A Forum reader recently asked:
“Is it possible to set up a protected resource to use a login page as a last resort without using an authentication contract? As I understand it, authentication contracts are always run before any policy evaluation takes place, and I want my users to log in only if they are not on certain IP subnets. I have created the IP subnet policy, but I can’t find any way to create a login page policy.”
And here is the response from Martin Day …
This can be done if you create two proxy services pointing to the same backend app – for example, wwwauth.acme.com and www.auth.com.
1. For the www.auth.com proxy service, don’t assign an authentication contract (i.e. public access) but create an authorization policy granting access to the desired subnet only.
2. Add another rule of lower priority which, instead of denying, is configured to Redirect. Make the redirect URL point to wwwauth.acme.com.
3. For wwwauth.acme.com, assign the desired authentication contract and other policies.
So, all users would access www.auth.com. If they’re on the right subnet, they get in. If not, they are transparently bounced to another name requiring authentication.
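To make the rule ordering in steps 1 and 2 concrete, here is an added example that models the public proxy service's authorization decision in Python. It is not NetIQ Access Manager configuration or code from Martin Day; the two hostnames are taken from the post, while the trusted subnets, the client addresses and the rule table are constructed for illustration. The point it adds is that the lower-priority rule is a catch-all that fires only when the subnet rule does not match, that the redirect should carry the original path and query so the user lands on the same page after authenticating, and that an unparseable client address falls through to the redirect rather than to access.

```python
import ipaddress

# Hostnames from the post: the public service and the authenticated service.
PUBLIC_HOST = "www.auth.com"
AUTH_HOST = "wwwauth.acme.com"

# Constructed example subnets that may reach the backend without logging in.
TRUSTED_SUBNETS = [
    ipaddress.ip_network(n)
    for n in ("10.10.0.0/16", "192.168.5.0/24", "2001:db8:1::/48")
]


def in_trusted_subnet(client_ip):
    """Step 1 condition: is the client address inside one of the trusted subnets?

    Caveat: the address tested must be the one the proxy actually sees. If
    another proxy or load balancer sits in front, the subnet condition is
    evaluated against that hop unless the real client address is restored.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        # Fail closed: an address we cannot parse never matches the allow rule.
        return False
    return any(addr in net for net in TRUSTED_SUBNETS)


def redirect_target(path, query=""):
    """Step 2 action: the redirect URL on the authenticated name.

    The original path and query string are preserved so that, after the
    authentication contract on AUTH_HOST completes, the user reaches the
    resource they first requested instead of the site root.
    """
    url = "https://" + AUTH_HOST + path
    if query:
        url += "?" + query
    return url


# Rules on the public service, ordered by priority. Evaluation stops at the
# first rule whose condition matches, exactly as with priority-ordered
# authorization rules: the higher-priority subnet rule permits, the
# lower-priority catch-all redirects instead of denying.
RULES = [
    {"priority": 1, "condition": in_trusted_subnet, "action": "permit"},
    {"priority": 2, "condition": lambda ip: True, "action": "redirect"},
]


def evaluate(client_ip, path="/", query=""):
    """Return ("permit", None) or ("redirect", url) for one request to PUBLIC_HOST."""
    for rule in sorted(RULES, key=lambda r: r["priority"]):
        if rule["condition"](client_ip):
            if rule["action"] == "permit":
                return ("permit", None)
            return ("redirect", redirect_target(path, query))
    # Unreachable while the catch-all rule exists; kept so a misconfigured
    # rule table denies rather than silently permits.
    return ("deny", None)


if __name__ == "__main__":
    # Constructed sample requests: an inside client, an outside client, an
    # IPv6 inside client and a malformed address.
    for ip, path, query in [
        ("10.10.3.4", "/app/report", ""),
        ("203.0.113.7", "/app/report", "id=42"),
        ("2001:db8:1::10", "/", ""),
        ("not-an-ip", "/app", ""),
    ]:
        print(ip, "->", evaluate(ip, path, query))
```

Running the block prints a permit for the two inside addresses and a redirect to https://wwwauth.acme.com/app/report?id=42 for the outside client; the malformed address is also redirected, which is the safe outcome because the user is simply asked to authenticate.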
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.