User-Agent Filtering - Why?

User agent string parsing is useful if you want to:

1. Automatically authenticate users only within a set of browsers or devices, or exclude known non-working ones
   
2. Allow other applications that don't support NTLM/Kerberos authentication, to proceed without NTLM/Kerberos authentication. 

In the case of our first example you might want to limit Single Sign-On to pre-approved platforms/browsers, for example to ensure safety compliance e.g treat users with Windows Phone differently from those with iOS or Android devices.

In the case of the second example, proceeding without NTLM/Kerberos authentication, you might want to let search bots access your application without failing to perform SSO. See the example below.

Example: Google Search Appliance

You may observe the following User-Agent string in your access log or jespa.log:

User-Agent: gsa-crawler (Enterprise; X7-ABFGARBZ74SAS; admin@example.com) 

You can copy/paste and use User-Agent Instant Parsing feature in User-Agent Filtering Configuration tab to convert this value into the EasySSO User-Agent rule format:

UNKNOWN,Unknown,Unknown,ROBOT,BOT,BOT

This can the be added as a blocklist rule as is or used as a basis to build a more relaxed/compact rule. Empty elements in a rule will match any value, so the sample rule shown below blocklists anything that is classified as browser type "ROBOT" and browser family "BOT", while ignoring device, os family, os version and browser version attributes.

,,,ROBOT,BOT,

The result is that NTLM/Kerberos authentication will not be demanded from GSA, and the bot will be able to proceed without SSO.

A word about using User-Agent filtering with Application Links: 

,,,TOOL,DOWNLOAD,
UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN,UNKNOWN