User flows

Prev Next

User flows define the policy details for an application. For more information on how to configure a user flow for each app type, see the following topics:

User flow editor

From the dashboard, click Create user flow. Alternatively, from the sidebar, click User Flows, and click New. Enter a name for the user flow and select an application to use. Click Create.

To edit an existing user flow, click User Flows from the sidebar and click the name of the user flow you want to edit.

The fields available on the next page are dependent on the type of app being defined.

Proxy apps

The name of the user flow appears at the top of the screen and can be edited. The application appears under the name. You can click the application to edit the app configuration, but you cannot change the application tied to the user flow.

  1. In the Application Dependencies section, you can add or edit service extensions, attribute providers, or identity providers to include when publishing the application. Select a dependency, select the mapping dependency for the attribute provider, and enter the username mapping attribute. Click Add to save your dependency. Repeat this process to add multiple dependencies.

  2. Under Access Control Policies, you can select a resource that you've defined in the application configuration to apply fine-grain access controls and pass user information through HTTP headers. Click Add to define the access control.

    1. On the Access Control page, select an authentication provider and the access policy you want to use.

      • Authentication: By default, users are denied access to the resource unless they are authenticated. You can select Allow unauthenticated users under Authentication if you want to allow access to unauthenticated users.

      • Authorization: By default, users are denied access to the resource unless granted access through an authorization rule.

        • You can select Allow all access if you want to allow all users access without an authorization rule.

        • If you wish to leave this option turned off, you can apply fine-grain access control and authorization by selecting Use rules to define access and using the boolean rule builder that appears on screen.

          • The rule builder allows you to add rules and conditions by provider. Additionally, you can add a rule or condition to restrict access based on HTTP request method. You can specify the HTTP method and create different access rules for reading a resource (using GET) versus modifying it (using POST or PUT).

        • Alternatively, you can select a service extension if you have any authorization service extensions already configured.

      • Service Extension Policy Decision Lifetime: Define the length of time when policies are re-evaluated by service extensions. If your user flow does not leverage a service extension for authorization or load attributes, you can skip this option.

        • Cached for the duration of the session: The policy decision will be cached for the lifetime of the session. For more information, see Max Lifetime.

        • Specify a duration: Set the duration of policy re-evaluation in seconds, minutes, or hours. The policy decision will be cached for the specified duration or until the session ends.

        • Continuous re-evaluation: The policy decision will not be cached and every request will be evaluated.

    2. Define the headers in the Headers section by entering the header name, selecting the provider, and entering the attribute. Click Add to save the header, and repeat to add multiple headers.

    3. If you've configured a Header Creation service extension, you can select it under Service Extensions. Click Add to save the service extension, and repeat to add multiple service extensions.

  3. The Headers section allows you to define broad policies for the application. Define the headers in the Headers section by entering the header name, selecting the provider, and entering the attribute. Click Add to save the header, and repeat to add multiple headers.

  4. If you've configured service extensions, you can select them under Service Extensions. Click Add to select service extensions for Header, Modify Request, Modify Response, Login, and Handle Unauthorized.

  5. To save the complete user flow, click Publish Preview at the top of the screen and proceed to Publish a Deployment.

SAML apps

The name of the user flow appears at the top of the screen and can be edited. The application appears under the name. You can click the application to edit the app configuration, but you cannot change the application tied to the user flow. However, you can add other configured SAML apps to the user flow.

  1. Under Authentication, select an IDP you've configured.

  2. If you've configured Build Claims or Build Relay State service extensions, you can select them under Service Extensions.

  3. The Authorization section allows you to define your access policy. By default, users are allowed access unless granted access through an authorization rule.

    • Allow all access is selected by default, and allows all users access without an authorization rule.

    • Select Use rules to define access to apply fine-grain access control and authorization. The Boolean rule builder appears after selecting this option, and allows you to add rules and conditions by provider.

    • Alternatively, you can select a service extension if you have any authorization service extensions already configured.

  4. In the Application Dependencies section, you can add or edit service extensions, attribute providers, or identity providers to include when publishing the application. Select a dependency, select the mapping dependency for the attribute provider, and enter the username mapping attribute. Click Add to save your dependency. Repeat this process to add multiple dependencies.

  5. The Claims section allows you to provide additional claims to this user. This maps claims to session attributes provided by the IDP(s) and any optionally defined AttributeProvider(s).

    1. Use this section to enter a claim name, select an attribute provider, and enter the attribute. Click Add to save your claim. Repeat this process to add multiple claims.

    2. Under NameID mapping, you can define custom NameID mappings in SAML responses. Select a provider and enter the attribute you want to define. Click Add to save the mapping.

  6. To save the complete user flow, click Publish Preview at the top of the screen and proceed to Publish a Deployment.

OIDC apps

The name of the user flow appears at the top of the screen and can be edited. The application appears under the name. You can click the application to edit the app configuration, but you cannot change the application tied to the user flow. However, you can add other configured OIDC apps to the user flow.

  1. Under Authentication, select an IDP you've configured.

  2. If you've configured Access Token or ID Token service extensions, you can select them under Service Extensions.

  3. The Authorization section allows you to define your access policy. By default, users are allowed access unless granted access through an authorization rule.

    • Allow all access is selected by default, and allows all users access without an authorization rule.

    • Select Use rules to define access to apply fine-grain access control and authorization. The Boolean rule builder appears after selecting this option, and allows you to add rules and conditions by provider.

    • Alternatively, you can select a service extension if you have any authorization service extensions already configured.

  4. In the Application Dependencies section, you can add or edit service extensions, attribute providers, or identity providers to include when publishing the application. Select a dependency, select the mapping dependency for the attribute provider, and enter the username mapping attribute. Click Add to save your dependency. Repeat this process to add multiple dependencies.

  5. The Claims section allows you to provide additional claims to this user. This maps claims to session attributes provided by the IDP(s) and any optionally defined AttributeProvider(s). Use this section to enter a claim name, select an attribute provider, and enter the attribute. Click Add to save your claim. Repeat this process to add multiple claims.

  6. To save the complete user flow, click Publish Preview at the top of the screen and proceed to Publish a Deployment.

API

No additional configuration is needed for API apps.