Learn about the different ProxySG authentication modes, and how to utilize the correct one for your deployment.
SGOS provides policy control over the operation of the authentication subsystem through the content policy language (CPL) property authenticate.mode(). This article describes how to use authenticate.mode(), and provides guidance on when to use each mode.
There are 13 authentication modes:
To specify a particular mode for a transaction, set the authenticate.mode() property through the command line interface (CLI) or the Visual Policy Manager (VPM) in the Management Console.
Through the CLI:
ProxySG#Inline policy local eol123
Authentication modes are explained in detail in the following guides:
The following information was taken from the SGOS 6.5 Administration Guide. Please check the documentation for any updates on authentication modes.
IMPORTANT: The authenticate.mode() setting may be overridden by the SG if it knows that the client cannot support the requested mode. For example, if the client is known not to support proxy-style authentication, the ProxySG will automatically switch the mode to origin-style. Similarly, cookie surrogate credentials are downgraded to IP surrogate credentials if the client is known not to support cookies.
Rules of thumb using authentication modes:
Two concepts are key to understanding authenticate modes:
Even in the absence of surrogate credentials, once a transaction has been authenticated, transactions on the same persistent connection are also considered authenticated.
IP surrogates are recommended for deployments larger than 1,000 users; however, note the following: