the rule. Options include:
    - Username
    - User attribute
    - Certificate or certificate attribute
    - Group membership
    - Custom expressions
2. Specify the condition to evaluate, which consists of:
    - One or more usernames, user attributes, certificate attributes, groups (LDAP), or expressions depending on the type of condition you selected.
    - To what the value(s) should equate, which may include a list of usernames, user attribute values from a RADIUS or LDAP server, client-side certificate values (static or compared to LDAP attributes), LDAP groups, or pre-defined custom expressions.
3. Specify the roles to assign to the authenticated user.

Secure Access compiles a list of eligible roles to which a user may be mapped, which are roles specified by the role mapping rules to which the user conforms. Next, Secure Access evaluates the definition for each role to determine if the user complies with any role restrictions. Secure Access uses this information to compile a list of valid roles, which are roles for which the user meets any additional requirements. Finally, Secure Access either performs a permissive merge of the valid roles or presents a list of valid roles to the user, depending on the configuration specified on the realm’s Role Mapping tab.

Related Documentation

- User Roles Overview on page 93

Specifying Role Mapping Rules for an Authentication Realm

When creating a new rule that uses LDAP or SiteMinder user attributes, LDAP group information, or custom expressions, you must use the server catalog.

To specify role mapping rules for an authentication realm:

1. In the admin console, choose Administrators > Admin Realms or Users > User Realms.
2. On the respective Authentication Realms page, select a realm and then click the Role Mapping tab.
3. Click New Rule to access the Role Mapping Rule page. This page provides an inline editor for defining the rule.
4. In the Rule based on list, choose one of the following:
    - Username—Username is the Secure Access username entered on the sign-in page. Choose this option if you want to map users to roles based on their Secure Access usernames. This type of rule is available for all realms.
    - User attribute—User attribute is a user attribute from a RADIUS, LDAP, or SiteMinder server. Choose this option if you want to map users to roles based on an attribute from the corresponding server. This type of rule is available only for realms that use a RADIUS server for the authentication server, or that use an LDAP or SiteMinder server for either the authentication server or directory server. After choosing the User attribute option, click Update to display the Attribute list and the Attributes button. Click the Attributes button to display the server catalog.
        - To add SiteMinder user attributes, enter the SiteMinder user attribute cookie name in the Attribute field in the server catalog, and then click Add Attribute. When you are finished adding cookie names, click OK. Secure Access displays the names of the SiteMinder user attribute cookies in the Attribute list on the Role Mapping Rule page.
        - For information on how to use the server catalog to add LDAP user attributes.
    - Certificate or Certificate attribute—Certificate or Certificate attribute is an attribute supported by the users’ client-side certificate. Choose this option if you want to map users to roles based on certificate attributes. The Certificate option is available for all realms; the Certificate attribute option is available only for realms that use LDAP for the authentication or directory server. After choosing this option, click Update to display the Attribute text box.
    - Group membership—Group membership is group information from an LDAP or native Active Directory server that you add to the server catalog Groups tab. Choose this option if you want to map users to roles based on either LDAP or Active Directory group information. This type of rule is available only for realms that use an LDAP server for either the authentication server or directory server or that use an Active Directory server for authentication. (Note that you cannot specify an Active Directory server as an authorization server for a realm.)
    - Custom Expressions—Custom Expressions is one or more custom expressions that you define in the server catalog. Choose this option if you want to map users to roles based on custom expressions. This type of rule is available for all realms. After choosing this option, click Update to display the Expressions lists. Click the Expressions button to display the Expressions tab of the server catalog.
      NOTE: If you add more than one custom expression to the same rule, Secure Access creates an “OR” rule for the expressions. For example, you might add the following expressions to a single rule:
          Expression 1: cacheCleanerStatus = 1
          Expression 2: loginTime = (8:00AM TO 5:00PM)
      Based on these expressions, a user would match this rule if Cache Cleaner was running on his system OR if he signed into the Secure Access device between 8:00 and 5:00.
5. Under Rule, specify the condition to evaluate, which corresponds to the type of rule you select and consists of:
    a. Specifying one or more usernames, SiteMinder user attribute cookie names, RADIUS or LDAP user attributes, certificate attributes, LDAP groups, or custom expressions.
    b. Specifying to what the value(s) should equate, which may include a list of Secure Access usernames, user attribute values from a RADIUS, SiteMinder, or LDAP server, client-side certificate values (static or LDAP attribute values), LDAP groups, or custom expressions.
    For example, you can choose a SiteMinder user attribute cookie named department from the Attribute list, choose is from the operator list, and then enter "sales" and "eng" in the text box.
    Or, you can enter a custom expression rule that references the SiteMinder user attribute cookie named department:
        <userAttr.department = ("sales" and "eng")>
6. Under ...then assign these roles:
    a. Specify the roles to assign to the authenticated user by adding roles to the Selected Roles list.
    b. Check Stop processing rules when this rule matches if you want Secure Access to stop evaluating role mapping rules if the user meets the conditions specified for this rule.
7. Click Save Changes to create the rule on the Role Mapping tab. When you are finished creating rules:
    - Make sure to order role mapping rules in the order in which you want Secure Access to evaluate them. This task is particularly important when you want to stop processing role mapping rules upon a match.
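
Rule order, the "Stop processing rules when this rule matches" option, the OR between expressions in one rule, and the eligible-then-valid role filtering described under Role Mapping Rules interact, and a small model makes the effect of misordering visible. This is an added example, not Secure Access code: the rules, role names, users and the source IP restriction are constructed, and the permissive merge step is not modeled.

```python
from dataclasses import dataclass
from datetime import time as tod


@dataclass
class Rule:
    conditions: list              # callables(session) -> bool; several are ORed
    roles: list
    stop_on_match: bool = False   # "Stop processing rules when this rule matches"


def eligible_roles(rules, session):
    """Evaluate rules top to bottom and collect roles of every matching rule."""
    roles = []
    for rule in rules:
        if any(cond(session) for cond in rule.conditions):
            roles += [r for r in rule.roles if r not in roles]
            if rule.stop_on_match:
                break
    return roles


def valid_roles(rules, restrictions, session):
    """Keep only eligible roles whose role restriction the session satisfies."""
    return [r for r in eligible_roles(rules, session)
            if restrictions.get(r, lambda s: True)(session)]


# The two expressions from the NOTE in step 4: one rule, ORed.
cache_cleaner = lambda s: s["cacheCleanerStatus"] == 1
business_hours = lambda s: tod(8, 0) <= s["loginTime"] <= tod(17, 0)

# Constructed rules, role names and role restriction (not from the guide).
contractor = Rule([lambda s: s["username"].startswith("ext-")], ["Contractor"], True)
managers = Rule([lambda s: "GoodManagers" in s["groups"]], ["Managers"])
intranet = Rule([cache_cleaner, business_hours], ["Intranet"])
RESTRICTIONS = {"Managers": lambda s: s["source_ip"].startswith("10.")}

# Constructed sessions.
BOB = {"username": "ext-bob", "groups": ["GoodManagers"], "cacheCleanerStatus": 0,
       "loginTime": tod(9, 30), "source_ip": "10.1.2.3"}
ALICE = {"username": "alice", "groups": ["GoodManagers"], "cacheCleanerStatus": 1,
         "loginTime": tod(20, 0), "source_ip": "203.0.113.5"}


def demo():
    ordered = [contractor, managers, intranet]      # restrictive rule first
    misordered = [managers, intranet, contractor]   # stop flag comes too late
    return {
        "bob_ordered": valid_roles(ordered, RESTRICTIONS, BOB),
        "bob_misordered": valid_roles(misordered, RESTRICTIONS, BOB),
        "alice": valid_roles(ordered, RESTRICTIONS, ALICE),
    }
```

With the stop-on-match rule first, the contractor account receives only the Contractor role; with the same rule last, it also collects Managers and Intranet before the stop takes effect.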

Related Documentation

- Role Mapping Rules on page 230
- Policies, Rules & Restrictions, and Conditions Overview on page 60

Using the LDAP Server Catalog

The LDAP server catalog is a secondary window through which you specify additional LDAP information for Secure Access to use when mapping users to roles, including:

- Attributes—The Server Catalog Attributes tab shows a list of common LDAP attributes, such as cn, uid, uniquemember, and memberof. This tab is accessible only when accessing the Server Catalog of an LDAP server. You can use this tab to manage an LDAP server’s attributes by adding custom values to and deleting values from its Secure Access server catalog. Note that Secure Access maintains a local copy of the LDAP server’s values; attributes are not added to or deleted from your LDAP server’s dictionary.
- Groups—The Server Catalog Groups tab provides a mechanism to easily retrieve group information from an LDAP server and add it to the server’s Secure Access server catalog. You specify the Base DN of your groups and optionally a filter to begin the search. If you do not know the exact container of your groups, you can specify the domain root as the Base DN, such as dc=juniper, dc=com. The search page returns a list of groups from your server, from which you can choose groups to enter into the Groups list.
  NOTE: The Base DN value specified in the LDAP server’s configuration page under "Finding user entries" is the default Base DN value. The Filter value defaults to (cn=*).
  You can also use the Groups tab to specify groups. You must specify the Fully Qualified Distinguished Name (FQDN) of a group, such as cn=GoodManagers, ou=HQ, ou=Juniper, o=com, c=US, but you can assign a label for this group that appears in the Groups list. Note that this tab is accessible only when accessing the Server Catalog of an LDAP server.
- Expressions—The Server Catalog Expressions tab provides a mechanism to write custom expressions for the role mapping rule.

To display the LDAP server catalog:

1. After choosing the User attribute option on the Role Mapping Rule page, click Update to display the Attribute list and the Attributes button.
2. Click the Attributes button to display the LDAP server catalog. (You can also click Groups after choosing the Group membership option, or click Expressions after choosing the Custom Expressions option.)

Figure 9: Server Catalog > Attributes Tab—Adding an Attribute for LDAP