How to Configure a "WebAgent-OnReject-Text" Response Attribute

Document ID : KB000009856
Last Modified Date : 14/02/2018
Show Technical Document Details

This Knowledge Base article will illustrate how to configure "WebAgent-OnReject-Text"  Response Attribute from the Adminui and how to read the returned Attribute text on the agent side.


From the Online SSO guide, the below is mentioned regarding the "WebAgent-OnReject-Text"  Response Attribute

Specifies text that the Web Agent puts in the HTTP_ONREJECT_TEXT environment variable when it redirects the user after a failed authorization or authentication attempt. Use in reject responses. Only one instance of this attribute is allowed per response.

This Knowledge Base article will provide additional details on how to configure it.

SSO 12.5, 12.51, 12.52 and 12.6

** Policy server Side

The purpose of the "WebAgent-OnReject-Text" is to return a text message to the user in case of a Unsuccessful Authentication or Authorization. To configure it, please follow the below steps 


1) Create an "Allow Access" rule with "Authentication events" and an "OnAuthReject" as an Action (This also can be used with "Authorization events" and an "OnAccessReject"

2) Link the Rule created in Step 1 to your Policy and click on "Add Response" 

3) create a new Response which contains the "WebAgent-OnReject-Text" Response Attribute

4) within the "WebAgent-OnReject-Text" Response Attribute, Choose "static" under the Attribute Kind and set a Variable Value which will carry the Text that you want to pass to the users upon Auth Reject. Save the Changes

5) Under the same Response, add another Response Attribute this time with "WebAgent-OnReject-Redirect" and set it to be redirected to the page that you want the user to be redirected to upon failed Authentication. Save the changes

Expected Behavior:

On the Policy server side, upon Failed Authentication, The OnAuthReject rule will apply and the response will fire returning attribute 228 (the Denied Test from the "WebAgent-OnReject-Text" Response Attribute) and Attribute

227 (the Denied Redirect from the "WebAgent-OnReject-Redirect" Response Attribute) with Status: Not Authenticated as shown below 


[Send response attribute 228, data size is 6]

[http://your_failed_auth_redirect_url][][][Send response attribute 227, data size is 46]

[** Status: Not Authenticated. 8009030C: LdapErr: DSID-0C0904DB, comment: AcceptSecurityContext error, data 52e, v1db1]

[CSm_Auth_Message::SendReply][Leave function CSm_Auth_Message::SendReply]


** Agent Side 

On the agent side, the agent will receive the Attributes returned above 228 and 227 and will perform the below 2 actions


1) Issue a 302 Redirect to the URL returned in attribute 227 

2) set a cookie SMTEXT which will contain the value in clear text of the returned Attribute 228 based on the static text set in the "WebAgent-OnReject-Text" Response Attribute.


The onAuthReject Redirect page can be customized to read the SMTEXT cookie and display the message to the users

Additional Information: