Configuring ESP Global Options

When you configure an ESP global option, it gets applied to all Access Gateway ESPs in an Access Gateway cluster.

By default, these options are disabled. To enable these options, you need to remove the pound (#) symbol before it and set a value. After you configure an option, you cannot delete it. However, you can disable it again by adding the pound (#) symbol before it. If you have set a value for an option and want to disable the option, you need to add # before the configured option. After saving the changes, the value for the option is set to the default value. For example, if you have set the value for CLUSTER_COOKIE_DOMAIN as CLUSTER_COOKIE_DOMAIN .example.com, add # before CLUSTER_COOKIE_DOMAIN .example.com. After the changes are applied, the option is set to the default value as #CLUSTER_COOKIE_DOMAIN.

Perform the following steps to configure ESP global options:

  1. Click Devices > Access Gateways > Edit > Reverse Proxy / Authentication > ESP Global Options.

  2. To activate an ESP global option, remove the # symbol before it, configure the value, save it, and then update Access Gateway. By default, Access Manager displays seven options. You can configure any other options also, if required.

The following table lists the default ESP global options:

ESP Global Option

Description

forceESPSLOHTTP

Set true to enable the front channel logout for Access Gateway initiated logout.

The default value is false.

For more information enabling front channel logout for Access Gateway, see Defining Options for Liberty Identity Provider.

httponlyClusterCookie

Set false to disable the HTTPOnly flags for ESP cluster cookies.

The default value is true.

CACHE_CONTROL_RESPONSE_HEADER_VALUE no-cache,no-store

To enable this option, you need to remove the pound (#) symbol before it and set a value and the server requires you to Update All. If you have set a value for an option and want to disable the option, you need to add # before the configured option and this does not require any update to the server.

Access Manager by default sets Cache-Control header on some URLs. In this scenario, this configuration will not override the default behavior.

CLUSTER_COOKIE_DOMAIN

Set this property to change the Domain attribute for the ESP custer cookie in this format: CLUSTER_COOKIE_DOMAIN .example.com

CLUSTER_COOKIE_PATH

Set this property to change the Path attribute for the ESP custer cookie.

The default value is /nesp.

notifysessionTimetoIDP

Set false to disable sending session timeout message to the remote identity provider.

The default value is true.

For example, see Configuring Liberty or SAML 2.0 Session Timeout.

RENAME_SESSIONID

Set false to prevent changing Access Gateway session ID automatically.

The default value is true.

For example, see Preventing Automatically Changing Session ID in the Securing the ESP Session Cookie on Access Gateway.

IS_DISPLAY_AUTH_DONE_PAGE

Set true to enable Access Gateway to display post-authentication message.

The default value is false.

For example, see Enabling Access Gateway to Display Post-Authentication Message.

SESSION_ASSURANCE_USER AGENT_EXCLUDE_LIST

Specify the user-agent string for that you want to disable the session validation.

For example, see Disabling Advanced Session Assurance for Access Gateway ESP.

SESSION_ASSURANCE_USER_AGENT_REGEX_EXCLUDE_LIST

Specify the user-agent REGEX for that you want to disable the session validation.

For example, see Disabling Advanced Session Assurance for Access Gateway ESP.

SESSION_ASSURANCE_URL_EXCLUDE_LIST

Specify the URL for that you want to disable the session validation.

For example, see Disabling Advanced Session Assurance for Access Gateway ESP.

SESSION_ASSURANCE_URL_REGEX_EXCLUDE_LIST

Specify the URL REGEX for that you want to disable the session validation.

For example, see Disabling Advanced Session Assurance for Access Gateway ESP.

SESSION_ASSURANCE_IDC_COOKIE_GRACEPERIOD

Specify the time in second till which Identity Server accepts the old IDC cookie, after issuing a new cookie. The default value is 15 second.

USE_DEVICE_ID_IN_URN_COOKIE

(Access Manager 5.0 Service Pack 1 and later)

In an Access Manager environment with multiple Identity Servers and Access Gateways, a cluster cookie (UrnNovellNidpClusterMemberId) is automatically set for the serving node of the cluster. When requests come to Identity Server or Embedded Service Provider (ESP), this cookie is used by all nodes of the cluster to perform the proxying, if necessary.

For higher security, enable this property to use hashing for the cookie value.

  • false: The default setting.

  • true: Enables this property for both Identity Server and ESP.

  • ESP: Enables this property for ESP.

To set up this property only for Identity Server, see USE DEVICE ID IN URN COOKIE in Configuring Identity Server Global Options.

NOTE:After configuring an ESP option, you cannot revert it to the previous configuration by clicking Revert in the Cluster Configuration page (Access Gateway > Edit > Revert).