KB25930 - Can realm selection be configured with an anonymous auth server?

Last Modified Date: 12/12/2015 2:01 AM
Synopsis
This article provides information about the possibility of configuring realm selection with an anonymous auth server.
Problem or Goal
Scenario:

A user has multiple realms configured for a sign-in policy, one of which uses an anonymous server as the backend authentication server.

The user has to pick a realm from the realms that are configured on the portal, one of which uses an anonymous server that will use the realm authentication policy to authenticate users. But when this is performed, the "Unable to create new Sign-In URL: Cannot select both anonymous and non anonymous realms" error message is generated.


The following image illustrates the Anonymous Auth server being successfully created:


The following image illustrates the Anonymous authentication with Test Realm1:



The following image illustrates multiple realms being selected for the Sign-in-Policy:



The following image illustrates the "Unable to create new Sign-In URL: Cannot select both anonymous and non anonymous realms" error message:

Cause
Solution
The sole purpose of an Anonymous server is to give the end user restriction-less access: the user is presented with the back-end resources directly, without being prompted for any authentication credentials. However, end users may still be restricted via a realm-level or role-level authentication policy, which is based on source IP, certificate, browser, or Host Checker.

The Anonymous server feature provides an anonymous authentication mechanism for resources on the PCS device that do not require extreme security, and it allows users to access the PCS device without providing a username or password. When a user types the URL of a sign-in page that is configured to authenticate against an anonymous server, the PCS device bypasses the standard sign-in page and immediately displays the welcome page to the user. An anonymous authentication server is therefore used when access to the device is provided without the requirement of credentials.

A sign-in policy cannot offer a choice between realms configured with authentication servers, which present users with a sign-in page that requires credentials, and realms configured with an anonymous server, which bypass the sign-in page and allow access without requesting authentication. Selecting both generates the error message, which is expected behavior.

Anonymous Server Restrictions

When defining and monitoring an anonymous server instance, note that:
 
  • You can only add one anonymous server configuration.
  • You cannot authenticate administrators by using an anonymous server.
  • During configuration, you must select the anonymous server as both the authentication server and the directory/attribute server in the Users > User Realms > General tab.
  • When creating role mapping rules via the Users > User Realms > Role Mapping tab, the SA device does not allow you to create mapping rules that apply to specific users (such as Joe), as the anonymous server does not collect username information. You can create role mapping rules that are only based on a default username (*), certificate attributes, or custom expressions.
  • For security reasons, you may want to limit the number of users who sign in via an anonymous server at any given time. To do this, use the option on the Users > User Realms > [Realm] > Authentication Policy > Limits tab (where [Realm] is the realm that is configured to use the anonymous server to authenticate users).
  • You cannot view and delete the sessions of anonymous users via the Users tab (as you can with other authentication servers), as the PCS device cannot display individual session data, without collecting usernames.
Created By: Data Deployment
