Host based Policy condition example for VIP AuthHub

Host based Policy condition example for VIP AuthHub


Article ID: 371869



Products

VIP Authentication Hub

Issue/Introduction

We want to apply a host-based policy condition. We use two vanity URLs (authhub.policy1.com and authhub.policy2.net) and would like a single policy that applies a different rule to each URL. For example, the .com URL should require MFA, while the .net URL should require only a single factor.

Environment

VIP Authentication Hub 3.1.1

Resolution

Below is a sample policy that uses the vanity host name (${system.host}) as part of a context condition. Each rule's context expression matches exactly one host, so only the rule for the host that received the request applies: the .net rule returns a single PASSWORD obligation, and the .com rule returns PASSWORD plus SMSOTP.

{
  "policyName": "Context policy based on host",
  "description": "Description of the context policy",
  "status": "active",
  "matchAnyApp": true,
  "rules": [
    {
      "conditions": {
        "principal": {
          "group": {
            "operator": "in",
            "value": [
              "HR"
            ]
          }
        },
        "action": {
          "operator": "in",
          "value": [
            "authenticate"
          ]
        },
        "context": {
          "operator": "expression",
          "value": "( ${system.host} eq authhub.policy2.net ) "
        }
      },
      "result": {
        "effect": "allow",
        "obligations": [
          "PASSWORD:1"
        ],
        "msg": "rule for .net"
      }
    },
    {
      "conditions": {
        "principal": {
          "group": {
            "operator": "in",
            "value": [
              "HR"
            ]
          }
        },
        "action": {
          "operator": "in",
          "value": [
            "authenticate"
          ]
        },
        "context": {
          "operator": "expression",
          "value": "( ${system.host} eq authhub.policy1.com ) "
        }
      },
      "result": {
        "effect": "allow",
        "obligations": [
          "PASSWORD:1",
          "SMSOTP:2"
        ],
        "msg": "MFA rule for .com"
      }
    }
  ]
}