Product Documentation

Traffic profiles

After creating at least one forms or SAML sso profile, you must next create a traffic profile.

Note

In this feature, the terms “profile” and “action” mean the same thing.

To create a traffic profile by using the command line interface

At the command prompt, type:

add tm trafficAction <name> [-appTimeout <mins>][-SSO ( ON | OFF ) [-formSSOAction <string>]][-persistentCookie ( ENABLED | DISABLED )][-InitiateLogout ( ON | OFF )]

Example


add tm trafficAction Traffic-Prof-1 –appTimeout 10 -SSO ON -formSSOAction SSO-Prof-1

To modify a session profile by using the command line interface

At the command prompt, type:

set tm trafficAction <name> [-appTimeout <mins>] [-SSO ( ON | OFF ) [-formSSOAction <string>]] [-persistentCookie ( ENABLED | DISABLED )] [-InitiateLogout ( ON | OFF )]

Example

``` pre codeblock set tm trafficAction Traffic-Prof-1 –appTimeout 10 -SSO ON -formSSOAction SSO-Prof-1


## To remove a session profile by using the command line interface

At the command prompt, type:

```rm tm trafficAction <name>```

### Example

rm tm trafficAction Traffic-Prof-1


## To configure traffic profiles by using the configuration utility

1.  Navigate to **Security > AAA - Application Traffic > Traffic.**
1.  Navigate to **Security > AAA - Application Traffic > Policies > Traffic.**
1.  In the details pane, click the Profiles tab.
1.  On the Profiles tab, do one of the following:
    -  To create a new traffic profile, click **Add.**
    -  To modify an existing traffic profile, select the profile, and then click **Edit.**
1.  In the **Create Traffic Profile** or **Configure Traffic Profile** dialog box, specify values for the parameters.
    -  Name\*—name (Cannot be changed for a previously configured session action.)
    -  AppTimeout—appTimeout
    -  Single Sign-On—SSO
    -  Form SSO Action—formSSOAction
    -  SAML SSO Action—samlSSOAction
    -  Enable Persistent Cookie—persistentCookie
    -  Initiate Logout—InitiateLogout
1.  Click **Create** or **OK**. The traffic profile that you created appears in the Traffic Policies, Profiles, and either the Form SSO Profiles or SAML SSO Profiles pane, as appropriate.

## Support for AAA.USER and AAA.LOGIN expressions

The AAA.USER expression is now implemented to replace the existing HTTP.REQ.USER expressions. The AAA.USER expression is applicable to handle non-HTTP traffic, such as Secure Web Gateway (SWG) and role-based access (RBA) mechanism. The AAA.USER expressions are equivalent to HTTP.REQ.USER expressions.

You can use the expression at a variety of actions or profiles configuration.

At the command prompt, type:

```add tm trafficAction <name> [SSO (ON|OFF) [-userExpression <string>]```

### Example

add tm trafficAction tm_act -SSO ON -userExpression “AAA.USER.NAME”

Done

   add tm trafficPolicy tm_pol true tm_act

Done

    bind lb vserver lb1 -policyName tm_pol -priority 2 ```

Note

If you use HTTP.REQ.USER expression, a warning message “HTTP.REQ.USER has been deprecated. Use AAA.USER instead” appears on the command prompt.

  • AAA.LOGIN Expression. The LOGIN expression represents pre-login, also known as the login request. The login request can be from Citrix Gateway, SAML IdP, or from OAuth authentication. The Citrix ADC will abstract the required attributes from policy configuration. The AAA.LOGIN expression contains the attributes, which can be fetched based on the following:
    • AAA.LOGIN.USERNAME. The username (if found) is fetched from the current login request. The same expression applied to a non-login request (determined by a authentication, authorization, and auditing) results in an empty string.
    • AAA.LOGIN.PASSWORD. The user password (if found) is fetched from the current login request. The expression results in an empty string if the password is not found.
    • AAA.LOGIN.PASSWORD2. The second password (if found) is fetched from the login request.
    • AAA.LOGIN.DOMAIN. The domain information is fetched from the login request.
  • AAA.USER.ATTRIBUTE. The AAA.USER.ATTRIBUTE expressions have now an integer associated with it. The attributes can be grouped and name the string with an appropriate name. The authentication, authorization, and auditing module looks up user sessions attribute and AAA.USER.ATTRIBUTE(“string”) would query the hash table for that particular attribute. For example, if Attributes(“samaccountname”) is set, AAA.USER.ATTRIBUTE(“samaccountname”) would query the hash map and would fetch the value corresponding to “samaccountname.”