SSL VPN Sign in Policy, Realm Design Question

Regular Contributor

Hello Experts,

I have an AD authentication server. I have different types of users, like normal employees, HR users, contractors, mobile users, etc.

I have to give different types of access to these different types of users, and some users share resources. My question is: how many realms, sign-in policies and roles do I need to create?

As I understand it, the authentication server is the same, so only one realm and ultimately a single sign-in policy.

Please give your suggestions.

3 REPLIES
Frequent Contributor

Re: SSL VPN Sign in Policy, Realm Design Question

Hi,

In our case, we put the users in AD groups, and then each group has its own role in the SA. Each time a user needs a pool of resources, we assign a certain group in AD, and in the role mapping we merge the roles...

If you want, I can detail it a little bit further.

Regards,

Regular Contributor

Re: SSL VPN Sign in Policy, Realm Design Question

Hello Flip,

Thanks for the reply. So you mean you have only one realm and one sign-in policy, and depending upon the groups returned by AD, you are assigning the roles? Could you please elaborate in more detail? For example, an employee needs some access, and an HR user needs employee access plus some additional access.

I appreciate your input.

Frequent Contributor

Re: SSL VPN Sign in Policy, Realm Design Question

Hi Aeroplane,

I use several realms (and their sign-in policies, etc.) just because of the authentication server we use.

In each realm's role mapping, one of the first roles applies global session options and UI settings to all users.

Then the role mapping is done using groups in AD, and to each AD group I give an SA role. We use groups because it is easier in the SA to do the role mapping, but with expressions you can also use the AD OU structure, or the source IP. For example, I have a rule to permit roaming between the wifi and wired networks inside our networks in HQ, based on their IPs.

Let's say you have these DNs:

userDN = 'cn=John Harding,ou=hr,ou=users,c=Company'
userDN = 'cn=John Doe,ou=eng,ou=users,c=Company'

I would add a role mapping to match OU=users and give Role Users, and another role mapping to match OU=hr and give Role HR.

Then let's say you have two web profiles:

Profile 1 - Company Intranet

Profile 2 - HR tools

Then I will apply Profile 1 to Role Users and Profile 2 to Role HR.

So a person from HR will receive both Company Intranet and HR tools, but John Doe just receives the Intranet.

And do not forget to check the options at the end of the role mapping configuration:

----
When more than one role is assigned to a user:
 *   Merge settings for all assigned roles

----

The merge is the option that does this magic :)

This is a very simple example, and as you can imagine, you can do a full mesh of combinations as you want. In one of my realms I have more than 250 entries in the role mapping; in the Network Connect access policy it is almost 300, and about 100 web profiles. In my case, almost every user has their own set of resources... even two people in the same team can receive different things... Until today I have only had problems with the limit on ACLs...

 

Regards,
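The realm role mapping the replies describe, as an added example that is not part of the thread or of the SA product: rules are matched in order against the user's AD DN (the OU=users / OU=hr rules) or AD group list, and the "merge settings for all assigned roles" option decides whether an HR user gets the union of Company Intranet and HR tools or a single role. It assumes each user record carries a DN and a group list; the Mobile group, Role Mobile and Webmail profile are constructed, and the no-merge behaviour is a simplified model.

```python
def parse_dn(dn):
    """Split 'cn=John Harding,ou=hr,ou=users,c=Company' into (attr, value)
    pairs with lower-cased attribute names."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs

def in_ou(user, ou):
    """True if any OU component of the user's DN equals ou (case-insensitive)."""
    return any(a == "ou" and v.lower() == ou.lower() for a, v in parse_dn(user["dn"]))

def in_group(user, group):
    # Group list assumed to be returned by the AD server at sign-in.
    return group.lower() in (g.lower() for g in user.get("groups", []))

# Realm role mapping rules, evaluated top to bottom (constructed; Role Mobile is a
# hypothetical group-based rule like the ones in the first reply).
ROLE_MAPPING = [
    (lambda u: True,                  "Global Settings"),  # session/UI options for everyone
    (lambda u: in_ou(u, "users"),     "Role Users"),
    (lambda u: in_ou(u, "hr"),        "Role HR"),
    (lambda u: in_group(u, "Mobile"), "Role Mobile"),
]

# Web resource profiles attached to each role (Webmail is constructed).
WEB_PROFILES = {
    "Role Users": ["Company Intranet"],
    "Role HR": ["HR tools"],
    "Role Mobile": ["Webmail"],
}

def assign_roles(user):
    """All roles whose rule matches, in rule order."""
    return [role for match, role in ROLE_MAPPING if match(user)]

def effective_profiles(user, merge=True):
    """Web profiles the session gets: the union over all assigned roles when the
    merge option is on; with it off (assumption: one role per session, the
    first matched here) only that single role's profiles apply."""
    roles = assign_roles(user) if merge else assign_roles(user)[:1]
    profiles = []
    for role in roles:
        for p in WEB_PROFILES.get(role, []):
            if p not in profiles:
                profiles.append(p)
    return profiles

# Constructed user records using the DNs from the reply.
JOHN_HARDING = {"dn": "cn=John Harding,ou=hr,ou=users,c=Company", "groups": []}
JOHN_DOE = {"dn": "cn=John Doe,ou=eng,ou=users,c=Company", "groups": ["Mobile"]}
```

With merge on, John Harding gets both Company Intranet and HR tools while John Doe gets only the Intranet (plus the constructed Webmail from his group); with merge off, only the first matched role applies and the HR tools never reach the session.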