Authentication API Help -...

Dell™ Secure Mobile Access Authentication API Reference Guide


Page 1: Authentication API Help - SonicWallsoftware.sonicwall.com/...003257-00_RevA_SMA_AuthenticationAPI.pdf · Overview The Dell Secure Mobile Access (SMA) Authentication API is a RESTful


Copyright© 2016 Dell Inc. All rights reserved.

This product is protected by U.S. and international copyright and intellectual property laws. Dell™, SonicWALL, and the Dell logo are trademarks of Dell Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Dell™ Secure Mobile Access Authentication API Reference Guide
Updated - April 2016
Software Version - 11.4
232-003257-00 Rev A

Legend

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if instructions are not followed.

WARNING: A WARNING icon indicates a potential for property damage, personal injury, or death.

IMPORTANT NOTE, NOTE, TIP, MOBILE, or VIDEO: An information icon indicates supporting information.

Overview

The Dell Secure Mobile Access (SMA) Authentication API is a RESTful interface exposed by the SMA appliance. It allows a customer to write custom code to perform authentication against the SMA appliance on behalf of end-users. This powerful feature has a number of uses, including:

- Automatic access to a protected resource from a web portal
- Single sign-on to the appliance by proprietary customer client software
- Use of non-standard authentication mechanisms to protect the appliance

Basic Workflow

1. Fetch localized message catalogs. These localized strings will be needed to display any meaningful information to an end-user.
2. Fetch global configuration information. This includes the available authentication realms as well as 'theme' information - hints about visual presentation.
3. Present the available authentication realms to the end-user. Custom portals may choose to pre-select a realm for an end-user based on information obtained outside of the API (cached information in the browser's local datastore, the location the end-user is connecting from, etc).
4. Create a LogonID using the selected authentication realm. This is done by using the HTTP 'POST' method at /logon/Add. All further API requests will be made to the path returned in the Location header (also returned in the JSON response).
5. Set client information / capabilities. This includes information about the platform the client is running on as well as information about the user-agent that will be used to access the appliance (Can it restrict access per application? Can it support audio/visual CAPTCHA?).
6. Actually authenticate an end-user. This will almost certainly require multiple POSTs to the /login/{id}/authenticate resource.
   1. Initial POST will return information required to continue the authentication. This will require some sort of response from the end-user, even if that is just clicking an 'Accept' button to accept a EULA before continuing.
   2. Display prompts, gather required responses, and next action (ok, cancel, accept, decline, etc). This will typically involve converting these prompts into an HTML form and submitting the responses using an XMLHTTPRequest object. Sample user-interface code is provided on the appliance.
   3. POST responses and next action to /login/{id}/authenticate. If authentication has completely failed then an HTTP error code will be returned. If authentication has completed successfully a simple JSON object will be returned with the single attribute 'authenticated' set to true. Otherwise another round of questions is presented and we start back over at step 6.2.
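The loop in steps 4 and 6, as an added example (not code from this guide or from the appliance's sample user interface): a transport-neutral state machine that checks the returned Location stays on the appliance origin, accepts only the literal `authenticated: true` as success, and caps the number of rounds. The `{ status, headers, json }` response shape, the empty first authenticate body, the same-origin policy, the round cap, the host name and every sample value are assumptions of the example.

```javascript
'use strict';

// Resolve the Location returned by logon creation against the appliance base
// URL and refuse anything that would carry the user's answers to another origin.
function resolveLogonLocation(applianceBase, location) {
  const base = new URL(applianceBase);
  if (base.protocol !== 'https:') throw new Error('appliance base must be https');
  if (typeof location !== 'string' || location === '') {
    throw new Error('logon response carried no location');
  }
  const target = new URL(location, base); // accepts relative paths and full URLs
  if (target.origin !== base.origin) {
    throw new Error('location leaves the appliance origin: ' + target.origin);
  }
  return target;
}

class LogonFlow {
  constructor(applianceBase, realmSelection, maxRounds = 10) {
    this.base = applianceBase;
    this.realm = realmSelection; // { method: <int> } or { name: <string> }
    this.maxRounds = maxRounds;  // assumption: the guide sets no limit
    this.rounds = 0;
    this.state = 'new';
    this.reason = null;
    this.logonid = null;
    this.authUrl = null;
  }

  // Step 4: the request that creates the logonid.
  begin() {
    this.state = 'creating';
    return { method: 'POST', url: new URL('/__api__/logon', this.base).href, body: this.realm };
  }

  // Feed each HTTP response in. Returns the next request to send, or null
  // once the flow has ended (state is then 'authenticated' or 'failed').
  advance(res, answer) {
    if (this.state === 'creating') return this.onCreated(res);
    if (this.state === 'authenticating') return this.onRound(res, answer);
    throw new Error('flow already finished: ' + this.state);
  }

  onCreated(res) {
    if (res.status >= 400) return this.fail('logon creation rejected: HTTP ' + res.status);
    const body = res.json || {};
    const location = (res.headers && res.headers.location) || body.location;
    let target;
    try {
      target = resolveLogonLocation(this.base, location);
    } catch (err) {
      return this.fail(err.message);
    }
    this.logonid = body.logonid || null;
    const path = target.pathname.replace(/\/+$/, '') + '/authenticate';
    this.authUrl = new URL(path, target.origin).href;
    this.state = 'authenticating';
    return { method: 'POST', url: this.authUrl, body: {} }; // step 6.1 (body assumed empty)
  }

  onRound(res, answer) {
    // Step 6.3: an HTTP error code means authentication has completely failed.
    if (res.status >= 400) return this.fail('authentication failed: HTTP ' + res.status);
    // Only the boolean true counts; a truthy string or number does not.
    if (res.json && res.json.authenticated === true) {
      this.state = 'authenticated';
      return null;
    }
    this.rounds += 1;
    if (this.rounds > this.maxRounds) return this.fail('too many authentication rounds');
    // Step 6.2: the caller turns the prompts into responses plus a next action.
    return { method: 'POST', url: this.authUrl, body: answer(res.json) };
  }

  fail(reason) {
    this.state = 'failed';
    this.reason = reason;
    return null;
  }
}

// Replay constructed responses through a flow and report how it ended.
function replay(responses, maxRounds) {
  const flow = new LogonFlow('https://sma.example.test', { method: 1 }, maxRounds);
  const sent = [flow.begin()];
  for (const res of responses) {
    const next = flow.advance(res, () => ({ action: 'ok' })); // constructed answer
    if (next === null) break;
    sent.push(next);
  }
  return { state: flow.state, reason: flow.reason, sent };
}

// Constructed sample responses (not captured from an appliance).
const created = { status: 200, headers: { location: '/__api__/logon/demo-id' },
  json: { location: '/__api__/logon/demo-id', logonid: 'demo-id', subauthenticate: true } };
const prompt = { status: 200, headers: {}, json: { prompts: ['constructed prompt'] } };
const done = { status: 200, headers: {}, json: { authenticated: true } };
const offSite = { status: 200, headers: { location: '//other.example.test/__api__/logon/x' }, json: {} };

console.log(replay([created, prompt, done]).state);
console.log(replay([offSite]).reason);
```

A deployment that uses client certificates, where the guide says the location is a URL to redirect to, may need an explicit allow-list in place of the strict same-origin check.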


Post-Authentication Workflow

In order for the appliance to authorize any connection to a backend resource, the end-user must be classified into a zone. This step must be done whether 'Advanced EPC' checks are enabled or not. Please see the AMC help on End Point Control for more information.

All clients MUST continue with the interrogation process. This involves retrieving a list of questions about the current device - this can include information about firewall settings, state of antivirus definitions, the existence of files/directories/registry entries, whether certain applications are running, etc.

Even if there are no questions returned, clients MUST POST information to /logon/{logonid}/interrogation in order for zone classification to occur. A sample response would be:

    {
        type: 'EPC',
        client_info: {
            client_type: 'EXTRAWEB',
            equipmentID: 'demoEquipmentIdentifier',
        },
        interrogation_info: responses
    }

There is a great deal of post-authentication configuration information. This can be used to auto-activate certain access agents (redirection rules), obtain a list of other appliances linked to this one (alternate endpoints), or retrieve information about system/user-specific bookmarks. Please see the Post-Authentication section of /logon/{id} for details.

Configuration

/__api__/config — Return all of the static configuration information

GET

This is a convenience URI that returns all of the static configuration information with one request instead of having to ask for realm, profile, etc separately.

Output

{ "type": "object", "properties": {


"agents": { "description": "Data from /config/agents", "type": { "type": "object", "properties": { "CacheControl": { "description": "CacheControl version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }, "ConnectTunnel": { "description": "Connect Tunnel version and agent info",


"type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }, "EWPCA": { "description": "EWPCA version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": {


"description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }, "OPSWAT": { "description": "OPSWAT version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" },


"versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }, "OnDemand": { "description": "OnDemand version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string"


}, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }, "SEM": { "description": "SEM version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version",


"type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }, "Webifiers": { "description": "Webifiers version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": {


"description": "windows client version", "type": "string" } } } } }, "XEPC": { "description": "XEPC version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }


} } }, "bookmarks": { "description": "Are use bookmarks enabled?", "type": "boolean" }, "fallback": { "description": "Data from /config/fallback", "type": { "type": "array", "items": { "type": "object", "properties": { "address": { "description": "The hostname or IP address of the fallback server.", "type": "string" }, "realmName": { "description": "The realm name to authenticate against when using the fallback server.", "type": "string" } } } } }, "profile": { "description": "Data from /config/profile", "type": { "type": "object", "properties": { "hostName": { "description": "The canonical hostname", "type": "string" }, "startPage": { "description": "The default resource to load after authentication", "type": "string" }, "theme": { "description": "Display theme to use", "type": "object", "properties": { "color": { "description": "The normal color in the theme", "type": "string" }, "darkColor": { "description": "The 'dark' color in the theme", "type": "string"


}, "enableSmallDeviceWelcome": { "description": "Unknown", "type": "boolean" }, "font": { "description": "Font for main text", "type": "string" }, "header": { "description": "Header to place at top of screen", "type": "string" }, "helpFilename": { "description": "Where to load help pages from", "type": "string" }, "lightColor": { "description": "The 'light' color in the theme", "type": "string" }, "logoFilename": { "description": "Logo to place in the header", "type": "string" }, "smallLogoFilename": { "description": "Logo to use on small displays", "type": "string" }, "textColor": { "description": "Color for main text", "type": "string" }, "welcome": { "description": "Welcome text to show in workplace page", "type": "string" } } }, "wpLiteHint": { "description": "Longer description when asking for workplace lite mode", "type": "string" }, "wpLiteLabel": { "description": "Label for checkbox when asking for workplace lite mode", "type": "string" }, "wpLiteMode": { "description": "Bitmask of workplace lite options", "type": "integer" }


} } }, "realms": { "description": "Data from /config/realms", "type": { "type": "array", "items": { "type": "object", "properties": { "is_default": { "description": "Is this the default realm?", "type": "boolean" }, "method": { "description": "Unique identifier of the realm", "type": "integer" }, "name": { "description": "Description of the realm when displayed to the user", "type": "string" } } } } } }}

/__api__/config/agents — Return information about agents that could be deployed

GET

Return information about all available access agents.

Output

{ "type": "object", "properties": { "CacheControl": { "description": "CacheControl version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment",


"type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }, "ConnectTunnel": { "description": "Connect Tunnel version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": {


"description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }, "EWPCA": { "description": "EWPCA version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" },


"linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }, "OPSWAT": { "description": "OPSWAT version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string"


}, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }, "OnDemand": { "description": "OnDemand version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version",


"type": "string" } } } } }, "SEM": { "description": "SEM version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }, "Webifiers": {


"description": "Webifiers version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } }, "XEPC": { "description": "XEPC version and agent info", "type": "object", "properties": { "agentName": { "description": "Name of the deployable agent", "type": "string" },


"deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } } } }}

/__api__/config/agents/<string:name> — Return information about specific agents that could be deployed

GET

Return information about NAME agent.

Output

{ "type": "object", "properties": {


"agentName": { "description": "Name of the deployable agent", "type": "string" }, "deploymentURL": { "description": "URL for deployment", "type": "string" }, "type": { "description": "What type of agent this is", "type": "string" }, "versions": { "description": "client version info", "type": "object", "properties": { "darwin": { "description": "darwin client version", "type": "string" }, "linux": { "description": "linux client version", "type": "string" }, "linux64": { "description": "linux64 client version", "type": "string" }, "linuxlegacy": { "description": "linuxlegacy client version", "type": "string" }, "windows": { "description": "windows client version", "type": "string" } } } }}

/__api__/config/fallback — Get the list of configured fallback servers.

GET

You can set up one or more fallback servers for Connect Tunnel users to access in the event that the primary appliance becomes unavailable (for example, due to a planned outage or a natural disaster).

This information should be cached by a client and used if this server is not available for any reason.

Output

{ "type": "array", "items": { "type": "object", "properties": { "address": { "description": "The hostname or IP address of the fallback server.", "type": "string" }, "realmName": { "description": "The realm name to authenticate against when using the fallback server.", "type": "string" } } }}

/__api__/config/profile — Get theming information

GET

Get information about theme ID. If no ID is specified then look at headers in the request to determine the most appropriate theme.

Output

{ "type": "object", "properties": { "hostName": { "description": "The canonical hostname", "type": "string" }, "startPage": { "description": "The default resource to load after authentication", "type": "string" }, "theme": { "description": "Display theme to use", "type": "object", "properties": { "color": { "description": "The normal color in the theme", "type": "string" }, "darkColor": { "description": "The 'dark' color in the theme",


"type": "string" }, "enableSmallDeviceWelcome": { "description": "Unknown", "type": "boolean" }, "font": { "description": "Font for main text", "type": "string" }, "header": { "description": "Header to place at top of screen", "type": "string" }, "helpFilename": { "description": "Where to load help pages from", "type": "string" }, "lightColor": { "description": "The 'light' color in the theme", "type": "string" }, "logoFilename": { "description": "Logo to place in the header", "type": "string" }, "smallLogoFilename": { "description": "Logo to use on small displays", "type": "string" }, "textColor": { "description": "Color for main text", "type": "string" }, "welcome": { "description": "Welcome text to show in workplace page", "type": "string" } } }, "wpLiteHint": { "description": "Longer description when asking for workplace lite mode", "type": "string" }, "wpLiteLabel": { "description": "Label for checkbox when asking for workplace lite mode", "type": "string" }, "wpLiteMode": { "description": "Bitmask of workplace lite options", "type": "integer"


} }}

/__api__/config/realms — Get information about the configured authentication realms.

GET

Returns a list of the configured authentication realms.

If realms on the appliance are configured, but marked as 'do not display' then they will not appear in this list. Instead a placeholder will appear at the end with the empty string for a name and a method of 0. This is a cue to the API consumer to allow the end user to directly enter a realm name instead of choosing from a dropdown.

Output

{ "type": "array", "items": { "type": "object", "properties": { "is_default": { "description": "Is this the default realm?", "type": "boolean" }, "method": { "description": "Unique identifier of the realm", "type": "integer" }, "name": { "description": "Description of the realm when displayed to the user", "type": "string" } } }}
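Handling the placeholder entry described above, as an added example (not code from this guide): it turns a /config/realms list into a picker model and then builds the `method` or `name` input that `/__api__/logon` documents. Refusing typed realm names when no placeholder was sent, the 128-character limit, the function names and the sample realms are assumptions of the example.

```javascript
'use strict';

// Turn the /config/realms array into what a logon form needs. The entry with
// method 0 and an empty name is not a realm: it only signals that the end
// user may type a realm name.
function buildRealmPicker(realms) {
  if (!Array.isArray(realms)) throw new TypeError('realms must be an array');
  const choices = [];
  let defaultMethod = null;
  let allowManualEntry = false;
  for (const entry of realms) {
    if (entry === null || typeof entry !== 'object') {
      throw new TypeError('realm entry must be an object');
    }
    if (!Number.isInteger(entry.method) || typeof entry.name !== 'string') {
      throw new TypeError('realm entry needs an integer method and a string name');
    }
    if (entry.method === 0 && entry.name === '') {
      allowManualEntry = true; // placeholder: never listed as a choice
      continue;
    }
    choices.push({ method: entry.method, name: entry.name });
    if (entry.is_default === true && defaultMethod === null) {
      defaultMethod = entry.method;
    }
  }
  return { choices, defaultMethod, allowManualEntry };
}

// Build the input object for /__api__/logon: `method` for a realm picked from
// the list, `name` for a realm the user typed.
function buildLogonBody(picker, selection) {
  if (Number.isInteger(selection)) {
    if (!picker.choices.some((c) => c.method === selection)) {
      throw new RangeError('realm method was not offered by the appliance');
    }
    return { method: selection };
  }
  if (typeof selection === 'string') {
    if (!picker.allowManualEntry) {
      throw new Error('appliance did not offer manual realm entry');
    }
    const name = selection.trim();
    // Assumed limits: non-empty, at most 128 characters, no control characters.
    if (name === '' || name.length > 128 || /[\u0000-\u001f\u007f]/.test(name)) {
      throw new RangeError('invalid realm name');
    }
    return { name };
  }
  throw new TypeError('selection must be an integer method or a realm name');
}

// Constructed sample data (not taken from an appliance).
const sampleRealms = [
  { is_default: false, method: 3, name: 'Employees' },
  { is_default: true, method: 5, name: 'Contractors' },
  { is_default: false, method: 0, name: '' },
];

const picker = buildRealmPicker(sampleRealms);
console.log(picker.choices.map((c) => c.name), picker.defaultMethod, picker.allowManualEntry);
console.log(buildLogonBody(picker, picker.defaultMethod));
console.log(buildLogonBody(picker, ' Partners '));
```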

/__api__/messages — Access catalogs of strings meant for display to end-users in their native language.

GET

Return a hashtable of string identifiers and localized strings appropriate for *language*. If *language* is not specified it will return the most appropriate match based on the 'Accept-Language' header that the browser sent in the request.

Output

{ "type": "object", "properties": "Arbitrary key/value entries"}

/__api__/messages/<string:language> — Access catalogs of strings meant for display to end-users in their native language.

GET

Return a hashtable of string identifiers and localized strings appropriate for *language*. If *language* is not specified it will return the most appropriate match based on the 'Accept-Language' header that the browser sent in the request.

Output

{ "type": "object", "properties": "Arbitrary key/value entries"}

Authentication

/__api__/logon — Authenticate a user against the appliance.

GET

Create a new logonid, using a GET request. Parameters must be passed in the query string.

See POST for details on the inputs/outputs.

Input

{
  "type": "object",
  "properties": {
    "method": { "description": "Realm identifier as an integer. Specify when a realm has been chosen from the output of /config/realms.", "type": "integer" },
    "name": { "description": "Realm identifier as a string. Specify when a realm name has been manually entered.", "type": "string" }
  }
}

Output

{
  "type": "object",
  "properties": {
    "location": { "description": "The new logonid's location. When authenticating with client certificates this will be a URL to redirect to for triggering the SSL renegotiation.", "type": "string" },
    "logonid": { "description": "The new logonid, with no decoration. Once fully authenticated, this can be used to establish a tunnel or an ExtraWeb session.", "type": "string" },
    "subauthenticate": { "description": "Do we need to actually authenticate?", "type": "boolean" }
  }
}

POST

Create a new logonid. A logonid is an opaque identifier that is needed for all other non-configuration API calls.

A new logonid will be created, ready to authenticate against the realm specified in the NAME or METHOD parameter.

Input

{
  "type": "object",
  "properties": {
    "method": { "description": "Realm identifier as an integer. Specify when a realm has been chosen from the output of /config/realms.", "type": "integer" },
    "name": { "description": "Realm identifier as a string. Specify when a realm name has been manually entered.", "type": "string" }
  }
}

Output

{
  "type": "object",
  "properties": {
    "location": { "description": "The new logonid's location. When authenticating with client certificates this will be a URL to redirect to for triggering the SSL renegotiation.", "type": "string" },
    "logonid": { "description": "The new logonid, with no decoration. Once fully authenticated, this can be used to establish a tunnel or an ExtraWeb session.", "type": "string" },
    "subauthenticate": { "description": "Do we need to actually authenticate?", "type": "boolean" }
  }
}

/__api__/logon/<logonid:id> — Access details about a logonid

DELETE

Destroy the logonid specified in the URI.

This should be called after all authentication/interrogation steps have been completed. This immediately frees all resources associated with the logonid and invalidates the user session.

/__api__/logon/<logonid:id>/authenticate — Authenticate the user

POST

Called to actually complete the authentication of a user. This will need to be called repeatedly until you successfully authenticate or receive an error response.

When calling for the first time, no arguments are required. But if they are provided BUTTON should be 'ok' and REPLIES should be the empty list.

On subsequent calls BUTTON should be an action that the user chose to take, and REPLIES is a list of strings -- the answers to the previous round of questions asked by the authentication server.

Valid inbound values for BUTTON are:

ok: A normal response from the end-user, authentication should proceed.

cancel: Authentication is being abandoned because the user chose to cancel it.

failed: Could not ask the end-user the questions (client error). Authentication is being abandoned.

continue: End-user chose to continue past a warning.

accept: End-user has accepted a choice.

decline: End-user has declined a choice.

change: End-user wishes to change their password.

If authentication has completely failed then an HTTP 404 error page will be returned.

If authentication succeeds, the response will contain an object with the single 'authenticated' property with a value of 'true'.

If authentication has not completed then an object describing a dialog to show to the user will be returned.

An authentication dialog has three main parts.

1 - Fields

This is a list of questions to ask the end-user. Each field includes a prompt, a default value (possibly empty), and a list of attributes about the information being requested. The attributes are:

text: A piece of text is required. A normal text entry widget should be used.

password: A password is required. An obfuscated text entry widget should be used.

check: A boolean value is required. A checkbox widget should be used.

default: The focus should be on this field by default.

disabled: The input field should be disabled (unable to receive focus).

file: The contents of a file is required. A file selector widget should be used.

double: This field is part of a pair of entry fields that MUST match before the responses are submitted. Typically used for changing of passwords.

hidden: The field should not be displayed to the user - no input from the user is required or allowed. The default value should be returned.

url: The default value contains a URL that should be displayed to continue the authentication process. This is used during SAML authentication to redirect the end-user to the primary SAML provider.

error: Field or message is in error, display as such.

token: The PROMPT is a token used to look up a localized string. See LOCALIZATION below.

required: A non-empty value is required before the responses can be submitted.

is-username: The field represents a username. Can be used by clients to auto-answer questions with cached username/passwords.

is-password: The field represents a password. Can be used by clients to auto-answer questions with cached username/passwords.

image: The default value is a PNG image to be displayed to the user as a CAPTCHA image. The value returned should be the obfuscated text contained in the image.

2 - Messages

This is a list of (possibly localized) prompts and associated type information. The 'type' attribute of each message is a list of attributes about that message. The attributes are:

error: Field or message is in error, display as such.

token: The PROMPT is a token used to look up a localized string. See LOCALIZATION below.

3 - Framing

The rest of the information is visual presentation about how the authentication can proceed.

3.1 Buttons

This is a list of strings representing how the end-user can continue the authentication process.

ok: Present on nearly all authentication dialogs. The end-user should be presented with an 'I would like to keep going' option. Typically an 'Ok' button.

cancel: Authentication attempt may be canceled by the end-user. Typically a 'Cancel' button.

transient: Display the information to the end-user, but dismiss it without user-interaction after an appropriate delay. This is typically seen when using a RADIUS authentication server and a status message is shown.

continue: End-user wishes to continue the authentication after a warning. This is typically seen when passwords are nearing expiration and may be changed. This would indicate that the end-user wishes to continue *without* changing their password.

accept, decline: The end-user should be presented with an accept/decline choice. This is typically seen when presenting a EULA or when doing personal device registration. This choice will most likely be logged and remembered by the appliance so that the question can be skipped during subsequent authentication attempts.

primary: When using stacked authentication servers, this is present when asking for the primary set of authentication credentials. Clients may choose to present this information differently, or use different caching rules.

3.2 Title

A potentially localized string -- this is generally a short description suitable for use in a header/title bar.

3.3 Type

Information about the title. The only option that makes sense in this context is whether it is a token or not.

token: The TITLE is a token used to look up a localized string. See LOCALIZATION below.

Localization

The default for any message here is to be a generic token that is looked up in the message catalogs (see message catalogs for more information). If 'token' is missing from the list of attributes then it is NOT a localized string and should just be used unmodified.

When 'token' is present and the string is a single token (no spaces), it should be looked up in the appropriate message catalog and used directly.

If there are multiple space-separated tokens then it is of the form:

    IDS_aaa_bbb arg1 arg2 arg3 [IDS_xxx_yyy]

The first token when localized will have C-style sprintf() escapes in it. The other tokens are the arguments to pass to sprintf(). The last token MAY be another IDS_xxx_yyy token. Pseudocode for handling this would be:

    format_string = lookup-token(tokens.pop(0))
    trailing_string = ''
    if tokens and tokens[-1].startsWith('IDS_'):
        trailing_string = ' ' + lookup-token(tokens.pop())
    # the remaining tokens are the sprintf() arguments
    displayable_string = sprintf(format_string, tokens...)
    displayable_string += trailing_string
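As an added example (not code from the original guide), the following Python code applies the field-attribute and localization rules above to one dialog, without contacting an appliance. The catalog, the sample dialog, the function names, the representation of each attribute set as a list of names, the pairing of consecutive 'double' fields, and the empty reply list sent with 'cancel' or 'failed' are assumptions.

```python
import re

# Values the page lists as valid inbound BUTTON values. 'transient' and
# 'primary' appear only in a dialog's button list and are never sent back.
INBOUND_BUTTONS = {"ok", "cancel", "failed", "continue", "accept", "decline", "change"}

# Constructed stand-in for a catalog returned by GET /__api__/messages.
CATALOG = {
    "IDS_LOGIN_TITLE": "Sign in",
    "IDS_USERNAME": "Username:",
    "IDS_NEW_PASSWORD": "New password:",
    "IDS_CONFIRM_PASSWORD": "Confirm password:",
    "IDS_PW_EXPIRES": "Your password expires in %d days.",
    "IDS_CHANGE_NOW": "Change it now?",
}

# Constructed dialog. Assumption: attribute sets arrive as lists of names.
SAMPLE_DIALOG = {
    "title": "IDS_LOGIN_TITLE",
    "type": ["token"],
    "buttons": ["ok", "cancel"],
    "messages": [{"prompt": "IDS_PW_EXPIRES 3 IDS_CHANGE_NOW", "type": ["token"]}],
    "fields": [
        {"prompt": "IDS_USERNAME", "text": "alice",
         "type": ["text", "token", "hidden", "is-username"]},
        {"prompt": "IDS_NEW_PASSWORD", "text": "",
         "type": ["password", "token", "double", "required", "default"]},
        {"prompt": "IDS_CONFIRM_PASSWORD", "text": "",
         "type": ["password", "token", "double", "required"]},
    ],
}


def _sprintf_arg(token):
    """sprintf() arguments arrive as text; make integers usable with %d."""
    return int(token) if re.fullmatch(r"-?[0-9]+", token) else token


def localize(text, attrs, catalog):
    """Resolve a prompt, message or title using the Localization rules."""
    if "token" not in attrs:
        return text                       # not localized: use unmodified
    tokens = text.split()
    if not tokens:
        return text
    first = tokens.pop(0)
    fmt = catalog.get(first, first)       # assumption: unknown token shown as-is
    trailing = ""
    if tokens and tokens[-1].startswith("IDS_"):
        last = tokens.pop()
        trailing = " " + catalog.get(last, last)
    try:
        shown = fmt % tuple(_sprintf_arg(t) for t in tokens)
    except (TypeError, ValueError, KeyError):
        shown = fmt                       # escapes and arguments disagree
    return shown + trailing


def render(dialog, catalog):
    """Return (title, messages, visible prompts) ready for display."""
    title = localize(dialog["title"], dialog.get("type", []), catalog)
    messages = [localize(m["prompt"], m["type"], catalog)
                for m in dialog.get("messages", [])]
    prompts = [localize(f["prompt"], f["type"], catalog)
               for f in dialog.get("fields", []) if "hidden" not in f["type"]]
    return title, messages, prompts


def build_replies(dialog, button, answers):
    """Check the answers against the dialog and build the authenticate body."""
    offered = button in dialog.get("buttons", []) or button == "failed"
    if button not in INBOUND_BUTTONS or not offered:
        raise ValueError("button %r is not valid for this dialog" % button)
    if button in ("cancel", "failed"):
        return {"button": button, "replies": []}   # assumption: nothing to send
    fields = dialog.get("fields", [])
    if len(answers) != len(fields):
        raise ValueError("one answer per field is required")
    replies, pending = [], None
    for field, answer in zip(fields, answers):
        attrs = field["type"]
        if "hidden" in attrs:
            answer = field["text"]        # the default value must be returned
        if "required" in attrs and not answer:
            raise ValueError("a required field is empty")
        if "double" in attrs:
            if pending is None:
                pending = answer          # first half of the pair
            elif answer != pending:
                raise ValueError("paired entries do not match")
            else:
                pending = None
        replies.append(answer)
    if pending is not None:
        raise ValueError("unpaired 'double' field")
    return {"button": button, "replies": replies}
```

Rejecting a bad dialog response on the client keeps a mismatched password pair or a tampered hidden value from ever being posted to the authenticate resource.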

Input

{
  "type": "object",
  "properties": {
    "button": {
      "description": "Choice the user made when sending the replies.",
      "type": "string",
      "enum": [ "accept", "cancel", "change", "continue", "decline", "failed", "ok" ]
    },
    "replies": { "description": "Replies to previous authentication prompts.", "type": "string" }
  }
}

Output

{
  "type": "object",
  "properties": {
    "buttons": {
      "description": "A list of strings representing how the authentication process can proceed.",
      "type": "bitmask",
      "items": [ "ok", "cancel", "failed", "transient", "continue", "primary", "change", "accept", "decline" ]
    },
    "fields": {
      "description": "A list of information needed to finish authenticating.",
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "prompt": { "description": "Localized message token", "type": "string" },
          "text": { "description": "Default value for this field", "type": "string" },
          "type": {
            "description": "Set of attributes about this field.",
            "type": "bitmask",
            "items": [ "text", "password", "checkbox", "select-one", "select-multiple", "select", "default", "disabled", "file", "double", "hidden", "url", "error", "token", "required", "is-username", "is-password", "image" ]
          }
        }
      }
    },
    "messages": {
      "description": "A list of messages with information about the state of the authentication process. May contain error messages, or instructions for the end user.",
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "prompt": { "description": "Localized message token", "type": "string" },
          "type": {
            "description": "Set of attributes about this message.",
            "type": "bitmask",
            "items": [ "text", "password", "checkbox", "select-one", "select-multiple", "select", "default", "disabled", "file", "double", "hidden", "url", "error", "token", "required", "is-username", "is-password", "image" ]
          }
        }
      }
    },
    "title": { "description": "Localized message token. Short description suitable for use in a header/title bar.", "type": "string" },
    "type": {
      "description": "Set of attributes about the title.",
      "type": "bitmask",
      "items": [ "text", "password", "checkbox", "select-one", "select-multiple", "select", "default", "disabled", "file", "double", "hidden", "url", "error", "token", "required", "is-username", "is-password", "image" ]
    }
  }
}

/__api__/logon/Add — Create logonids

GET

Create a new logonid, using a GET request. Parameters must be passed in the query string.

See POST for details on the inputs/outputs.

Input

{
  "type": "object",
  "properties": {
    "method": { "description": "Realm identifier as an integer. Specify when a realm has been chosen from the output of /config/realms.", "type": "integer" },
    "name": { "description": "Realm identifier as a string. Specify when a realm name has been manually entered.", "type": "string" }
  }
}

Output

{
  "type": "object",
  "properties": {
    "location": { "description": "The new logonid's location. When authenticating with client certificates this will be a URL to redirect to for triggering the SSL renegotiation.", "type": "string" },
    "logonid": { "description": "The new logonid, with no decoration. Once fully authenticated, this can be used to establish a tunnel or an ExtraWeb session.", "type": "string" },
    "subauthenticate": { "description": "Do we need to actually authenticate?", "type": "boolean" }
  }
}

POST

Create a new logonid. A logonid is an opaque identifier that is needed for all other non-configuration API calls.

A new logonid will be created, ready to authenticate against the realm specified in the NAME or METHOD parameter.

Input

{
  "type": "object",
  "properties": {
    "method": { "description": "Realm identifier as an integer. Specify when a realm has been chosen from the output of /config/realms.", "type": "integer" },
    "name": { "description": "Realm identifier as a string. Specify when a realm name has been manually entered.", "type": "string" }
  }
}

Output

{
  "type": "object",
  "properties": {
    "location": { "description": "The new logonid's location. When authenticating with client certificates this will be a URL to redirect to for triggering the SSL renegotiation.", "type": "string" },
    "logonid": { "description": "The new logonid, with no decoration. Once fully authenticated, this can be used to establish a tunnel or an ExtraWeb session.", "type": "string" },
    "subauthenticate": { "description": "Do we need to actually authenticate?", "type": "boolean" }
  }
}

Post-Authentication

/__api__/logon/<logonid:id>/applications — Return a list of applications that are authorized to use the tunnel.

GET

Return a list of applications that are authorized to use the tunnel.

Access to this resource requires a fully authenticated logonid.

Output

{
  "type": "array",
  "items": {
    "type": "object",
    "properties": {
      "allowAnyVersion": { "description": "If allow any version", "type": "boolean" },
      "app_name": { "description": "Application name", "type": "string" },
      "applicationId": { "description": "Application ID", "type": "string" },
      "comment": { "description": "Comments", "type": "string" }
    }
  }
}

/__api__/logon/<logonid:id>/bookmarks — Get a list of the bookmarks that an authenticated user has access to.

GET

Return an object with a list of bookmarks configured by the administrator and user-defined bookmarks.

Access to this resource requires a fully authenticated logonid.

Output

{
  "type": "object",
  "properties": {
    "system": {
      "description": "System defined bookmarks",
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "RDPServerFarmHost": { "description": "List of hosts in an RDP server farm", "type": "array", "items": { "type": "string" } },
          "description": { "description": "Longer description of the bookmark", "type": "string" },
          "title": { "description": "Short description of the bookmark (link text)", "type": "string" },
          "url": { "description": "The saved URL", "type": "string" }
        }
      }
    },
    "user": {
      "description": "User defined bookmarks",
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "RDPServerFarmHost": { "description": "List of hosts in an RDP server farm", "type": "array", "items": { "type": "string" } },
          "description": { "description": "Longer description of the bookmark", "type": "string" },
          "title": { "description": "Short description of the bookmark (link text)", "type": "string" },
          "url": { "description": "The saved URL", "type": "string" }
        }
      }
    }
  }
}

/__api__/logon/<logonid:id>/bookmarks/<string:bookmark> — None

DELETE

Delete a specific bookmark.

Access to this resource requires a fully authenticated logonid.

Access to this resource requires personal bookmarks to be configured in AMC.

GET

Return information about a specific bookmark.

Access to this resource requires a fully authenticated logonid.

Access to this resource requires personal bookmarks to be configured in AMC.

Output

{
  "type": "object",
  "properties": {
    "RDPServerFarmHost": { "description": "List of hosts in an RDP server farm", "type": "array", "items": { "type": "string" } },
    "description": { "description": "Longer description of the bookmark", "type": "string" },
    "title": { "description": "Short description of the bookmark (link text)", "type": "string" },
    "url": { "description": "The saved URL", "type": "string" }
  }
}

PATCH

Modify a bookmark.

Access to this resource requires a fully authenticated logonid.

Access to this resource requires personal bookmarks to be configured in AMC.

Input

{
  "type": "object",
  "properties": {
    "RDPServerFarmHost": { "description": "List of hosts in an RDP server farm", "type": "array", "items": { "type": "string" } },
    "description": { "description": "Longer description of the bookmark", "type": "string" },
    "title": { "description": "Short description of the bookmark (link text)", "type": "string" },
    "url": { "description": "The saved URL", "type": "string" }
  }
}

PUT

Modify a bookmark.

Access to this resource requires a fully authenticated logonid.

Access to this resource requires personal bookmarks to be configured in AMC.

Input

{
  "type": "object",
  "properties": {
    "RDPServerFarmHost": { "description": "List of hosts in an RDP server farm", "type": "array", "items": { "type": "string" } },
    "description": { "description": "Longer description of the bookmark", "type": "string" },
    "title": { "description": "Short description of the bookmark (link text)", "type": "string" },
    "url": { "description": "The saved URL", "type": "string" }
  }
}

/__api__/logon/<logonid:id>/bookmarks/Add — Add a new user-defined bookmark

POST

Add a new bookmark.

Access to this resource requires a fully authenticated logonid.

Access to this resource requires personal bookmarks to be configured in AMC.

Input

{
  "type": "object",
  "properties": {
    "RDPServerFarmHost": { "description": "List of hosts in an RDP server farm", "type": "array", "items": { "type": "string" } },
    "description": { "description": "Longer description of the bookmark", "type": "string" },
    "position": { "description": "Position for the newly created bookmark. If not present (or <= 0) then the bookmark is appended to the end of the list.", "type": "integer" },
    "title": { "description": "Short description of the bookmark (link text)", "type": "string" },
    "url": { "description": "The saved URL", "type": "string" }
  }
}

Output

{
  "type": "object",
  "properties": {
    "location": { "description": "Location of the newly created bookmark.", "type": "string" }
  }
}

/__api__/logon/<logonid:id>/branding — Custom and default branding information for Connect Tunnel clients.

/__api__/logon/<logonid:id>/branding/<string:kind> — Custom and default branding information for Connect Tunnel clients.

GET

Return branding information for Connect Tunnel clients.

KIND is either 'default' or 'custom'.

Default will return the default branding resources supplied with the currently installed firmware.

Custom will return the branding resources supplied by the system administrator.

If no PATH information is given then a ZIP file of all the resources will be downloaded. Otherwise just the individual file is retrieved.

Access to this resource requires a fully authenticated logonid.

/__api__/logon/<logonid:id>/branding/<string:kind>/<path:path> — Return individual files from a branding file

GET

Return branding information for Connect Tunnel clients.

KIND is either 'default' or 'custom'.

Default will return the default branding resources supplied with the currently installed firmware.

Custom will return the branding resources supplied by the system administrator.

If no PATH information is given then a ZIP file of all the resources will be downloaded. Otherwise just the individual file is retrieved.

Access to this resource requires a fully authenticated logonid.

/__api__/logon/<logonid:id>/destroyOtherSessions — Manage user sessions

POST

Delete other user sessions.

Access to this resource requires a fully authenticated logonid.

/__api__/logon/<logonid:id>/endpoints — Return a list of endpoints you can create a tunnel with.

GET

Returns a list of the configured tunnel connection endpoints. This is an alternate list of servers and realms that are not identical, but that are relevant to the currently authenticated user.

Access to this resource requires a fully authenticated logonid.

Output

{
  "type": "array",
  "items": {
    "type": "object",
    "properties": {
      "appliance": { "description": "Hostname of the appliance to connect to", "type": "string" },
      "displayNotifications": { "description": "Should notifications be displayed when this custom connection is used.", "type": "boolean" },
      "promptForReconnect": { "description": "Should the user be prompted to reconnect to this custom connection if disconnected", "type": "boolean" },
      "realmName": { "description": "Specify a realm that users will log in to when they use this custom connection.", "type": "string" },
      "title": { "description": "The connection name can be any descriptive name.", "type": "string" }
    }
  }
}

/__api__/logon/<logonid:id>/license — Manage a logonid's license state

GET

Get the current license state.

Output

{
  "type": "object",
  "properties": {
    "licensed": { "description": "Are we currently consuming a license?", "type": "boolean" }
  }
}

POST

Manually manage a logonid's license state.

If RELEASE is true we will release the license currently held by this logonid. If there are any connections currently active the call will fail unless DESTROY_CONNECTIONS is also specified.

Access to this resource requires a fully authenticated logonid.

Input

{
  "type": "object",
  "properties": {
    "destroy_connections": { "description": "Should we destroy all connections related to this logonid?", "type": "boolean" },
    "release": { "description": "Should we release any license we currently hold?", "type": "boolean" }
  }
}

Output

{
  "type": "object",
  "properties": {
    "status": { "description": "Was the operation successful?", "type": "boolean" }
  }
}

/__api__/logon/<logonid:id>/redirection — Get the list of redirection rules for an authenticated connection.

GET

Return the list of redirection rules for an access type.

ID is the logon-id to use for filtering the rule list.

MODE is the access type you care about -- 'all', 'web', or 'tunnel'.

Example of each type of resource that can be returned:

    HOSTNAME_URL=host.domain.com
    HOSTNAME=host.domain.com
    SUBNET=1.2.3.4,255.255.255.0
    RANGE=1.2.3.4-1.2.3.100
    DOMAIN=*.domain.com

All may be prefixed with EXCLUDE_ to specify that that resource should not be redirected through the tunnel or extraweb.

Access to this resource requires a fully authenticated logonid.

Input

{
  "type": "object",
  "properties": {
    "mode": {
      "description": "Which redirection list to return",
      "type": "string",
      "enum": [ "all", "extraweb", "tunnel", "web" ]
    }
  }
}

Output

{
  "type": "array",
  "items": { "type": "string" }
}

/__api__/logon/<logonid:id>/redirection/<string:mode> — Get the list of redirection rules for an authenticated connection.

GET

Return the list of redirection rules for an access type.

ID is the logon-id to use for filtering the rule list.

MODE is the access type you care about -- 'all', 'web', or 'tunnel'.

Example of each type of resource that can be returned:

    HOSTNAME_URL=host.domain.com
    HOSTNAME=host.domain.com
    SUBNET=1.2.3.4,255.255.255.0
    RANGE=1.2.3.4-1.2.3.100
    DOMAIN=*.domain.com

All may be prefixed with EXCLUDE_ to specify that that resource should not be redirected through the tunnel or extraweb.

Access to this resource requires a fully authenticated logonid.

Input

{
  "type": "object",
  "properties": {
    "mode": {
      "description": "Which redirection list to return",
      "type": "string",
      "enum": [ "all", "extraweb", "tunnel", "web" ]
    }
  }
}

Output

{
  "type": "array",
  "items": { "type": "string" }
}
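As an added example (not part of the original guide), this Python code parses the rule strings described for both redirection resources and reports whether a destination would be redirected, which helps when auditing what bypasses the tunnel. The function names, the sample rule list, exact-match handling of HOSTNAME and HOSTNAME_URL, shell-style wildcard matching for DOMAIN, and the choice that an EXCLUDE_ match overrides any include are assumptions the guide does not state.

```python
import ipaddress
from fnmatch import fnmatchcase

EXCLUDE_PREFIX = "EXCLUDE_"

# Constructed rule list in the format the redirection resource returns.
SAMPLE_RULES = [
    "HOSTNAME=host.domain.com",
    "SUBNET=1.2.3.4,255.255.255.0",
    "RANGE=10.0.0.10-10.0.0.20",
    "DOMAIN=*.domain.com",
    "EXCLUDE_HOSTNAME=public.domain.com",
    "EXCLUDE_RANGE=1.2.3.200-1.2.3.255",
]


def parse_rule(rule):
    """Turn 'KIND=value' into (excluded, kind, data); ValueError if malformed."""
    key, sep, value = rule.strip().partition("=")
    if not sep or not value:
        raise ValueError("not a KIND=value rule: %r" % rule)
    excluded = key.startswith(EXCLUDE_PREFIX)
    kind = key[len(EXCLUDE_PREFIX):] if excluded else key
    if kind in ("HOSTNAME", "HOSTNAME_URL", "DOMAIN"):
        data = value.lower()
    elif kind == "SUBNET":
        addr, mask = value.split(",")
        # The example rule gives a host address plus netmask, so strict=False.
        data = ipaddress.ip_network("%s/%s" % (addr, mask), strict=False)
    elif kind == "RANGE":
        low, high = (ipaddress.ip_address(part) for part in value.split("-"))
        if low.version != high.version or low > high:
            raise ValueError("bad address range: %r" % rule)
        data = (low, high)
    else:
        raise ValueError("unknown rule kind: %r" % rule)
    return excluded, kind, data


def _matches(kind, data, target):
    """Does one parsed rule cover the target hostname or IP address?"""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None                          # target is a hostname
    if kind == "SUBNET":
        return ip is not None and ip in data
    if kind == "RANGE":
        low, high = data
        return ip is not None and ip.version == low.version and low <= ip <= high
    name = target.lower().rstrip(".")
    if kind == "DOMAIN":
        return fnmatchcase(name, data)     # assumption: shell-style wildcard
    return name == data                    # HOSTNAME / HOSTNAME_URL: exact match


def is_redirected(target, rule_strings):
    """True if the target matches an include rule and no EXCLUDE_ rule."""
    included = False
    for excluded, kind, data in (parse_rule(r) for r in rule_strings):
        if _matches(kind, data, target):
            if excluded:
                return False               # assumption: exclusions win
            included = True
    return included


def audit(targets, rule_strings):
    """Map each destination to 'redirected' or 'direct' for review."""
    return {t: "redirected" if is_redirected(t, rule_strings) else "direct"
            for t in targets}
```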

/__api__/logon/<logonid:id>/state — Query connection related configuration

GET

Retrieve information about the logonid in the URI.

May specify an individual piece of state in the INFO portion of the URL. If INFO is not specified then all state information is returned.

To request multiple pieces of information you may ask for them in the query string by repeating the 'info' parameter. ie:

--> /logon/{id}/state?info=zoneType&info=autoCredentialLogon

Will return only the zoneType and autoCredentialLogon attributes.

Valid inbound values for INFO are:

autoCredentialLogon: Whether a client should be allowed to cache the user credentials to allow logging in without user interaction in the future. Valid values are:

    always: Client should always cache the credentials.

    never: Client must never cache the credentials, user should not be allowed to override.

    optional: Client may cache the credentials - user should be allowed to choose.

dataPrivacyWarning: If a user has been classified into a zone that requires device registration, this is a string that outlines the terms and conditions of use that the user must agree to before their device is allowed to access the network.

secureNetworkDetection: Information about secure network detection settings. Some clients can detect when the user is located on a non-secure network and automatically establish a tunnel connection.

    enabled: Whether secure network detection is enabled.

    dnsServers: A list of DNS servers that must all be present in a machine's DNS configuration in order to be considered already connected to a secure network.

    dnsSearchDomains: A list of DNS search domains that must all be present in a machine's DNS configuration in order to be considered already connected to a secure network.

zoneType: What type of zone the user has been classified into. This information can be shown to the user in an 'about this connection' dialog.

    allow: A zone that allows normal access to VPN resources.

    deny: A zone that disallows all access to VPN resources.

    application-access: A zone that allows access only to specific applications.

    remediate: A zone that disallows all access to VPN resources, but does allow access to resources that can be used to fix the underlying problem (ie: allows access to virus definition updates if the user was classified into this zone because their definitions were too far out of date).

Access to this resource requires a fully authenticated logonid.

Input

{
  "type": "object",
  "properties": {
    "info": {
      "description": "Specific state information to return. May be specified multiple times.",
      "type": "string",
      "enum": [ "autoCredentialLogon", "dataPrivacyWarning", "secureNetworkDetection", "showDataPrivacyWarning", "zoneType" ]
    }
  }
}

Output

{
  "type": "object",
  "properties": {
    "autoCredentialLogon": {
      "description": "Should the client be allowed to cache the user credentials so that it can log in without user interaction in the future?",
      "type": "string",
      "enum": [ "always", "never", "optional" ]
    },
    "secureNetworkDetection": {
      "description": "Settings for secure network detection",
      "type": "object",
      "properties": {
        "dnsServers": { "description": "DNS servers to be used during secure network detection.", "type": "array", "items": { "type": "string" } },
        "enabled": { "description": "Is secure networking detection enabled?", "type": "boolean" },
        "searchDomains": { "description": "List of search domains to be used during secure network detection.", "type": "array", "items": { "type": "string" } }
      }
    },
    "showDataPrivacyWarning": { "description": "Show data privacy warning or not", "type": "boolean" },
    "zoneType": {
      "description": "What type of zone the user has been classified into. Clients should make this information available to the end-user in some way.",
      "type": "string",
      "enum": [ "allow", "application-access", "deny", "remediate" ]
    }
  }
}

/__api__/logon/<logonid:id>/state/<string:info> — Information about the logonid in the URI

GET

Retrieve information about the logonid in the URI.

An individual piece of state may be specified in the INFO portion of the URL. If INFO is not specified then all state information is returned.

To request multiple pieces of information, repeat the 'info' parameter in the query string. For example:


--> /logon/{id}/state?info=zoneType&info=autoCredentialLogon

Will return only the zoneType and autoCredentialLogon attributes.

Valid inbound values for INFO are:

autoCredentialLogon: Whether a client should be allowed to cache the user credentials to allow logging in without user interaction in the future. Valid values are:

always: Client should always cache the credentials.

never: Client must never cache the credentials; the user should not be allowed to override.

optional: Client may cache the credentials - user should be allowed to choose.

dataPrivacyWarning: If a user has been classified into a zone that requires device registration, this is a string that outlines the terms and conditions of use that the user must agree to before their device is allowed to access the network.

secureNetworkDetection: Information about secure network detection settings. Some clients can detect when the user is located on a non-secure network and automatically establish a tunnel connection.

enabled: Whether secure network detection is enabled.

dnsServers: A list of DNS servers that must all be present in a machine's DNS configuration in order to be considered already connected to a secure network.

dnsSearchDomains: A list of DNS search domains that must all be present in a machine's DNS configuration in order to be considered already connected to a secure network.

zoneType: What type of zone the user has been classified into. This information can be shown to the user in an 'about this connection' dialog.

allow: A zone that allows normal access to VPN resources.

deny: A zone that disallows all access to VPN resources.

application-access: A zone that allows access only to specific applications.

remediate: A zone that disallows all access to VPN resources, but does allow access to resources that can be used to fix the underlying problem (i.e., allows access to virus definition updates if the user was classified into this zone because their definitions were too far out of date).

Access to this resource requires a fully authenticated logonid.

Input
{
  "type": "object",
  "properties": {
    "info": {
      "description": "Specific state information to return. May be specified multiple times.",
      "type": "string",
      "enum": [ "autoCredentialLogon", "dataPrivacyWarning", "secureNetworkDetection", "showDataPrivacyWarning", "zoneType" ]
    }
  }
}

Output
{
  "type": "object",
  "properties": {
    "autoCredentialLogon": {
      "description": "Should the client be allowed to cache the user credentials so that it can log in without user interaction in the future?",
      "type": "string",
      "enum": [ "always", "never", "optional" ]
    },
    "secureNetworkDetection": {
      "description": "Settings for secure network detection",
      "type": "object",
      "properties": {
        "dnsServers": { "description": "DNS servers to be used during secure network detection.", "type": "array", "items": { "type": "string" } },
        "enabled": { "description": "Is secure networking detection enabled?", "type": "boolean" },
        "searchDomains": { "description": "List of search domains to be used during secure network detection.", "type": "array", "items": { "type": "string" } }
      }
    },
    "showDataPrivacyWarning": { "description": "Show data privacy warning or not", "type": "boolean" },
    "zoneType": {
      "description": "What type of zone the user has been classified into. Clients should make this information available to the end-user in some way.",
      "type": "string",
      "enum": [ "allow", "application-access", "deny", "remediate" ]
    }
  }
}
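A client-side sketch of the state query described above, added here as an example and not taken from the SMA product or any Dell client: it builds the repeated-'info' query string and applies the returned secureNetworkDetection and autoCredentialLogon values. The function names, the hostname and the sample response are constructed; search domains are read from "searchDomains", the name used in the Output schema, and the fail-closed defaults are assumptions marked in the comments.

```python
import ipaddress
from urllib.parse import quote, urlencode

VALID_INFO = {"autoCredentialLogon", "dataPrivacyWarning",
              "secureNetworkDetection", "showDataPrivacyWarning", "zoneType"}

# Constructed sample of a state response (not captured from an appliance).
SAMPLE_STATE = {
    "autoCredentialLogon": "optional",
    "secureNetworkDetection": {"enabled": True,
                               "dnsServers": ["10.0.0.53", "10.0.1.53"],
                               "searchDomains": ["corp.example.com"]},
    "zoneType": "allow",
}

def state_url(base, logon_id, info=()):
    """Build the state URL, repeating 'info' once per requested attribute."""
    unknown = set(info) - VALID_INFO
    if unknown:
        raise ValueError(f"unsupported info values: {sorted(unknown)}")
    url = f"{base}/__api__/logon/{quote(str(logon_id), safe='')}/state"
    return url + ("?" + urlencode([("info", i) for i in info]) if info else "")

def _norm_ip(value):
    """Canonicalise an address so equivalent spellings compare equal."""
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return value.strip().lower()

def _norm_domain(value):
    return value.strip().rstrip(".").lower()

def on_secure_network(snd, local_servers, local_domains):
    """True only if every required server AND search domain is configured locally."""
    if not snd or not snd.get("enabled"):
        return False
    need_ip = {_norm_ip(s) for s in snd.get("dnsServers") or []}
    need_dom = {_norm_domain(d) for d in snd.get("searchDomains") or []}
    if not need_ip and not need_dom:
        # Assumption: an empty requirement list proves nothing, so fail closed
        # instead of letting the subset test pass vacuously.
        return False
    have_ip = {_norm_ip(s) for s in local_servers}
    have_dom = {_norm_domain(d) for d in local_domains}
    return need_ip <= have_ip and need_dom <= have_dom

def may_cache_credentials(state, user_opted_in):
    """Apply autoCredentialLogon: always / never / optional (user decides)."""
    policy = state.get("autoCredentialLogon")
    if policy == "always":
        return True
    if policy == "optional":
        return bool(user_opted_in)
    return False  # "never", missing or unrecognised: do not cache (assumption)
```
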

Interrogation

/__api__/logon/<logonid:id>/agentinfo — Get and set the 'micro-interrogation' results - this is information about the capabilities of the client using this API. Platform and processor information, UI capabilities, etc.

GET

Return a list of information about the agent that the server would like to know. This is an object where the attributes are the names to be returned in a POST, and the values are the type of value it expects (currently limited to 'string' or 'boolean' return values).

Output
{
  "type": "object",
  "properties": {
    "android": { "description": "Is the client running on Android?", "type": "boolean" },
    "applicationAccessSupported": { "description": "Is application access control supported?", "type": "boolean" },
    "captchaCapable": { "description": "Is CAPTCHA (image only) supported?", "type": "boolean" },
    "chromeos": { "description": "Is the client running on ChromeOS?", "type": "boolean" },
    "ios": { "description": "Is the client running on iOS?", "type": "boolean" },
    "linux": { "description": "Is the client running on Linux?", "type": "boolean" },
    "mac": { "description": "Is the client running on MacOS?", "type": "boolean" },
    "mobileConnect": { "description": "Is the client Mobile Connect?", "type": "boolean" },
    "osxlion": { "description": "Is the client running on MacOS X Lion?", "type": "boolean" },
    "pda": { "description": "Is this a PDA device (tablet, etc)?", "type": "boolean" },
    "platform": { "description": "Human readable description of the operating system.", "type": "string" },
    "userAgent": { "description": "Version information about the client.", "type": "string" },
    "userLocale": { "description": "Language locale of the client.", "type": "string" },
    "win": { "description": "Is the client running on Windows?", "type": "boolean" },
    "x64": { "description": "Is the client running on a 64-bit OS?", "type": "boolean" }
  }
}

POST

Set information about the current user-agent. This data is ADDED to the current information about the client - to remove a value you must pass its value as 'null'.

Input
{
  "type": "object",
  "properties": {
    "android": { "description": "Is the client running on Android?", "type": "boolean" },
    "applicationAccessSupported": { "description": "Is application access control supported?", "type": "boolean" },
    "captchaCapable": { "description": "Is CAPTCHA (image only) supported?", "type": "boolean" },
    "chromeos": { "description": "Is the client running on ChromeOS?", "type": "boolean" },
    "ios": { "description": "Is the client running on iOS?", "type": "boolean" },
    "linux": { "description": "Is the client running on Linux?", "type": "boolean" },
    "mac": { "description": "Is the client running on MacOS?", "type": "boolean" },
    "mobileConnect": { "description": "Is the client Mobile Connect?", "type": "boolean" },
    "osxlion": { "description": "Is the client running on MacOS X Lion?", "type": "boolean" },
    "pda": { "description": "Is this a PDA device (tablet, etc)?", "type": "boolean" },
    "platform": { "description": "Human readable description of the operating system.", "type": "string" },
    "userAgent": { "description": "Version information about the client.", "type": "string" },
    "userLocale": { "description": "Language locale of the client.", "type": "string" },
    "win": { "description": "Is the client running on Windows?", "type": "boolean" },
    "x64": { "description": "Is the client running on a 64-bit OS?", "type": "boolean" }
  }
}

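The agentinfo exchange described above, as an added example that is not code from the guide or the appliance: the client answers only the attributes the GET asked for, in the type it asked for, and a small model shows the documented POST semantics (values are added, null removes). Function names and the sample GET result are constructed, and merge_agentinfo is a model of the behaviour the text describes, not the appliance's implementation.

```python
# Constructed sample of a GET /agentinfo result: attribute name -> expected type.
SAMPLE_REQUEST = {"platform": "string", "userAgent": "string",
                  "linux": "boolean", "x64": "boolean",
                  "captchaCapable": "boolean"}

_PY_TYPES = {"string": str, "boolean": bool}

def build_agentinfo_post(requested, facts):
    """Answer only what the server asked for, with the type it asked for."""
    body = {}
    for name, kind in requested.items():
        if name not in facts:
            continue                  # nothing to report for this attribute
        value = facts[name]
        if value is None:
            body[name] = None         # JSON null: remove a previously set value
        elif kind in _PY_TYPES and type(value) is _PY_TYPES[kind]:
            body[name] = value
        else:
            raise TypeError(
                f"{name}: expected {kind}, got {type(value).__name__}")
    return body

def merge_agentinfo(current, posted):
    """Model of the documented POST semantics: add or overwrite, null removes."""
    merged = dict(current)
    for name, value in posted.items():
        if value is None:
            merged.pop(name, None)
        else:
            merged[name] = value
    return merged
```

Local facts that were not requested (a hostname, for instance) never enter the POST body, which keeps the client from reporting more about the device than the server asked for.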
/__api__/logon/<logonid:id>/agents — Get the installation URL of each agent.

GET

List all the agent packages and files used for interrogation.

Access to this resource requires a fully authenticated logonid.

Output
{
  "type": "object",
  "properties": {
    "agentName": { "description": "Human readable name of the agent.", "type": "string" },
    "deploymentURL": { "description": "URL to load to deploy the agent.", "type": "string" },
    "type": {
      "description": "The type of agent",
      "type": "string",
      "enum": [ "Access", "DataProtection" ]
    },
    "version": { "description": "Version number of the agent.", "type": "string" }
  }
}

POST

Set agent installation results, telling the appliance which agents have been successfully installed. Note: The appliance only cares about the PCA, NGC, and OnDemand installation results.

Access to this resource requires a fully authenticated logonid.

Input
{
  "type": "object",
  "properties": {
    "NGC": { "description": "Was the tunnel agent installed successfully?", "type": "boolean" },
    "OnDemand": { "description": "Was the OnDemand Tunnel agent installed successfully?", "type": "boolean" },
    "PCA": { "description": "Was the EWPCA agent installed successfully?", "type": "boolean" }
  }
}

/__api__/logon/<logonid:id>/interrogation — Get/Set the interrogation info for a logon user. This information is used for doing EPC interrogation.


GET

Get interrogation information and the related OPSWAT installation URL.

Access to this resource requires a fully authenticated logonid.

Output
{
  "type": "object",
  "properties": {
    "dependence_file": {
      "description": "",
      "type": "object",
      "properties": {
        "interrogation_file": {
          "description": "A bunch of files which need by interrogation",
          "type": "array",
          "items": {
            "type": "object",
            "properties": {
              "file": { "description": "A URI of opswat depend lib file", "type": "string" },
              "type": {
                "description": "The type of the interrogator",
                "type": "string",
                "enum": [ "OPSWATAS", "OPSWATAV", "OPSWATPFW" ]
              }
            }
          }
        },
        "opswat_agent": { "description": "A installation URI of opswat agent", "type": "string" }
      }
    },
    "zone_interrogation_list": {
      "description": "A list of interrogation rule",
      "type": "array",
      "items": {
        "type": "object",
        "properties": {
          "id": { "description": "Reference ID of the interrogation rule", "type": "string" },
          "key": {
            "description": "Interrogator type",
            "type": "string",
            "enum": [ "CERTIFICATE", "OPSWATAS", "OPSWATAV", "OPSWATPFW", "PROCESS", "REGISTER" ]
          },
          "values": { "description": "The interrogation rule of this Reference ID", "type": "string" }
        }
      }
    }
  }
}

PATCH

Update EPC information after a previous interrogation result has been submitted.

Currently this is only used when personal device authorization is enabled, and sets whether the user has agreed to the data privacy warning configured by the administrator.

Access to this resource requires a fully authenticated logonid.

Input
{
  "type": "object",
  "properties": {
    "registerDeviceResult": { "description": "Has the user agreed to the restrictions about using a personal device?", "type": "boolean" }
  }
}

POST

Supply results to the interrogation queries. This information is used to classify the user into a zone.

Even if there are no questions returned, clients MUST POST information here in order for zone classification to occur. A sample response would be:


{
  type: 'EPC',
  client_info: {
    client_type: 'EXTRAWEB',
    equipmentID: 'demoEquipmentIdentifier',
  },
  interrogation_info: responses
}

Access to this resource requires a fully authenticated logonid.

Input
{
  "type": "object",
  "properties": {
    "client_info": {
      "description": "Information about the client device",
      "type": "object",
      "properties": {
        "client_type": {
          "description": "Type of client being used.",
          "type": "string",
          "enum": [ "CT", "EXTRAWEB", "MC" ]
        },
        "equipmentID": { "description": "Unique identifier of the piece of equipment being used.", "type": "string" }
      }
    },
    "interrogation_info": {
      "description": "",
      "type": "object",
      "properties": {
        "AVXXXXXXXX": { "description": "This is the Reference ID of the interrogation rule, and it may have more than one.", "type": "boolean" }
      }
    },
    "type": {
      "description": "Type of interrogation results",
      "type": "string",
      "enum": [ "EPC", "RECURRING_EPC" ]
    }
  }
}

Output
{
  "type": "object",
  "properties": {
    "dataPrivacyWarning": { "description": "A privacy warning message to be shown when personal devices are detected.", "type": "string" },
    "epcUpdateInterval": { "description": "How often the client must resubmit interrogation results. If not present, equal to zero, or null then no recurring checks are required.", "type": "integer" },
    "is_ct_allow": { "description": "Whether tunnel access is allowed for the user.", "type": "boolean" },
    "registerDeviceState": {
      "description": "Is personal device registration needed?",
      "type": "string",
      "enum": [ "PDA_ALREADY_AUTHORIZED", "PDA_DISABLED", "PDA_ERROR", "PDA_MUST_REGISTER", "PDA_RE_REGISTER" ]
    },
    "sessionContextId": { "description": "Session context of this user, used for subsequent logging.", "type": "integer" },
    "tunnelClientsDisabled": { "description": "Are tunnel clients currently disabled?", "type": "boolean" },
    "zoneChanged": { "description": "Only present when doing recurring checks. Will be true if the zone has changed from the previous one.", "type": "boolean" },
    "zoneCommand": {
      "description": "What action the client must take when classified into this zone. May be one of ALLOW, DENY, REMEDIATE, or LOGOUT.",
      "type": "string",
      "enum": [ "ALLOW", "DENY", "LOGOUT", "REMEDIATE" ]
    },
    "zoneName": { "description": "The name of the zone that the user was classified into.", "type": "string" },
    "zoneType": {
      "description": "The type of zone that the user was classified into.",
      "type": "string",
      "enum": [ "allow", "application-access", "deny", "remediate" ]
    }
  }
}

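The interrogation round trip described above (GET the rules, POST one boolean per rule, act on the output), as an added example that is not code from the guide or the appliance. The function names, rule IDs, zone name and sample payloads are constructed; the guide does not state the unit of epcUpdateInterval, so the value is passed through unchanged, and the fail-closed defaults are assumptions marked in the comments.

```python
CLIENT_TYPES = {"CT", "EXTRAWEB", "MC"}
ZONE_COMMANDS = {"ALLOW", "DENY", "LOGOUT", "REMEDIATE"}

# Constructed samples: rule ids and texts are placeholders, not appliance output.
SAMPLE_INTERROGATION = {"zone_interrogation_list": [
    {"id": "AV00000001", "key": "OPSWATAV", "values": "<rule text>"},
    {"id": "PR00000002", "key": "PROCESS", "values": "<rule text>"}]}
SAMPLE_RESULT = {"zoneCommand": "REMEDIATE", "zoneName": "Quarantine",
                 "zoneType": "remediate", "epcUpdateInterval": 300,
                 "registerDeviceState": "PDA_MUST_REGISTER",
                 "dataPrivacyWarning": "<terms configured by the administrator>"}

def build_epc_post(interrogation, results, equipment_id,
                   client_type="EXTRAWEB", recurring=False):
    """Build the POST body: one boolean per rule Reference ID."""
    if client_type not in CLIENT_TYPES:
        raise ValueError(f"unknown client_type {client_type!r}")
    rules = interrogation.get("zone_interrogation_list") or []
    # Assumption: a rule with no local result is reported as failed (False).
    info = {rule["id"]: results.get(rule["id"]) is True for rule in rules}
    # With no rules, interrogation_info is {} and the body is still POSTed,
    # because zone classification only happens on POST.
    return {"type": "RECURRING_EPC" if recurring else "EPC",
            "client_info": {"client_type": client_type,
                            "equipmentID": equipment_id},
            "interrogation_info": info}

def next_step(result):
    """Reduce the POST output to what the client must do next."""
    command = result.get("zoneCommand")
    if command not in ZONE_COMMANDS:
        command = "DENY"   # assumption: unknown or missing command fails closed
    interval = result.get("epcUpdateInterval")
    if isinstance(interval, bool) or not isinstance(interval, int) or interval <= 0:
        interval = 0       # absent, null or zero: no recurring checks
    # Assumption from the enum names: these two states call for the PATCH.
    register = result.get("registerDeviceState") in {"PDA_MUST_REGISTER",
                                                     "PDA_RE_REGISTER"}
    return {"action": command, "zone": result.get("zoneName"),
            "recheck_interval": interval, "must_register": register,
            "privacy_warning":
                result.get("dataPrivacyWarning") if register else None}

def registration_patch(agreed):
    """PATCH body recording the user's answer to the data privacy warning."""
    return {"registerDeviceResult": agreed is True}
```
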