I say tier case while some elements are two form, I'm more after a "choose your own adventure" type server authentication structure...
Under the "User Realm / General / Servers" I want to try to check machines against a cert server...
If they pass the certificate check I would then like to check them against AD / LDAP using the "User Realm / General / Additional Authentication Server"
If they DO NOT pass the certificate check I would like to check them against an RSA server since this user would have a token
It seems to me that this is basically performing a check in a "User Realm", and if that check doesn't pass almost re-directing to another "User Realm" that has "User Realm / General / Server" setup for RSA... Is that possible?
Any insight would be greatly appreciated, thanks.
What you are looking for is something like a "realm mapping", which is not an option on SA.
Authentication/authorization are tied to a realm; we can't map or present users dynamically to different realms based on any condition.
User is mapped to a realm either by the sign in page he hits or the realm that he manually selects.
I kinda figured this out using HC and enforcement for up-front checks before authentication... If this check fails I use a "custom instruction" with a Java re-direct to point to another sign-in page and can therefore use another authentication / user realm type, in this scenario RSA instead of AD. On the back-end I finally do an evaluation of AV / FW and it seems everything is OK.
The only question I have now is...
On the role mapping...
I have two roles, FULL / Restricted.
The FULL / Restricted roles have HC set up on them so FULL checks for the AV / FW, and Restricted checks for nothing.
When a user successfully authenticates as FULL, both FULL and Restricted links show up as the users under the realm are AND-ed together so to speak.
The Restricted role only shows when a user fails the AV / FW check so that works as intended but... Is there any way to not display restricted access links to people when they successfully authenticate?
On the role mapping rule ensure that you enable "Stop processing rules when this rule matches"; this ensures that your role mapping stops at the point this rule is satisfied.
< please mark this post as 'accepted solution' if this answers your question that way it might help others as well, a kudo would be a bonus thanks >
But the users are not broken out into groups or anything so my criteria on both rules is "*" on user name.
I would like to be able to stop processing the rules based on HC passing or not, not simply the name.
Does that make sense...?
@colemtb wrote: But the users are not broken out into groups or anything so my criteria on both rules is "*" on user name.
I would like to be able to stop processing the rules based on HC passing or not, not simply the name.
Does that make sense...?
Ideally HC policies can be applied at role level. Since the criteria is a * on user name you can evaluate appropriate HC for each role.
If the HC check fails they don't get this role.
Since you don't have stop rule processing turned ON in the first rule you will then be assigned to the next rule.
If the user passes the HC check on the second role he will be only assigned to role2.
But if you are looking at stopping role mapping at rule1 based on the HC status I am afraid we can't do that.
In the event user gets assigned to role1 after passing HC, he will still be evaluated for role2 HC policy.
Yeah... so to summarize or just make sure you know where I'm at...
In this example my HC policy is either a file is present or not.
Since my usernames are *, the second rule, the "file NOT present" rule, gets processed because its HC criteria (or rather the lack of them) are always met. Its UI options / bookmarks always display.
On the first rule, if I "stop processing rules when this rule matches" I can't get to my second rule because "Rule:... If username... is *" is always met. Like you say, you can't stop rule processing of rule one based on criteria in HC?
So basically I have to display both UI options for the FULL user role since Restricted is always met?
Right
Here is how your policy could look:
Rule1: Username=*, HC policy = file check (required), role = FULL
Rule2: Username=*, no HC policy, role= restricted
When User who has full access logs in (he has the file), will be assigned to role=FULL.
Since "Stop rule is not enabled" he will be processed for rule2 and assigned to role=restricted.
When a user who has restricted access logs in (he has no file), he will fail the first rule and go to rule2.
Since rule2 does not need a HC policy he will be assigned to role=restricted.
Hope this is clear.
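As an added illustration (not SA/Pulse code, and not from any poster in this thread), the evaluation order described above can be modelled: rules match on username only, the role-level HC policy then filters the mapped roles, and "Stop processing rules" fires on the username match regardless of HC. The rule/role classes and the marker file path are assumptions made for the model.

```python
from dataclasses import dataclass
from fnmatch import fnmatch
from typing import List, Optional, Set

@dataclass
class Rule:
    username: str            # glob on username; "*" matches everyone
    role: str
    stop_processing: bool = False   # "Stop processing rules when this rule matches"

@dataclass
class Role:
    name: str
    hc_required_file: Optional[str] = None  # role-level HC: file that must be present

def evaluate(username: str, files_present: Set[str],
             rules: List[Rule], roles: dict) -> List[str]:
    """Role mapping as described in the thread: rules are matched in order on
    username alone (HC status is not a rule criterion); the stop flag ends the
    walk after the first username match; role-level HC then drops any mapped
    role whose required file is missing."""
    mapped = []
    for rule in rules:
        if fnmatch(username, rule.username):
            mapped.append(rule.role)
            if rule.stop_processing:
                break
    return [r for r in mapped
            if roles[r].hc_required_file is None
            or roles[r].hc_required_file in files_present]

# Constructed sample data: marker file path is a placeholder, not a real policy.
MARKER = "C:\\corp\\hc_marker.txt"
ROLES = {"FULL": Role("FULL", MARKER), "Restricted": Role("Restricted")}
RULES_THREAD = [Rule("*", "FULL"), Rule("*", "Restricted")]
RULES_STOP = [Rule("*", "FULL", stop_processing=True), Rule("*", "Restricted")]

def scenarios() -> dict:
    """Four cases: the thread's policy and the stop-flag variant, each for a
    user with the marker file (alice) and one without (bob)."""
    return {
        "thread/with_file":    evaluate("alice", {MARKER}, RULES_THREAD, ROLES),
        "thread/without_file": evaluate("bob", set(), RULES_THREAD, ROLES),
        "stop/with_file":      evaluate("alice", {MARKER}, RULES_STOP, ROLES),
        "stop/without_file":   evaluate("bob", set(), RULES_STOP, ROLES),
    }

if __name__ == "__main__":
    for case, assigned in scenarios().items():
        print(f"{case:22s} -> {assigned}")
```

The stop-flag variant shows why the suggestion does not help: the FULL user loses the Restricted links, but the user without the file matches rule1 on username, stops, fails the FULL HC check and ends up with no role at all.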