User Agent Filtering - How To?

 How to allowlist or blocklist specific browsers based on User-Agent string

Instant User-Agent parsing

  1. In the EasySSO config screen go to the User-Agent Filtering Configuration tab (via NTLM/Kerberos and Advanced Configuration in EasySSO 4.0+)
  2. When you add a user-agent string into "Instant User-Agent parsing" and click parse, the result returned can be copy/pasted into either the include or exclude rules.


How to allowlist a certain type of client browser

Under User-Agent rules, specify each allowlist rule in the following format:

Device Type, OS Family, OS, Browser Type, Browser Family, Browser 

For example:  

COMPUTER,WINDOWS,WINDOWS_7,WEB_BROWSER,IE,IE11

Please note, an empty element in the rule will match anything i.e. a allowlist rule with an empty element is more "lax" than one with a specific value.

For example:  

COMPUTER,WINDOWS,,WEB_BROWSER,IE,

Multiple rules can be specified, one on each line. Empty lines will be ignored.

Lines starting with "#" are considered to be comments - you can use these to record justification notes about allowlisting a browser.

Once a rule is added to allowlist, only those browsers that match the rule will be requested to attempt NTLM/Kerberos Single Sign-On.

Allowlist takes precedence over the blocklist.

If there are no rules entered here or in the blocklist - any browser will be requested to attempt NTLM/Kerberos Single Sign-On.

How to blocklist a certain type of client browser

Under User-Agent Excluded Rules, specify each blocklist rule in the same format:

Device Type, OS Family, OS, Browser Type, Browser Family, Browser 

For example:  

UNKNOWN,UNKNOWN,UNKNOWN,TEXT_BROWSER,LYNX,LYNX

Please note, an empty element in the rule will match anything i.e. a blocklist rule with an empty element is more "broad" than one with a specific value.

For example:  

,,,TEXT_BROWSER,,

Multiple rules can be specified, one on each line. Empty lines will be ignored.

Lines starting with "#" are considered to be comments - you can use these to record justification notes about blocklisting a browser

Once a rule is added to blocklist, the browsers that match the rule will not requested to attempt NTLM/Kerberos Single Sign-On.

Allowlist takes precedence over the blocklist.

If there are no rules entered here or in the whitelist - any browser will be requested to attempt NTLM/Kerberos Single Sign-On.

A word about using User-Agent filtering with Application Links

When building links between Atlassian applications NTLMv2 or Kerberos is not supported and as such EasySSO on the "server" end needs to be instructed to ignore the "client" application.
If the "client" application has EasySSO as well, it needs to be configured in a similar way (i.e. to ignore the other one). This can be achieved either with IP Filtering or, more elegantly, with User-Agent Filtering.
For that just insert the exact syntax of the lines below into the User-Agent Excluded rules (i.e. blocklist):


,,,TOOL,DOWNLOAD,
UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN


EasySSO articles

Try for free

EasySSO for Jira, Confluence, Bamboo, Bitbucket and Fisheye/Crucible

Try for free