An ESP global option that you configure is applied to all Access Gateway ESPs in the Access Gateway cluster.
By default, these options are disabled. To enable an option, remove the pound (#) symbol before it and set a value. After you configure an option, you cannot delete it. However, you can disable it again by adding the pound (#) symbol before the configured option. After you save the changes, the option is set to its default value. For example, if you have set the value for CLUSTER_COOKIE_DOMAIN as CLUSTER_COOKIE_DOMAIN .example.com, add # before CLUSTER_COOKIE_DOMAIN .example.com. After the changes are applied, the option is set to the default value as #CLUSTER_COOKIE_DOMAIN.
Perform the following steps to configure ESP global options:
Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication > ESP Global Options.
To activate an ESP global option, remove the # symbol before it, configure the value, save it, and then update Access Gateway. By default, Access Manager displays seven options. You can also configure other options, if required.
The following table lists the default ESP global options:
| ESP Global Option | Description |
|---|---|
| forceESPSLOHTTP | Set true to enable front channel logout for Access Gateway initiated logout. The default value is false. For more information about enabling front channel logout for Access Gateway, see Defining Options for Liberty Identity Provider. |
| httponlyClusterCookie | Set false to disable the HTTPOnly flag for ESP cluster cookies. The default value is true. For example, see Enabling Secure or HTTPOnly Flags for Cluster Cookies. |
| CACHE_CONTROL_RESPONSE_HEADER_VALUE no-cache,no-store | To enable this option, remove the pound (#) symbol before it and set a value; the server then requires you to Update All. To disable an option for which you have set a value, add # before the configured option; this does not require any update to the server. Access Manager sets the Cache-Control header on some URLs by default. In this scenario, this configuration does not override the default behavior. |
| CLUSTER_COOKIE_DOMAIN | Set this property to change the Domain attribute for the ESP cluster cookie in this format: CLUSTER_COOKIE_DOMAIN .example.com |
| CLUSTER_COOKIE_PATH | Set this property to change the Path attribute for the ESP cluster cookie. The default value is /nesp. |
| notifysessionTimetoIDP | Set false to disable sending the session timeout message to the remote identity provider. The default value is true. For example, see Configuring Liberty or SAML 2.0 Session Timeout. |
| RENAME_SESSIONID | Set false to prevent the Access Gateway session ID from being changed automatically. The default value is true. For example, see |
| IS_DISPLAY_AUTH_DONE_PAGE | Set true to enable Access Gateway to display the post-authentication message. The default value is false. For example, see Enabling Access Gateway to Display Post-Authentication Message. |
| SESSION_ASSURANCE_USER_AGENT_EXCLUDE_LIST | Specify the user-agent string for which you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Access Gateway ESP. |
| SESSION_ASSURANCE_USER_AGENT_REGEX_EXCLUDE_LIST | Specify the user-agent REGEX for which you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Access Gateway ESP. |
| SESSION_ASSURANCE_URL_EXCLUDE_LIST | Specify the URL for which you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Access Gateway ESP. |
| SESSION_ASSURANCE_URL_REGEX_EXCLUDE_LIST | Specify the URL REGEX for which you want to disable the session validation. For example, see Disabling Advanced Session Assurance for Access Gateway ESP. |
| SESSION_ASSURANCE_IDC_COOKIE_GRACEPERIOD | Specify the time in seconds for which Identity Server accepts the old IDC cookie after issuing a new cookie. The default value is 15 seconds. |
| USE_DEVICE_ID_IN_URN_COOKIE (Access Manager 5.0 Service Pack 1 and later) | In an Access Manager environment with multiple Identity Servers and Access Gateways, a cluster cookie (UrnNovellNidpClusterMemberId) is automatically set for the serving node of the cluster. When requests come to Identity Server or Embedded Service Provider (ESP), all nodes of the cluster use this cookie to perform the proxying, if necessary. For higher security, enable this property to use hashing for the cookie value. To set up this property only for Identity Server, see |
NOTE: After configuring an ESP option, you cannot revert it to the previous configuration by clicking Revert in the Cluster Configuration page (Access Gateway > Edit > Revert).
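Because a configured option cannot be reverted with Revert, it helps to review the option text before you save it. The following Python check is an added example, not part of Access Manager or its documentation: it reads ESP global options text and reports active settings that switch off a protection described in the table. It assumes one NAME value pair per line with a leading # marking a disabled option, as in the CLUSTER_COOKIE_DOMAIN example; the function names and the sample input are constructed for illustration.

```python
# Added example: flag active ESP global options that switch off a protection.
# Assumption: one "NAME value" pair per line, and a leading '#' disables the
# option (default applies), as in the CLUSTER_COOKIE_DOMAIN example above.

# option name -> (value that relaxes a default, effect as described in the table)
RELAXING = {
    "httponlyClusterCookie": ("false", "HTTPOnly flag disabled for ESP cluster cookies"),
    "RENAME_SESSIONID": ("false", "session ID is no longer changed automatically"),
}


def parse_options(text):
    """Return {name: value} for active (uncommented) options only."""
    active = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank or disabled line: the default value applies
        parts = line.split(None, 1)
        active[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return active


def audit(text):
    """Return (option, reason) pairs that deserve review before Update All."""
    findings = []
    for name, value in parse_options(text).items():
        if name in RELAXING and value.lower() == RELAXING[name][0]:
            findings.append((name, RELAXING[name][1]))
        elif name.startswith("SESSION_ASSURANCE_") and name.endswith("_EXCLUDE_LIST") and value:
            findings.append((name, "session validation disabled for: " + value))
    return findings


# Constructed sample input, not taken from a real deployment.
SAMPLE = """\
#forceESPSLOHTTP
httponlyClusterCookie false
CLUSTER_COOKIE_DOMAIN .example.com
#RENAME_SESSIONID false
SESSION_ASSURANCE_URL_REGEX_EXCLUDE_LIST .*
IS_DISPLAY_AUTH_DONE_PAGE true
"""

if __name__ == "__main__":
    for option, reason in audit(SAMPLE):
        print(option + ": " + reason)
```

The commented-out RENAME_SESSIONID line is not reported, because a disabled option falls back to its default value.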