FAQ: Using a Custom Authentication Failed IDP Rule

Sentry administrators may want to use a custom "Authentication Failed" IDP rule. If this custom rule is not meant to apply to all policies, you will need to create the rule in the policy-level IDP Group (for example within the REST policy IDP Group).

However, a custom "Authentication Failed" IDP rule in a policy-level IDP Group will not be triggered if the System IDP Group has an "Authentication Failed" IDP rule with an Abort IDP Action.

Note that an "Authentication Failed" IDP rule has to exist in the System IDP Group and in every policy-level IDP Group.

Essentially, the workaround is to add an "Authentication Failed" IDP rule without the Abort action to the System IDP Group. With this configuration, the required IDP rule is still present, but it does not block the message on an authentication failure. Instead, the "Authentication Failed" IDP rule in the policy-level IDP Group will block the request.

The following steps can be used to implement a workaround.

1. Create a new IDP Action - Uncheck the "Abort processing.." option. You may also want to remove the "Log an Alert" option.

2. Create a custom Authentication Failed IDP rule that uses the IDP action from step 1.

3. Add the custom Authentication Failed IDP rule created in step 2 to the System IDP Group.

4. Remove the default Authentication Failed IDP rule from the System IDP Group.
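The following Python model illustrates why the shadowing described above happens and how steps 1-4 fix it. It is an added example, not Sentry code or configuration; it assumes, as the FAQ implies, that the System IDP Group is evaluated before the policy-level group and that an IDP Action with "Abort processing.." stops all further rule evaluation. Group, rule and action names are constructed for the illustration.

```python
"""
Constructed model of IDP rule evaluation across the System IDP Group and a
policy-level IDP Group. Added illustration only, not Sentry's implementation.
Assumptions: the System group is evaluated first, and an action with `abort`
set stops evaluation of every rule after it.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

AUTH_FAILED = "Authentication Failed"


@dataclass
class IdpAction:
    """An IDP Action; `abort` models the "Abort processing.." checkbox."""
    name: str
    abort: bool
    log_alert: bool = True


@dataclass
class IdpRule:
    event: str        # the IDP event the rule matches, e.g. AUTH_FAILED
    action: IdpAction


@dataclass
class IdpGroup:
    name: str
    rules: List[IdpRule] = field(default_factory=list)

    def rules_for(self, event: str) -> List[IdpRule]:
        return [r for r in self.rules if r.event == event]


def validate(system_group: IdpGroup, policy_groups: List[IdpGroup]) -> None:
    """The FAQ requires an Authentication Failed rule in the System group and
    in every policy-level group; reject a configuration that lacks one."""
    for group in [system_group] + policy_groups:
        if not group.rules_for(AUTH_FAILED):
            raise ValueError(f"IDP group {group.name!r} has no {AUTH_FAILED!r} rule")


def evaluate(event: str, system_group: IdpGroup,
             policy_group: IdpGroup) -> Tuple[List[Tuple[str, str]], Optional[str]]:
    """Walk the System group first, then the policy-level group (assumed order).
    Returns the (group, action) pairs that fired and the name of the group whose
    abort action blocked the message, or None if nothing aborted."""
    fired: List[Tuple[str, str]] = []
    for group in (system_group, policy_group):
        for rule in group.rules_for(event):
            fired.append((group.name, rule.action.name))
            if rule.action.abort:
                return fired, group.name   # processing stops here
    return fired, None


def default_configuration():
    """Before the workaround: the default abort rule in the System group fires
    first and the custom policy-level rule is never reached."""
    system = IdpGroup("System", [
        IdpRule(AUTH_FAILED, IdpAction("Default Abort", abort=True))])
    rest = IdpGroup("REST policy", [
        IdpRule(AUTH_FAILED, IdpAction("Custom Abort", abort=True, log_alert=False))])
    validate(system, [rest])
    return evaluate(AUTH_FAILED, system, rest)


def workaround_configuration():
    """After steps 1-4: the System group still has an Authentication Failed
    rule, but its action does not abort, so the policy-level rule blocks."""
    system = IdpGroup("System", [
        IdpRule(AUTH_FAILED, IdpAction("No Abort", abort=False, log_alert=False))])
    rest = IdpGroup("REST policy", [
        IdpRule(AUTH_FAILED, IdpAction("Custom Abort", abort=True, log_alert=False))])
    validate(system, [rest])
    return evaluate(AUTH_FAILED, system, rest)


if __name__ == "__main__":
    for label, fn in (("default", default_configuration),
                      ("workaround", workaround_configuration)):
        fired, blocked_by = fn()
        print(f"{label}: fired={fired} blocked_by={blocked_by}")
```

Running the model shows the two outcomes side by side: with the default System rule only `("System", "Default Abort")` fires and the REST policy rule is skipped; with the non-aborting System rule both rules fire and the block is attributed to the REST policy group, which is the behaviour the workaround is meant to produce.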
