Forum Discussion

David_G__33241's avatar
David_G__33241
Icon for Nimbostratus rankNimbostratus
Feb 24, 2015
Solved

Custom Deny Ending in Access Policy

When you create a custom ending in an access policy, it is pretty straight forward to change the messages that appear on the screen. This can be done directly in the VPE under "Edit Endings;Customization or in Advanced Customization. Using either method, you can change the session denied message from

 

this: to this:

 

(Just added the ***** to show what can be modified)

 

My scenario is that the user has just clicked on an embedded link in an email that launches the Edge Client on an iPad. This takes him to vpn.company.com/register where the access policy will grab the UDID from his iPad (which requires the use of the Edge Client), ask him to authenticate with SecurID so that we know who he is, and then the information is automatically emailed to an internal support person via the email event in the access policy. Once this is done, the user is presented with a VPE message informing him what will happen next, and then the session is denied. I do not want the user to see the standard "denied" message which tells him absolutely nothing useful. It also presents him with a "click here" link which will push him back to the main URL and he will not be able to logon since his registration has not yet been processed.

 

My question is, how do I get rid of the last line completely? Ideally I would like to get rid of the session reference number line as well. I have looked through my.acl.inc, logout.inc, header.inc, apm*.css, etc. but the code that displays this is not jumping off the page at me.

 

Could someone point me in the right direction?

 

Thanks,

 

David

 

APM 11.5.1 HF7

 

APM
deployment
security
  • matt_64003's avatar
    matt_64003
    Feb 24, 2015

    Have you tried replacing the text that you don't want to display?

     

    For instance, under Advanced Customization -> Localization (tab) -> Customization Settings -> Access Profiles -> {Access Profile Name} -> Access Policy -> Ending Pages -> Deny -> General, replace the New Session Text and New Session Link with something that will leave blank space - like a

     

    .

     

4 Replies

Sort By
  • matt_64003's avatar
    matt_64003
    Icon for Cirrus rankCirrus
    Feb 24, 2015

    Have you tried replacing the text that you don't want to display?

     

    For instance, under Advanced Customization -> Localization (tab) -> Customization Settings -> Access Profiles -> {Access Profile Name} -> Access Policy -> Ending Pages -> Deny -> General, replace the New Session Text and New Session Link with something that will leave blank space - like a

     

    .

     

    • David_G__33241's avatar
      David_G__33241
      Icon for Nimbostratus rankNimbostratus
      Feb 24, 2015
      Matt - I never thought of that - it works great. I have to say I'm surprised that a link could be replaced with a

      but this does completely blank the session link and text. It would still be handy to locate the code because there is no way to do the same for the session reference number although it is not the end of the world.

       

  • Michael_Jenkins's avatar
    Michael_Jenkins
    Icon for Cirrostratus rankCirrostratus
    Feb 24, 2015

    Along the same lines at @matt mentioned, you can actually edit the PHP code for the deny page in the Advanced Customization page. If you change the Edit Mode to Advanced and then drill down to the deny page (Access Profiles >> (Profile Name) >> Access Policy >> Ending Pages >> Deny). Not sure if it would be the logout.inc or the my.acl.inc (i think it's the latter) that you'd want to change, but you can edit the page code there, adding or removing whatever you want.

    With this method, you can remove the whole section about the session id in the page.

  • David_Gill's avatar
    David_Gill
    Icon for Cirrus rankCirrus
    Feb 24, 2015

    I had originally tried changing some instances of "visible" to "hidden" but this did not work. I later commented out the actual code and this did work. The code in question was:

     

    document.getElementById("sessionDIV").innerHTML = '
%[session_id_caption]  ' + display_session + '
';
document.getElementById("sessionDIV").style.visibility = "visible";

    This is from logout.inc.

     

    By the way it is worth noting that this is a custom ending therefore it is not the original logout.inc that is being modified. I would not change that one.

     

    Case closed. Thanks, folks!