Replaces the behavior configuration for an application in Access Gateway
Use this endpoint to define behavior settings for your application. For example, you can configure how your application handles session management and security policies.
This URL is used to redirect users to a custom login page. The URL must be valid and fully qualified.
error
string
Allows you to define error endpoints to call when errors occur.
Enum:
Description
OAG_ERROR_PATH
This option lets you define an error path for an app. By default, it shows the generic Access Gateway error page
APP_ERROR_PATH
This option displays an app-hosted error page. Set the app-hosted error page with the errorPath property. The errorPath must be a valid path in your app.
NO_APP_ERROR_PATH
Access Gateway doesn't perform any error behavior
CUSTOM_URL
This option redirects the user to a custom URL for error handling. Set the custom URL with the postErrorUrl property.
errorManaged
boolean
Indicates whether you manage error behavior in your IdP
errorPath
string
This is the path to the error endpoint URL. It can be relative or fully qualified, depending on what you use it for.
Note: The URL must be unique across the login, logout, and error behaviors. Access Gateway doesn't support using the same URL for multiple behaviors. The URL can't overlap with an existing defined policy.
globalTokenRevocation
boolean
Indicates whether an IdP can send a logout signal in case of a security event
inactive
string
Allows you to define the end-user experience when an application is inactive
Enum:
Description
OAG_DEFAULT_PAGE
This option displays the default Access Gateway "App offline" page
CUSTOM_URL
This option redirects the user to a custom URL for inactivity. Set the custom URL with the inactiveUrl property.
If you use CUSTOM_URL as the inactive method, then inactiveUrl is the URL where end users are directed when an app is inactive.
login
string
Allows you to define login endpoints when users sign in and create user sessions
Enum:
Description
OAG_LOGIN_PATH
This option shows the Access Gateway local authentication module (Auth Module) sign-in page. Use a valid relative path in the protected app. The Auth module must refer to a previously defined Auth Module.
APP_LOGIN_PATH
This option uses the associated unprotected path to an app-hosted sign-in page. Use a valid relative path in the protected app.
NO_APP_LOGIN_PATH
This option doesn't use a login path
CUSTOM_URL
This option redirects the user to a custom URL after they sign in. Set the custom URL with the loginPath property.
loginManaged
boolean
Indicates whether you manage sign-in behavior in your IdP
loginPath
string
The path to the login endpoint URL. It can be relative or fully qualified, depending on which login method you use. It's executed after the user successfully signs in.
Note: The URL must be unique across the login, logout, and error behaviors. Access Gateway doesn't support using the same URL for multiple behaviors. The URL can't overlap with an existing defined policy.
logout
string
Allows you to define logout endpoints that help terminate user sessions
Enum:
Description
OAG_LOGOUT_PATH
This option signs the user out of Access Gateway and the application. Set the logout path with the logoutPath property.
OAG_LOGOUT_PATH2
This option signs the user out of Access Gateway and the application, with a different path
APP_LOGOUT_PATH
This option signs the user out of the application only
NO_APP_LOGOUT_PATH
This option does not sign the user out of the application
CUSTOM_URL
This option redirects the user to a custom URL for logout. Set the custom URL with the postLogoutUrl property
logoutPath
string
The path to the relative endpoint URL. Redirect users to this path when they sign out.
Note: The URL must be unique across the login, logout, and error behaviors. Access Gateway doesn't support using the same URL for multiple behaviors. The URL can't overlap with an existing defined policy.
maintenance
string
Allows you to define the end-user experience when an application is in maintenance mode
Enum:
Description
OAG_DEFAULT_PAGE
This option displays the default Access Gateway "App maintenance" page
CUSTOM_URL
This option redirects the user to a custom URL for maintenance. Set the custom URL with the maintenanceUrl property.
If you use CUSTOM_URL as the maintenance method, then maintenanceUrl is the URL where end users are directed when an app is in maintenance mode.
noSession
string
Allows you to define the end-user experience when Access Gateway has no session or the current session expires for an application
Enum:
Description
OAG_DEFAULT_PAGE
When there's no session or the session has expired, this option displays the Access Gateway "No session" page
IDP_REDIRECT
This option redirects the end user to Okta to reauthenticate. If their Okta session is still active, the end user is silently redirected back to the app with a refreshed app session.
IDP_FORCE_AUTHN
This option redirects the end user to Okta to reauthenticate, even if their Okta session is active
CUSTOM_URL
This option redirects the end user to a custom URL. Set the custom URL with the noSessionUrl property
The URL where an end user is redirected when no session or a session expiry is detected
policyDenied
string
Allows you to define the end-user experience when Access Gateway denies access to a resource if the user doesn't meet the requirements of a policy
Enum:
Description
OAG_DEFAULT_PAGE
When a policy denial is detected, this option displays the default Access Gateway policy failure page
STATUS_CODE_403
This option returns a blank page with the HTTP 403 Forbidden error
CUSTOM_URL
This option redirects the end user to a custom URL when the user doesn't fulfill the requirements of a policy. Set the custom URL with the policyDeniedUrl property.
If you use CUSTOM_URL as the error method, then postErrorUrl is the URL where end users are directed after an error occurs. The URL must be valid and fully qualified.
If you use CUSTOM_URL as the logout method, then postLogoutUrl is the URL where end users are directed after they sign out
sessionIntegrityFailure
string
Allows you to define the end-user experience when Access Gateway detects a session integrity failure.
For example, a session integrity failure can occur when end users change networks while maintaining an active app session.
Enum:
Description
OAG_DEFAULT_PAGE
When a session integrity failure is detected, this option displays the default Access Gateway security warning page
IGNORE
This option means that session integrity isn't enforced
IDP_FORCE_AUTHN
This option redirects the end user to Okta and forces them to reauthenticate. After they sign in again, they're returned to the application.
IDP_REDIRECT
This option redirects the end user to Okta so that they reauthenticate. If their Okta session is still active, the end user is silently redirected back to the app with a refreshed app session.
STATUS_CODE_405
This option returns a blank page with the HTTP 405 Method Not Allowed error
CUSTOM_URL
This option redirects the end user to a custom URL when a session integrity failure is detected. Set the custom URL with the sessionIntegrityFailureUrl property.
The URL where an end user is redirected when a session integrity failure is detected
singleLogout
boolean
Indicates whether both the Access Gateway application session and IdP session are terminated when a user signs out. When singleLogout is true, both sessions are terminated.
When it's false, only the Access Gateway application session is terminated.
universalLogout
boolean
Indicates whether the user's Access Gateway and application sessions are terminated when they sign out. When it's true, users must sign in again to use Access Gateway or their applications.
When it's false, only the Access Gateway application session is terminated.
Note: Universal logout doesn't sign the user out of Okta.
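As an added example (not Okta's code and not part of the original reference), the following Python linter checks a behavior configuration payload against the constraints stated on this page before it is sent to the endpoint. The sample payload is constructed; requiring every CUSTOM_URL target to be fully qualified and comparing paths as exact strings are assumptions, since the page states the fully qualified requirement explicitly only for postErrorUrl.

```python
from urllib.parse import urlsplit

# Behavior -> URL property used when the method is CUSTOM_URL (per this page).
CUSTOM_URL_PROPERTY = {
    "error": "postErrorUrl", "inactive": "inactiveUrl",
    "login": "loginPath", "logout": "postLogoutUrl",
    "maintenance": "maintenanceUrl", "noSession": "noSessionUrl",
    "policyDenied": "policyDeniedUrl",
    "sessionIntegrityFailure": "sessionIntegrityFailureUrl",
}
# Paths that must be unique across the login, logout, and error behaviors.
UNIQUE_PATHS = ("loginPath", "logoutPath", "errorPath")

# Constructed sample payload (not from the page) with three deliberate problems.
SAMPLE = {
    "login": "APP_LOGIN_PATH", "loginPath": "/auth",
    "logout": "OAG_LOGOUT_PATH", "logoutPath": "/auth",
    "error": "CUSTOM_URL", "postErrorUrl": "/oops",
    "noSession": "IDP_REDIRECT", "sessionIntegrityFailure": "IGNORE",
}

def is_fully_qualified(url):
    """True for an absolute http(s) URL that includes a host."""
    if not isinstance(url, str):
        return False
    try:
        parts = urlsplit(url)
    except ValueError:  # e.g. malformed IPv6 literal
        return False
    return parts.scheme in ("http", "https") and bool(parts.netloc)

def lint_behavior(cfg):
    """Return a sorted list of findings for a behavior configuration dict."""
    findings = []
    for field, url_prop in CUSTOM_URL_PROPERTY.items():
        if cfg.get(field) == "CUSTOM_URL" and not is_fully_qualified(cfg.get(url_prop)):
            findings.append(f"{field}=CUSTOM_URL needs a fully qualified {url_prop}")
    if cfg.get("error") == "APP_ERROR_PATH" and not cfg.get("errorPath"):
        findings.append("error=APP_ERROR_PATH needs errorPath")
    seen = {}  # path value -> first property that used it
    for prop in UNIQUE_PATHS:
        value = cfg.get(prop)
        if value and value in seen:
            findings.append(f"{prop} duplicates {seen[value]}")
        elif value:
            seen[value] = prop
    if cfg.get("sessionIntegrityFailure") == "IGNORE":
        findings.append("sessionIntegrityFailure=IGNORE: session integrity is not enforced")
    return sorted(findings)
```

Calling `lint_behavior(SAMPLE)` reports the relative postErrorUrl, the logoutPath that reuses loginPath, and the disabled session integrity check.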