
connection (Identity Management Advanced Query)

 

Syntax

Hierarchy Level

Release Information

Statement introduced in Junos OS Release 15.1X49-D100.

Description

Configure parameters for connecting the SRX Series to the Juniper Identity Management Service server to obtain user identity and device information.

For the SRX Series device to obtain user identity information, you must first establish a connection to the Juniper Identity Management Service server. The parameters to specify for the connection include the protocol, the IP address of the Juniper Identity Management Service server, and the information to authenticate the SRX Series device to the Juniper Identity Management Service server.

If you are using more than one Juniper Identity Management Service server, you must configure each server separately. The SRX Series device always attempts to connect to the primary server first. If the primary server fails, the SRX Series device falls back to the secondary server. The SRX Series device periodically probes the failed primary server and reverts to it when it is available.

Only configuration of the primary server is mandatory. You are not required to use a secondary server.

The SRX Series advanced user identity query feature queries the Juniper Identity Management Service for user identity information that the SRX Series stores in its authentication table and uses to authenticate users. Use of the Juniper Identity Management Service allows you to provision users locally and have their authentication information made available to other sites in your network for policy enforcement and reporting.

Warning

Before you use this feature, you must disable any other actively used options under the [edit services user-identification] hierarchy. The commit fails if Active Directory authentication, the ClearPass query function, or the ClearPass Web API function is also configured and committed.

To obtain device information, such as device identity, groups, and operating system, from the Juniper Identity Management Service server using either the batch-query or ip-query configuration, you must also set the device authentication source.

connect-method: The protocol (HTTP or HTTPS) that the SRX Series device uses to connect to the Juniper Identity Management Service (JIMS) server to obtain user identity information.

port: The TCP port on the Juniper Identity Management Service server to which the SRX Series device connects.

query-api: The prefix of the URL path used to query user identities. The prefix is shared by queries for individual users and by ip-query and batch-query requests; each query type appends its own suffix:

  • For IP query, query-api/ip/

  • For batch query, query-api/users/

  • For user query, query-api/user

The default value for query-api is user_query/v2.

For example, for a batch query, assume that query-api is left at its default, user_query/v2. The complete URL is built from the connect-method (https), the address of the Juniper Identity Management Service server (shown here as the placeholder JIMS), the query-api prefix, the batch-query suffix, and two query parameters: begintime={timestamp}, the timestamp from which records are requested, and entry_count={count}, the number of user identity entries the Juniper Identity Management Service server returns in the response.

https://JIMS/user_query/v2/users/endpoints?begintime={timestamp}&entry_count={count}

token-api: The URL path for acquiring the access token used for OAuth2 authentication (RFC 6749). The Juniper Identity Management Service server requires the SRX Series device to authenticate to it with OAuth2; the SRX Series device uses the Client Credentials grant type for this purpose.

The following example shows the default token-api value, oauth_token/oauth, combined with the connect-method, https, and the Juniper Identity Management Service server address placeholder to form the complete URL:

https://JIMS/oauth_token/oauth
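The following is an added example, not Junos OS or JIMS code, that shows how the four parameters of this statement compose into the requests the SRX Series device sends: the query-api prefix plus the per-query suffixes listed above, the batch-query URL from the example, and the token-api URL with the RFC 6749 Client Credentials token request (grant_type=client_credentials, client authenticated with HTTP Basic) and the bearer header carried on later queries. The server name JIMS, the client ID and the client secret are constructed placeholders; the `Connection` class and its methods are this example's own names.

```python
"""Compose JIMS request URLs and OAuth2 messages from the connection statement's
parameters. Added example for this page, not Junos OS or JIMS code; "JIMS", the
client ID and the client secret below are constructed placeholders."""
import base64
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlencode, urlunsplit

# Suffixes the page lists for each query type, appended to the query-api prefix.
QUERY_SUFFIXES = {"ip": "ip/", "batch": "users/", "user": "user"}


@dataclass(frozen=True)
class Connection:
    """One JIMS server as described by the connection statement (hypothetical class)."""
    server: str                           # primary or secondary JIMS address
    connect_method: str = "https"         # connect-method: http | https
    port: int = 443                       # port, default 443
    query_api: str = "user_query/v2"      # query-api prefix, default
    token_api: str = "oauth_token/oauth"  # token-api path, default

    def __post_init__(self) -> None:
        if self.connect_method not in ("http", "https"):
            raise ValueError(f"connect-method must be http or https: {self.connect_method}")
        if not 1 <= self.port <= 65535:
            raise ValueError(f"port out of range 1..65535: {self.port}")

    def _url(self, path: str, query: Optional[Dict[str, object]] = None) -> str:
        # The port is omitted from the URL when it is the default for the scheme.
        scheme_default = {"https": 443, "http": 80}[self.connect_method]
        netloc = self.server if self.port == scheme_default else f"{self.server}:{self.port}"
        return urlunsplit((self.connect_method, netloc, "/" + path.lstrip("/"),
                           urlencode(query or {}), ""))

    def query_prefix(self, kind: str) -> str:
        """query-api prefix plus the page's suffix for an ip, batch or user query."""
        return self._url(f"{self.query_api}/{QUERY_SUFFIXES[kind]}")

    def batch_query_url(self, begintime: int, entry_count: int) -> str:
        """The batch-query URL in the form the page shows."""
        return self._url(f"{self.query_api}/users/endpoints",
                         {"begintime": begintime, "entry_count": entry_count})

    def token_url(self) -> str:
        return self._url(self.token_api)

    def token_request(self, client_id: str, client_secret: str) -> Dict[str, object]:
        """RFC 6749 section 4.4 Client Credentials grant: POST to token-api with
        grant_type=client_credentials, client authenticated by HTTP Basic (section 2.3.1)."""
        creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
        return {
            "method": "POST",
            "url": self.token_url(),
            "headers": {"Authorization": f"Basic {creds}",
                        "Content-Type": "application/x-www-form-urlencoded"},
            "body": urlencode({"grant_type": "client_credentials"}),
        }

    @staticmethod
    def bearer_header(access_token: str) -> Dict[str, str]:
        """Authorization header carried on every subsequent query (RFC 6750)."""
        return {"Authorization": f"Bearer {access_token}"}

    def transport_warnings(self) -> List[str]:
        """With connect-method http the Basic client credentials and every bearer
        token cross the network in cleartext; flag that at review time."""
        if self.connect_method == "http":
            return ["connect-method http sends the OAuth2 client secret and bearer "
                    "tokens unencrypted; use https"]
        return []


if __name__ == "__main__":
    conn = Connection(server="JIMS")  # placeholder server name, as on this page
    print(conn.token_url())
    print(conn.batch_query_url(begintime=1700000000, entry_count=200))
    print(conn.token_request("srx-client", "s3cret")["headers"]["Authorization"])
    print(Connection(server="JIMS", connect_method="http").transport_warnings())
```

The transport check is the practical point of the connect-method option: the only thing protecting the client secret in the Basic header, and the bearer token on every later ip-query and batch-query, is the HTTPS connection, so http should be confined to lab use.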

Options

connect-method: Method of connection

Values:

  • http—HTTP connection

  • https—HTTPS connection

port: Server port

Default: 443

Range: 1 through 65535

query-api: Query API (URL path prefix for user identity queries)

token-api: URL path for acquiring the OAuth2 access token

The remaining statements are described separately.

Required Privilege Level

  • services—To view this statement in the configuration.

  • services-control—To add this statement to the configuration.