Howto: Integrating Access Manager 3.1.1 IR1 Linux Access Gateway with Teaming 2.0

  • 7004284
  • 24-Aug-2009
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Support Pack 1 Interim Release 1 applied - requirement
Teaming and Conferencing 2.0

Situation

The following document provides sample (path and domain based) configurations for using Teaming 2.0 through Novell Access Manager (NAM) 3.1.1 Interim Release 1 (IR1) Linux Access Gateways. The IP addresses and hostnames used in the document are specific to our test network, and must be changed to reflect the IP addresses and hosts in your network setup.

Teaming configuration options for interoperability with NAM:

Teaming 2.0's installer.xml file contains settings in the <SSO> section for use with a proxy device such as the Access Gateway (AG). To use Teaming through a NAM Access Gateway with Identity Injection for single sign-on, Teaming needs to "trust" the AG so that it will process the credentials in the Authorization header. Teaming accepts only a simple-format username (i.e. user1) and password in the Authorization header.


To configure Teaming to trust a device, run the script "installer-teaming.linux" and follow the prompts: select "Reconfigure settings", choose "Advanced Settings", then accept the defaults down to the option "Enable Access Gateway" (yes), then under "Access Gateway address(es)" enter the IP address of the AG (wildcards like 164.99.*.* are allowed). Logins will then only be allowed from those addresses. If Authorization header credentials are not present or are incorrect, the user is prompted for login using Basic authentication.


Following is an example of an installer.xml file with settings for use with iChain or NAM:


<SSO>
<iChain type="1" enable="true">
<Logoff url="https://dbmhteaming.cit.novell.com/AGLogout"/>
<Proxy ipaddr="10.251.202.80"/>
<WebDAVProxy host="webdav.cit.novell.com" enable="true"/>
</iChain>
</SSO>


where:


<iChain type="1" enable="true">

-type is always 1. If enable="true", only the IP addresses listed in <Proxy ipaddr> are allowed access to Teaming (others see a blank page or an access denied message). In this document this setting is always assumed to be type "1" and enable "true". When "true", Teaming processes the user credentials in the Authorization header for the purpose of single sign-on.


<Logoff url="http://dbmhteaming.cit.novell.com/AGLogout"/>

-This setting is used for simultaneous logout of Teaming and the proxy device. The URL should be that of the Teaming proxy service (or one that qualifies for rewriting) with the path /AGLogout.


<Proxy ipaddr="10.251.202.80"/>

-is a comma-separated list of IP addresses of machines which will be allowed access to Teaming. When using NAM to provide access to the Teaming server, this list should contain the address(es) used by the Access Gateway(s) for connections to the Teaming server. Note that wildcards can be used (ex: <Proxy ipaddr="151.155.254.*,192.11.*.*"/>).


<WebDAVProxy enable="false" host="webdav.company.com"/>

-This option is used in an iChain environment to allow separation of Teaming and webDAV content across two proxy services for the purpose of using a Form type login for Teaming and a Basic login for webDAV. It is not required for use with the NAM Access Gateways because authentication types can be set at the protected resource level rather than at the proxy service level as with iChain.
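As an added example (not Teaming's or Access Manager's code), the following Python models the trust decision described above: it reads an installer.xml <SSO> fragment constructed here, applies the <Proxy ipaddr> list (with 164.99.*.*-style wildcards) to the client address, and only then inspects a Basic Authorization header for a simple-format username. The function names and the password_ok callback are assumptions.

```python
"""Model of Teaming's SSO trust decision as driven by installer.xml.

Added example, not Teaming's or Access Manager's code. It applies the rules
stated in this document: with enable="true" only the <Proxy ipaddr>
addresses may reach Teaming, and a Basic Authorization header from such an
address is processed only if it carries a simple-format username.
Assumptions: the function names below and the password_ok callback that
stands in for Teaming's own credential check.
"""
import base64
import xml.etree.ElementTree as ET

# Constructed installer.xml <SSO> fragment in the shape shown in this TID.
INSTALLER_XML_SSO = """<SSO>
<iChain type="1" enable="true">
<Logoff url="https://dbmhteaming.cit.novell.com/AGLogout"/>
<Proxy ipaddr="10.251.202.80,164.99.*.*"/>
<WebDAVProxy host="" enable="false"/>
</iChain>
</SSO>"""


def load_sso(xml_text):
    """Return (enabled, trusted address patterns) from the <SSO> section."""
    ichain = ET.fromstring(xml_text).find("iChain")
    enabled = ichain.get("enable", "false").lower() == "true"
    raw = ichain.find("Proxy").get("ipaddr", "")
    return enabled, [p.strip() for p in raw.split(",") if p.strip()]


def ip_matches(pattern, ip):
    """Octet-wise comparison; '*' in the pattern matches any octet (164.99.*.*)."""
    p_octets, i_octets = pattern.split("."), ip.split(".")
    if len(p_octets) != 4 or len(i_octets) != 4:
        return False
    return all(p == "*" or p == i for p, i in zip(p_octets, i_octets))


def parse_basic_credentials(header):
    """Decode 'Basic base64(user:password)'; None if absent or malformed."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep and user else None


def is_simple_username(user):
    """Teaming accepts only a simple name such as 'user1', not a DN or domain form."""
    return not any(ch in user for ch in "=,\\@/")


def sso_decision(xml_text, client_ip, authorization_header, password_ok):
    """Outcome for one request, as a string:
    'form-login'      - SSO disabled, Teaming shows its own login form
    'deny-untrusted'  - client not in <Proxy ipaddr>, no access at all
    'challenge-basic' - header missing/bad, user is prompted for Basic login
    'login:<user>'    - injected credentials accepted
    """
    enabled, patterns = load_sso(xml_text)
    if not enabled:
        return "form-login"
    if not any(ip_matches(p, client_ip) for p in patterns):
        return "deny-untrusted"
    creds = parse_basic_credentials(authorization_header)
    if creds is None or not is_simple_username(creds[0]) or not password_ok(*creds):
        return "challenge-basic"
    return "login:" + creds[0]


def basic_header(user, password):
    """Header that the Access Gateway's identity injection policy would add."""
    token = base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


if __name__ == "__main__":
    ok = lambda u, p: (u, p) == ("user1", "secret")
    for ip, hdr in [("10.251.202.80", basic_header("user1", "secret")),
                    ("192.0.2.7", basic_header("user1", "secret")),
                    ("164.99.12.34", None)]:
        print(ip, "->", sso_decision(INSTALLER_XML_SSO, ip, hdr, ok))
```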

Access Manager sample configurations for use with Teaming

Following are sample configurations which have been used during testing with NAM 3.1.1 and Teaming 2.0. Note that with each configuration, users will see a form type login to Access Manager when accessing Teaming's html content, and a Basic type login when accessing Teaming's webDAV content. Because session sharing is not possible between a browser and a webDAV client, the user may be prompted for login multiple times when accessing webDAV content.

Proxy service type: Domain-based multi-home

This configuration provides protected access to Teaming html and webDAV content using a domain-based proxy service, single sign on using identity injection, and simultaneous logout.


NAM setup detail:


  • Proxy service type: domain-based multi-home (example Published DNS Name=dbmhteaming.cit.novell.com)

  • SSL enabled on Public side (port 443), non-ssl on private (Connect Port: 8080)

  • Host Header: Web Server Host Name: enabled (ex: internal.dbmhteaming.cit.novell.com)

  • “Web Servers” page-> TCP Connect Options->Data Read Timeout=1200 (to avoid timeout problems when uploading files)

  • HTML Rewriting: Word profile with “value” (without quotes) added to “Variable or Attribute Name to Search for is” list (needed for proper rewriting in the workflow area “Form and View Designers” page)

  • Create LAG touch file /var/novell/.incCOSSize

  • Add a Bypass type PIN list entry for the published URL of the Teaming proxy service. For example:

    URL Mask=teaming.cit.novell.com (DNS name of proxy service)

    Pin Type=Bypass

  • Protected Resource setup for Teaming html content:

Protected Resource “pr-html”:

-path=/*

-Authentication Procedure: Secure Name/Password – Form type contract

-Identity Injection: enabled, policy “ii-simple” (injects Credential Profile LDAP name and password into the Authorization headers)


  • Protected Resource setup for Teaming webDAV and AJAX content:

Protected Resource “pr-dav”:

-path= <two paths as below>

/ssfs/* (for webDAV content)

/ssf/a/do?* (for AJAX content)

-Authentication Procedure:

“Contract:”=<same contract as used in pr-html above>

“Non-Redirected Login:” enabled

“Realm:” = Teaming

“Redirect to Identity Server When No Authentication Header is Provided:” disabled

    -Identity Injection: enabled, policy “ii-simple” (same policy as used with pr-html)


  • Simultaneous Logout:

    Enabled in Teaming's installer.xml and set to the Teaming proxy service url plus /AGLogout as the path (ex https://dbmhteaming.cit.novell.com/AGLogout)


Teaming setup options (installer.xml):


<SSO>
<iChain type="1" enable="true">
<Logoff url="https://dbmhteaming.cit.novell.com/AGLogout"/>
<Proxy ipaddr="10.251.202.80"/>
<WebDAVProxy host="" enable="false"/>
</iChain>
</SSO>


...where


<Logoff url="https://dbmhteaming.cit.novell.com/AGLogout"/>


is the proxy service's public DNS name and the path for logout of NAM, and


<Proxy ipaddr="10.251.202.80"/>


is the IP address used by the Access Gateway when connecting to Teaming.

Proxy Service Type: Path-based multi-home (Remove Path on Fill disabled)

This configuration provides protected access to Teaming html and webDAV content using a path-based proxy service where the option “Remove Path on Fill” is disabled, single sign-on using identity injection, and simultaneous logout. With this sample, users would access Teaming with a URL similar to https://teaming.cit.novell.com/teaming.


NAM setup detail:


  • Proxy service type: path-based multi-home (example Published DNS Name=teaming.cit.novell.com)

  • SSL enabled on Public side (port 443), non-ssl on private (Connect Port: 8080)

  • Multi-homing Path List: /ssf, /ssfs, /teaming

  • Remove Path on Fill: disabled

  • Host Header: Web Server Host Name: enabled (ex: internal.teaming.cit.novell.com)

  • “Web Servers” page-> TCP Connect Options->Data Read Timeout=1200 (to avoid timeout problems when uploading files)

  • HTML Rewriting: Word profile with “value” (without quotes) added to “Variable or Attribute Name to Search for is” list (needed for proper rewriting in the workflow area “Form and View Designers” page)

  • Create LAG touch file /var/novell/.incCOSSize as workaround for 518039

  • Add a Bypass type PIN list entry for the published URL of the Teaming proxy service. For example:

    URL Mask=teaming.cit.novell.com (DNS name of proxy service)

    Pin Type=Bypass

  • Protected Resource setup for Teaming html content:

Protected Resource “pr-html”:

-path= <two paths as below>

/ssf/*

/teaming/*


-Authentication Procedure: Secure Name/Password – Form type contract

-Identity Injection: enabled, policy “ii-simple” (injects Credential Profile LDAP name and password into the Authorization headers)


  • Protected Resource setup for webDAV and AJAX content:

Protected Resource “pr-dav”:

-path= <two paths as below>

/ssfs/* (for webDAV content)

/ssf/a/do?* (for AJAX content)

-Authentication Procedure:

“Contract:”=<same contract used in pr-html above>

“Non-Redirected Login:” enabled

“Realm:” = Teaming

“Redirect to Identity Server When No Authentication Header is Provided:” disabled

    -Identity Injection: enabled, policy “ii-simple” (same policy used with pr-html)


  • Simultaneous Logout:

    Enabled in Teaming's installer.xml and set to the Teaming proxy service url plus /AGLogout as the path (ex https://teaming.cit.novell.com/AGLogout)


Teaming setup options (installer.xml):


<SSO>
<iChain type="1" enable="true">
<Logoff url="https://teaming.cit.novell.com/AGLogout"/>
<Proxy ipaddr="10.251.202.80"/>
<WebDAVProxy host="" enable="false"/>
</iChain>
</SSO>


...where


<Logoff url="https://teaming.cit.novell.com/AGLogout"/>


is the proxy service's public DNS name and the path for logout of NAM, and


<Proxy ipaddr="10.251.202.80"/>


is the IP address used by the Access Gateway when connecting to Teaming.

Proxy Service Type: Path-based multi-home (Remove Path on Fill enabled)

This configuration provides protected access to Teaming html and webDAV content using a path-based proxy service where the option “Remove Path on Fill” is enabled, single sign-on using identity injection, and simultaneous logout. With this sample, users would access Teaming with a URL similar to https://teaming.cit.novell.com/testTC20/teaming.


NAM setup detail:


  • Proxy service type: path-based multi-home (example Published DNS Name=teaming.cit.novell.com)

  • SSL enabled on Public side (port 443), non-ssl on private (Connect Port: 8080)

  • Multi-homing Path List: /testTC20

  • Remove Path on Fill: enabled

  • Reinsert Path in “set=cookie” header: enabled

  • “Allow pages to be cached by browser”: enabled

  • Host Header: Web Server Host Name: enabled (ex: internal.teaming.cit.novell.com)

  • “Web Servers” page-> TCP Connect Options->Data Read Timeout=1200 (to avoid timeout problems when uploading files)

  • HTML Rewriting:

The rewriter is set up so that POST data in html content is not rewritten. This allows the Send E-Mail feature in Teaming to work properly when using Teaming through NAM. When Send E-Mail is used, the generated mail message contains a link that points to the URL of the browser's current location at the moment “Send Email” is clicked. When the user completes the mail and clicks OK, a POST sends the email data to the Teaming server. The POST data contains the browser's current URL, which in this case is the EXTERNAL scheme, DNS name, port and accelerator sub-path of the proxy service. When the AG forwards this POST, the data should NOT be rewritten to the accelerator's internal scheme, name and port, nor should the pbmh (path-based multi-home) sub-path be removed. Because the data is not rewritten, when a user later opens the mail and clicks the link, the browser is sent to the URL of the pbmh DoStrip accelerator for Teaming (as desired). This will cause issues if both internal (direct) and external (through an AG) users are trying to use the email link, but normally, when Teaming is used through an AG it is NOT also used with direct connections. The new rewriter setup, which uses two separate rewriter profiles, is similar to the following:


Word Rewriter Profile 1 (For webDAV content, top profile on list):

If Requested URL is:

https://<DNS_of_pbmh_service>/testTC20/ssfs/*


(this entry is used so that this rewriter profile is only active on webDAV content)


Rewrite Inbound Query String Data: enabled

Rewrite Inbound Post Data: enabled

Rewrite Inbound Headers: enabled


Additional Strings to Replace:

Search = /ssfs

Replace=$path/ssfs



Word Rewriter Profile 2 (For html content, second on profile list):

Rewrite Inbound Query String Data: enabled

Rewrite Inbound Post Data: disabled

Rewrite Inbound Headers: enabled


“value” (without quotes) added to “Variable or Attribute Name to Search for is” list (needed for proper rewriting in the workflow area “Form and View Designers” page)


Additional Strings to Replace:

Search = /ssf

Replace=$path/ssf


All other settings in these two rewriter profiles are at default settings. Be sure to move these profiles to the top of the ordered list of rewriter profiles as noted above.


  • Create LAG touch file /var/novell/.incCOSSize as workaround for 518039

  • Add a Bypass type PIN list entry for the published URL of the Teaming proxy service. For example:

    URL Mask=teaming.cit.novell.com (DNS name of proxy service)

    Pin Type=Bypass

  • Protected Resource setup for Teaming html content:

Protected Resource “pr-html”:

-paths=<two paths as below>


/testTC20/ssf/*

/testTC20/teaming/*


-Authentication Procedure: Secure Name/Password – Form type contract

-Identity Injection: enabled, policy “ii-simple” (injects Credential Profile LDAP name and password into the Authorization headers)


  • Protected Resource setup for webDAV and AJAX content:

Protected Resource “pr-dav”:

-paths= <two paths as below>


/testTC20/* (for webDAV content)

/testTC20/ssf/a/do?* (for AJAX content)


-Authentication Procedure:

Use an Authentication Procedure with settings:

“Contract:”=<same contract used in pr-html above>

“Non-Redirected Login:” enabled

“Realm:” = Teaming

“Redirect to Identity Server When No Authentication Header is Provided:” disabled

    -Identity Injection: enabled, policy “ii-simple” (same policy used with pr-html)


  • Simultaneous Logout:

    Enabled in Teaming's installer.xml and set to the Teaming proxy service url plus /AGLogout as the path (ex https://teaming.cit.novell.com/AGLogout)


Teaming setup options (installer.xml):


<SSO>
<iChain type="1" enable="true">
<Logoff url="https://teaming.cit.novell.com/AGLogout"/>
<Proxy ipaddr="10.251.202.80"/>
<WebDAVProxy host="" enable="false"/>
</iChain>
</SSO>


...where


<Logoff url="https://teaming.cit.novell.com/AGLogout"/>


is the proxy service's public DNS name and the path for logout of NAM, and


<Proxy ipaddr="10.251.202.80"/>


is the IP address used by the Access Gateway when connecting to Teaming.
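The following Python is an added example, not Access Manager's rewriter: it models only the behaviour the two-profile rewriter setup in this section relies on (profile selection by requested URL, inbound POST data rewritten for webDAV content but left alone for html content so Send E-Mail links keep the external URL, and the /ssfs and /ssf search strings expanded with $path on responses). The internal hostname and port, the request bodies, and the assumption that "Additional Strings to Replace" is a plain string replacement are constructed for the example.

```python
"""Simplified model of the two rewriter profiles used with the path-based
multi-home proxy service ("Remove Path on Fill" enabled).

Added example, not Access Manager's rewriter. Assumptions: the public and
internal base URLs below, the multi-homing path /testTC20 from this
section, and that "Additional Strings to Replace" is a plain string
replacement applied to response content.
"""
import re
from dataclasses import dataclass
from typing import Optional

PUBLIC_BASE = "https://teaming.cit.novell.com"                 # published DNS name
INTERNAL_BASE = "http://internal.teaming.cit.novell.com:8080"  # web server (constructed)
MH_PATH = "/testTC20"  # Multi-homing Path; expands $path in the profiles


@dataclass
class Profile:
    name: str
    url_pattern: Optional[str]  # "If Requested URL is" (None = applies to any URL)
    rewrite_post: bool          # Rewrite Inbound Post Data
    search: str                 # Additional Strings to Replace: Search
    replace: str                # Additional Strings to Replace: Replace


# Ordered as in this section: the webDAV profile sits above the html profile.
PROFILES = [
    Profile("webdav", PUBLIC_BASE + MH_PATH + "/ssfs/*", True, "/ssfs", "$path/ssfs"),
    Profile("html", None, False, "/ssf", "$path/ssf"),
]


def select_profile(requested_url):
    """First profile whose 'If Requested URL is' pattern matches wins."""
    for prof in PROFILES:
        if prof.url_pattern is None:
            return prof
        regex = "^" + re.escape(prof.url_pattern).replace(r"\*", ".*") + "$"
        if re.match(regex, requested_url):
            return prof
    raise LookupError("no rewriter profile matched")


def fill_url(requested_url):
    """Remove Path on Fill: the URL the Teaming web server actually receives."""
    prefix = PUBLIC_BASE + MH_PATH
    if not requested_url.startswith(prefix):
        raise ValueError("request is outside the multi-homing path")
    return INTERNAL_BASE + requested_url[len(prefix):]


def rewrite_inbound_post(requested_url, body):
    """Inbound POST data is rewritten public->internal only when the active
    profile enables it; the html profile leaves Send E-Mail links pointing
    at the external proxy service URL."""
    prof = select_profile(requested_url)
    if not prof.rewrite_post:
        return body
    return body.replace(PUBLIC_BASE + MH_PATH, INTERNAL_BASE)


def rewrite_outbound(requested_url, body):
    """Response content: internal absolute URLs back to the public URL (with
    the multi-home path reinserted), then the profile's search string gets
    $path prepended, skipping references that already carry it."""
    prof = select_profile(requested_url)
    body = body.replace(INTERNAL_BASE, PUBLIC_BASE + MH_PATH)
    replacement = prof.replace.replace("$path", MH_PATH)
    pattern = r"(?<!" + re.escape(MH_PATH) + r")" + re.escape(prof.search) + r"(?![\w-])"
    return re.sub(pattern, replacement, body)


if __name__ == "__main__":
    mail_post = PUBLIC_BASE + "/testTC20/ssf/a/do"
    print(rewrite_inbound_post(mail_post, "link=" + PUBLIC_BASE + "/testTC20/teaming/home"))
    print(rewrite_outbound(mail_post, 'href="/ssf/a/do" src="/ssfs/x"'))
```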

Proxy Service Type: Non multi-home


Not tested

Single sign on configuration

  • Identity Injection


Teaming will process a received Authorization header for login credentials. The username must be in simple format (i.e. User1). Teaming will only process Authorization headers in requests from trusted hosts. See the section “Teaming configuration options for interoperability with NAM:” above for details.


  • Form fill

    A form fill policy can be used for single sign on to Teaming instead of Identity Injection. Form fill is more difficult to configure and is prone to failures if form changes result in match criteria failure (for example, if the login form element names or failure messages change when the build is upgraded). However, form fill may be useful in some configurations.

    For compatibility with form fill, Teaming's installer.xml should have enable="false" in the <SSO> section. For example:


<SSO>
<iChain type="1" enable="false">
<Logoff url=""/>
<Proxy ipaddr=""/>
<WebDAVProxy host="" enable="false"/>
</iChain>
</SSO>


Sample Protected Resource configuration for using form fill for single sign on to Teaming html content with a domain-based proxy service (note that webDAV content will continue to use Basic authentication as required by the protocol):


  • Protected Resource setup for form fill specific content:

    Protected Resource “pr-ff”:

-path= <two paths as below>

/ssf/a/do?p_name=ss_forum&p_action=1&action=__login*

/ssf/a/do?p_name=ss_forum&p_action=1&entryId=ss_user_id_place_holder&action=view_ws_listing&binderId=2

-Authentication Procedure: Secure Name/Password – Form type contract

-Identity Injection: disabled

-Form Fill: <TC 2.0 form fill policy enabled>


  • Protected Resource setup for other html content:

Protected Resource “pr-html”:

-path=<two paths as below>


/ssf/*

/teaming/*

-Authentication Procedure: <same contract as used in pr-ff above>

-Form Fill policy:<none>

-Identity Injection Policy: <none>


  • Protected Resource setup for Teaming webDAV and AJAX content:

Protected Resource “pr-dav”:

-path= <two paths as below>

/ssfs/* (for webDAV content)

/ssf/a/do?* (for AJAX content)

-Authentication Procedure:

“Contract:”=<same contract used in pr-html above>

“Non-Redirected Login:” enabled

“Realm:” = Teaming

“Redirect to Identity Server When No Authentication Header is Provided:” disabled

    -Form Fill policy: <none>

-Identity Injection Policy: enabled, policy “ii-simple” (injects Credential Profile LDAP Name and Password in Authorization header)


Sample Form Fill policy:

The 'Additional Information' section of this TID includes a sample form fill policy that provides single sign-on, simultaneous logout, and login error handling. Save this policy to an XML text file and import it into the iManager policy database (select Policy -> Import). Again, change the IP addresses and hostnames to reflect the ones from your setup.




Additional Information

<?xml version="1.0" encoding="UTF-8"?>
<!--Sample XML file generated by XMLSpy v2005 rel. 3 U (http://www.altova.com)-->
<NxpeService xmlns:xpeml="urn:novell:schema:xpeml:2.0:policy" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:noNamespaceSchemaLocation="./nxpeService-2.0.xsd" Revision="0.1">
  <xpeml:PolicyCollection schemaVersion="2.0">
    <xpeml:PoliciesDefinitionList LastModified="4294967295" LastModifiedBy="String">
      <xpeml:Policy Enable="true" UserInterfaceID="PolicyID_xpemlPEP_AGFormFill_12507087418820" Category="" Name="ff-LAG-Teaming20-nonmh" LastModified="1250723324614" PolicyID="PolicyID_xpemlPEP_AGFormFill_12507087418820" DateCreated="4294967295" Description="" DateArchived="4294967295" LastModifiedBy="cn=admin,o=novell">
        <xpeml:PolicyEnforcementPointRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlPEP_AGFormFill" />
        <xpeml:ConfigurationUsageList />
        <xpeml:Rule RuleID="RuleID_125070874188200" RuleOrder="1" Enable="1" UserInterfaceID="RuleID_125070874188200" ConditionCombiningAlgorithm="DNF" Description="" Priority="0">
          <xpeml:ActionList>
            <xpeml:Action UserInterfaceID="ActionID_1239034177691" Order="3">
              <xpeml:ActionRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlAction_FormFill" />
              <xpeml:InstanceParameterList>
                <xpeml:ParameterGroup UserInterfaceID="FormSelectionCriteria" EnumerativeValue="3310" GroupName="FormSelectionCriteria" Order="1">
                  <xpeml:Choice UserInterfaceID="ChoiceID_10_1239034177856" EnumerativeValue="10" Enabled="true" ChoiceName="Cgi" Order="1">
                    <xpeml:Parameter Value="p_name%3Dss_forum%26p_action%3D1%26action%3Dview_ws_listing%26binderId%3D2%26entryId%3Dss_user_id_place_holder" UserInterfaceID="ParameterID_1_1239034177856" EnumerativeValue="1" Name="Criteria" />
                  </xpeml:Choice>
                  <xpeml:Choice UserInterfaceID="ChoiceID_20_1239034177860" EnumerativeValue="20" Enabled="true" ChoiceName="Form" Order="2">
                    <xpeml:Parameter Value="" UserInterfaceID="ParameterID_1_1239034177860" EnumerativeValue="1" Name="Criteria" />
                  </xpeml:Choice>
                </xpeml:ParameterGroup>
                <xpeml:ParameterGroup UserInterfaceID="FormSelection" EnumerativeValue="3310" GroupName="FormSelection" Order="2">
                  <xpeml:Choice UserInterfaceID="ChoiceID_20_1239034177864" EnumerativeValue="20" Enabled="true" ChoiceName="Form" Order="1">
                    <xpeml:Parameter Value="loginForm" UserInterfaceID="ParameterID_2_1239034177864" EnumerativeValue="2" Name="Name" />
                  </xpeml:Choice>
                </xpeml:ParameterGroup>
                <xpeml:ParameterGroup UserInterfaceID="FillOptions" EnumerativeValue="3320" GroupName="FillOptions" Order="3">
                  <xpeml:Choice UserInterfaceID="ChoiceID_10_1239034177868" EnumerativeValue="10" Enabled="true" ChoiceName="InputField" Order="1">
                    <xpeml:Parameter Value="j_username" UserInterfaceID="ParameterID_1_1239034177868" EnumerativeValue="1" Name="Name" />
                    <xpeml:Parameter Value="text" UserInterfaceID="ParameterID_2_1239034177868" EnumerativeValue="2" Name="Type" />
                    <xpeml:Parameter Value="NEPXurn%7E3Anovell%7E3Acredentialprofile%7E3A2005-03%7E2Fcp%7E3ASecrets%7E2Fcp%7E3ASecret%7E2Fcp%7E3AEntry%7E40%7E40%7E40%7E40WSCQSSToken%7E40%7E40%7E40%7E40%7E2Fcp%7E3ASecrets%7E2Fcp%7E3ASecret%7E5Bcp%7E3AName%7E3D%7E22secret-TC20%7E22%7E5D%7E2Fcp%7E3AEntry%7E5Bcp%7E3AName%7E3D%7E22name%7E22%7E5D" UserInterfaceID="ParameterID_3_1239034177868" EnumerativeValue="3" Name="FillValue" ForceDataRead="-1">
                      <xpeml:ContextDataElementRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlContextDataElement_SharedSecret" />
                    </xpeml:Parameter>
                    <xpeml:Parameter Value="none" UserInterfaceID="ParameterID_4_1239034177868" EnumerativeValue="4" Name="DataConversion" />
                  </xpeml:Choice>
                  <xpeml:Choice UserInterfaceID="ChoiceID_10_1239034504844" EnumerativeValue="10" Enabled="true" ChoiceName="InputField" Order="2">
                    <xpeml:Parameter Value="j_password" UserInterfaceID="ParameterID_1_1239034504844" EnumerativeValue="1" Name="Name" />
                    <xpeml:Parameter Value="password" UserInterfaceID="ParameterID_2_1239034504844" EnumerativeValue="2" Name="Type" />
                    <xpeml:Parameter Value="NEPXurn%7E3Anovell%7E3Acredentialprofile%7E3A2005-03%7E2Fcp%7E3ASecrets%7E2Fcp%7E3ASecret%7E2Fcp%7E3AEntry%7E40%7E40%7E40%7E40WSCQSSToken%7E40%7E40%7E40%7E40%7E2Fcp%7E3ASecrets%7E2Fcp%7E3ASecret%7E5Bcp%7E3AName%7E3D%7E22secret-TC20%7E22%7E5D%7E2Fcp%7E3AEntry%7E5Bcp%7E3AName%7E3D%7E22password%7E22%7E5D" UserInterfaceID="ParameterID_3_1239034504844" EnumerativeValue="3" Name="FillValue" ForceDataRead="-1">
                      <xpeml:ContextDataElementRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlContextDataElement_SharedSecret" />
                    </xpeml:Parameter>
                    <xpeml:Parameter Value="none" UserInterfaceID="ParameterID_4_1239034504844" EnumerativeValue="4" Name="DataConversion" />
                  </xpeml:Choice>
                </xpeml:ParameterGroup>
                <xpeml:ParameterGroup UserInterfaceID="SubmitOptions" EnumerativeValue="3330" GroupName="SubmitOptions" Order="4">
                  <xpeml:Choice UserInterfaceID="ChoiceID_10_1239034177876" EnumerativeValue="10" Enabled="true" ChoiceName="AutoSubmit" Order="1">
                    <xpeml:Parameter Value="false" UserInterfaceID="ParameterID_1_1239034177876" EnumerativeValue="1" Name="Debug" />
                    <xpeml:Parameter Value="true" UserInterfaceID="ParameterID_2_1239034177876" EnumerativeValue="2" Name="MaskData" />
                  </xpeml:Choice>
                  <xpeml:Choice UserInterfaceID="ChoiceID_40_1239034177880" EnumerativeValue="40" Enabled="false" ChoiceName="InsertHeaderText" Order="2">
                    <xpeml:Parameter Value="" UserInterfaceID="ParameterID_2_1239034177880" EnumerativeValue="2" Name="HeaderText" />
                  </xpeml:Choice>
                  <xpeml:Choice UserInterfaceID="ChoiceID_50_1239034177884" EnumerativeValue="50" Enabled="true" ChoiceName="JavaScript" Order="3">
                    <xpeml:Parameter Value="" UserInterfaceID="ParameterID_1_1239034177884" EnumerativeValue="1" Name="FunctionsToKeep" />
                    <xpeml:Parameter Value="" UserInterfaceID="ParameterID_2_1239034177884" EnumerativeValue="2" Name="StatementsForSubmit" />
                  </xpeml:Choice>
                </xpeml:ParameterGroup>
                <xpeml:ParameterGroup UserInterfaceID="ErrorHandling" EnumerativeValue="3399" GroupName="ErrorHandling" Order="5">
                  <xpeml:Choice UserInterfaceID="ChoiceID_10_1239034177888" EnumerativeValue="10" Enabled="true" ChoiceName="Redirect" Order="1">
                    <xpeml:Parameter Value="http%3A%2F%2Fcit.novell.com%2FFillActionFailure1.html" UserInterfaceID="ParameterID_1_1239034177888" EnumerativeValue="1" Name="Url" />
                  </xpeml:Choice>
                </xpeml:ParameterGroup>
              </xpeml:InstanceParameterList>
            </xpeml:Action>
            <xpeml:Action UserInterfaceID="ActionID_1239039051968" Order="1">
              <xpeml:ActionRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlAction_FormLoginFailure" />
              <xpeml:InstanceParameterList>
                <xpeml:ParameterGroup UserInterfaceID="FormSelectionCriteria" EnumerativeValue="3310" GroupName="FormSelectionCriteria" Order="1">
                  <xpeml:Choice UserInterfaceID="ChoiceID_10_1239039052342" EnumerativeValue="10" Enabled="true" ChoiceName="Cgi" Order="1">
                    <xpeml:Parameter Value="user.logout%3Dtrue" UserInterfaceID="ParameterID_1_1239039052342" EnumerativeValue="1" Name="Criteria" />
                  </xpeml:Choice>
                  <xpeml:Choice UserInterfaceID="ChoiceID_20_1239039052347" EnumerativeValue="20" Enabled="true" ChoiceName="Form" Order="2">
                    <xpeml:Parameter Value="" UserInterfaceID="ParameterID_1_1239039052347" EnumerativeValue="1" Name="Criteria" />
                  </xpeml:Choice>
                </xpeml:ParameterGroup>
                <xpeml:ParameterGroup UserInterfaceID="LoginFailureProcessing" EnumerativeValue="3350" GroupName="LoginFailureProcessing" Order="2">
                  <xpeml:Choice UserInterfaceID="ChoiceID_10_1239039052352" EnumerativeValue="10" Enabled="true" ChoiceName="Redirect" Order="1">
                    <xpeml:Parameter Value="http%3A%2F%2Fmatt.lag.cit.novell.com%2FAGLogout" UserInterfaceID="ParameterID_1_1239039052352" EnumerativeValue="1" Name="Url" />
                  </xpeml:Choice>
                  <xpeml:Choice UserInterfaceID="ChoiceID_20_1239039052359" EnumerativeValue="20" Enabled="false" ChoiceName="DataMgmt" Order="2">
                    <xpeml:Parameter Value="mastercdn#ff-LAG-Teaming20-nonmh" UserInterfaceID="ParameterID_1_1239039052359" EnumerativeValue="1" Name="ClearSharedSecretsForPolicy">
                      <xpeml:ContextDataElementRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlContextDataElement_PolicyReference" />
                    </xpeml:Parameter>
                  </xpeml:Choice>
                </xpeml:ParameterGroup>
              </xpeml:InstanceParameterList>
            </xpeml:Action>
            <xpeml:Action UserInterfaceID="ActionID_1239051157467" Order="2">
              <xpeml:ActionRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlAction_FormLoginFailure" />
              <xpeml:InstanceParameterList>
                <xpeml:ParameterGroup UserInterfaceID="FormSelectionCriteria" EnumerativeValue="3310" GroupName="FormSelectionCriteria" Order="1">
                  <xpeml:Choice UserInterfaceID="ChoiceID_10_1239051158092" EnumerativeValue="10" Enabled="false" ChoiceName="Cgi" Order="1">
                    <xpeml:Parameter Value="" UserInterfaceID="ParameterID_1_1239051158092" EnumerativeValue="1" Name="Criteria" />
                  </xpeml:Choice>
                  <xpeml:Choice UserInterfaceID="ChoiceID_20_1239051158096" EnumerativeValue="20" Enabled="true" ChoiceName="Form" Order="2">
                    <xpeml:Parameter Value="errorcode.login.failed" UserInterfaceID="ParameterID_1_1239051158096" EnumerativeValue="1" Name="Criteria" />
                  </xpeml:Choice>
                </xpeml:ParameterGroup>
                <xpeml:ParameterGroup UserInterfaceID="LoginFailureProcessing" EnumerativeValue="3350" GroupName="LoginFailureProcessing" Order="2">
                  <xpeml:Choice UserInterfaceID="ChoiceID_10_1239051158101" EnumerativeValue="10" Enabled="true" ChoiceName="Redirect" Order="1">
                    <xpeml:Parameter Value="http%3A%2F%2Fmatt.lag.cit.novell.com%2Fteaming" UserInterfaceID="ParameterID_1_1239051158101" EnumerativeValue="1" Name="Url" />
                  </xpeml:Choice>
                  <xpeml:Choice UserInterfaceID="ChoiceID_20_1239051158107" EnumerativeValue="20" Enabled="true" ChoiceName="DataMgmt" Order="2">
                    <xpeml:Parameter Value="mastercdn#ff-LAG-Teaming20-nonmh" UserInterfaceID="ParameterID_1_1239051158107" EnumerativeValue="1" Name="ClearSharedSecretsForPolicy">
                      <xpeml:ContextDataElementRef ElementRefType="ExternalWithIDRef" ExternalDocRef="AccessGateway-default:romaContentCollectionXMLDoc" ExternalElementRef="xpemlContextDataElement_PolicyReference" />
                    </xpeml:Parameter>
                  </xpeml:Choice>
                </xpeml:ParameterGroup>
              </xpeml:InstanceParameterList>
            </xpeml:Action>
          </xpeml:ActionList>
        </xpeml:Rule>
      </xpeml:Policy>
    </xpeml:PoliciesDefinitionList>
  </xpeml:PolicyCollection>
</NxpeService>