Authenticating from the Client Scripting API

This feature allows users to log in to the privileged web access console and Jump to an endpoint using the PA Client Scripting API.

The Client Scripting API URL follows the format of https://access.example.com/api/client_script, where access.example.com is your appliance hostname.

The API accepts a client type (type=web_console), an operation to perform (operation=execute), and a command (action=start_jump_item_session). No other commands are supported for the web_console client type.

If the user is logged into the desktop access console when the Client Scripting API URL is accessed with type=web_console, then the user is logged into the privileged web access console and disconnected from the desktop access console. If this behavior is not desired, then the user must use a Client Scripting API URL with type=rep instead of type=web_console.

Conversely, if the user is logged into the privileged web access console and the API calls type=rep, the user is logged into the desktop access console and disconnected from the privileged web access console.

Here is an example of a valid Client Scripting API request:

  • https://access.example.com/api/client_script?type=web_console&operation=execute&action=start_jump_item_session&search_string=ABCDEF02

If the user is already logged into the privileged web access console, the above request runs the command in the browser tab running the privileged web access console. In this case, the command starts a session with the Jump Client whose hostname, comments, public IP, or private IP matches the search string "ABCDEF02".

If the user is not already logged into the privileged web access console, the above request opens a new browser tab and directs the user to /login to authenticate (this step is skipped if the user is already logged in to /login). The user is then redirected to the privileged web access console, and the command starts a session with the Jump Client whose hostname, comments, public IP, or private IP matches the search string "ABCDEF02".

In both cases, if more than one Jump Item matches the search criteria, the user must select the correct Jump Item from a list. If no Jump Items match the search criteria, the privileged web access console shows an error message to the user.

All of the search criteria for the start_jump_item_session command are supported with type=web_console, including:

  • jump.method
  • search_string
  • client.hostname
  • client.comments
  • client.tag
  • client.public_ip
  • client.private_ip
  • session.custom.<attribute code name>
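An integration that generates these links from ticket or inventory fields should percent-encode every value and accept only the criteria listed above, so that a field value cannot append or override type, operation, or action. The following is an added example, not vendor code: the function names are hypothetical, and the character set for attribute code names and the requirement of at least one criterion are assumptions.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit

# Search criteria the page lists for start_jump_item_session.
ALLOWED_CRITERIA = {
    "jump.method", "search_string", "client.hostname", "client.comments",
    "client.tag", "client.public_ip", "client.private_ip",
}
# Assumption: attribute code names are letters, digits and underscores.
CUSTOM_ATTR = re.compile(r"session\.custom\.[A-Za-z0-9_]+")
HOSTNAME = re.compile(r"[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?")
FIXED = [("type", "web_console"), ("operation", "execute"),
         ("action", "start_jump_item_session")]

def _criterion_ok(key):
    return key in ALLOWED_CRITERIA or CUSTOM_ATTR.fullmatch(key) is not None

def build_jump_url(appliance_host, criteria):
    """Return a type=web_console Client Scripting API URL for the criteria."""
    if not HOSTNAME.fullmatch(appliance_host):
        raise ValueError("appliance host is not a plain hostname")
    if not criteria:  # assumption: a request needs at least one criterion
        raise ValueError("no search criteria given")
    for key, value in criteria.items():
        if not _criterion_ok(key):
            raise ValueError(f"unsupported search criterion: {key}")
        if not isinstance(value, str) or not value:
            raise ValueError(f"empty or non-string value for {key}")
    # urlencode percent-encodes '&', '=' and '#' inside values, so a value
    # cannot add or override parameters such as type or action.
    return ("https://" + appliance_host + "/api/client_script?"
            + urlencode(FIXED + list(criteria.items())))

def check_jump_url(url, appliance_host):
    """True only if url is a web_console jump request for this appliance."""
    parts = urlsplit(url)
    if (parts.scheme, parts.netloc, parts.path, parts.fragment) != (
            "https", appliance_host, "/api/client_script", ""):
        return False
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    if len(pairs) != len({key for key, _ in pairs}):  # repeated parameter
        return False
    params = dict(pairs)
    if any(params.pop(name, None) != value for name, value in FIXED):
        return False
    return bool(params) and all(_criterion_ok(key) for key in params)

if __name__ == "__main__":
    print(build_jump_url("access.example.com", {"search_string": "ABCDEF02"}))
```

check_jump_url can be run over links already embedded in tickets or wiki pages to flag any that point at another host, repeat a parameter, or use type=rep, which would disconnect the user from the privileged web access console.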