SSO login request is denied by ABE

Post by alwayssummer »

Hi all, I think it's about time I learn how to use ABE correctly instead of just turning it off or switching to IE when it interferes. Here's a problem I was running into today:

[ABE] <LOCAL> Deny on {POST https://sso.from.mydomain.com <<< https://wikisite.we.use.com}
SYSTEM rule:
Site LOCAL
Accept from LOCAL
Deny

On another note, I'm not sure I get the purpose of the USER vs the SYSTEM section. I read the help, but I can't find the explanation. Does USER just mean it only applies when I'm logged in? Does it get processed before system?
alwayssummer
Posts: 12
Joined: Mon Jun 18, 2012 2:50 pm

Re: SSO login request is denied by ABE

Post by alwayssummer »

I think it is getting picked up by the local rule because I am using VPN to my company.

Re: SSO login request is denied by ABE

Post by alwayssummer »

Added:

Code:

Site LOCAL
Accept from LOCAL .mycompany.com .mycopmpany.int .wikisite.com
Deny

And it loads now, but I'm still concerned about having it in SYSTEM. Should this rule be in USER?
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: SSO login request is denied by ABE

Post by Thrawn »

Well done! Your rule is correct. My only suggestion is to narrow it down by adding a specific one before the default rule:

Code:

Site https://sso.from.mydomain.com
Accept from .wikisite.we.use.com

Site LOCAL
Accept from LOCAL
Deny

alwayssummer wrote:
On another note, I'm not sure I get the purpose of the USER vs the SYSTEM section. I read the help, but I can't find the explanation. Does USER just mean it only applies when I'm logged in? Does it get processed before system?

Actually I believe System goes first, but more to the point, both rulesets are processed. So User rules don't override System ones. Within a ruleset, once a rule matches, no more rules are processed for that request, but the other ruleset will still be applied. Most of the time, you should add your own rules to User, unless you need to modify or override the default rule. So in your case, you need System.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
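The evaluation order discussed in this thread, as an added example that is not part of the original posts and is not NoScript's code: a simplified Python model of the two rulesets, showing why the SSO POST was denied and why the exception has to live in SYSTEM. Assumptions: the function names are hypothetical, `LOCAL_HOSTS` is a constructed stand-in for "resolves to a private address over the VPN", HTTP method filters are not modelled, and a rule whose predicates do not match the origin is assumed to fall through to the next rule.

```python
from urllib.parse import urlsplit

# Constructed assumption: over the VPN the SSO host resolves to a private address.
LOCAL_HOSTS = {"sso.from.mydomain.com"}

DEFAULT_SYSTEM = "Site LOCAL\nAccept from LOCAL\nDeny"
SSO_EXCEPTION = "Site https://sso.from.mydomain.com\nAccept from .wikisite.we.use.com"
NARROWED_SYSTEM = SSO_EXCEPTION + "\n\n" + DEFAULT_SYSTEM

def matches(pattern, url):
    """Match LOCAL, a .domain pattern (host and subdomains), or an exact origin."""
    target = urlsplit(url)
    if pattern == "LOCAL":
        return target.hostname in LOCAL_HOSTS
    if pattern.startswith("."):
        host = target.hostname or ""
        return host == pattern[1:] or host.endswith(pattern)
    wanted = urlsplit(pattern)
    return (wanted.scheme, wanted.hostname) == (target.scheme, target.hostname)

def parse(text):
    """Parse 'Site ...' lines, each followed by 'Accept|Deny [from ...]' predicates."""
    rules = []
    for line in text.strip().splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "Site":
            rules.append((words[1:], []))
        else:  # words[1] is 'from' when origins are listed
            rules[-1][1].append((words[0], words[2:] if len(words) > 1 else None))
    return rules

def check_ruleset(rules, dest, origin):
    """Return the action of the first matching predicate, or None if nothing applies."""
    for sites, predicates in rules:
        if not any(matches(s, dest) for s in sites):
            continue
        for action, origins in predicates:
            if origins is None or any(matches(o, origin) for o in origins):
                return action
    return None

def decide(system, user, dest, origin):
    """Both rulesets are applied; a Deny from either one blocks the request."""
    verdicts = [check_ruleset(parse(rs), dest, origin) for rs in (system, user)]
    return "Deny" if "Deny" in verdicts else "Accept"
```

In this model, placing the exception only in USER leaves the request blocked, because the default SYSTEM rule still returns Deny for the same request.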