APM Multi-Domain SSO
I have 3 access policies assigned to 3 virtual servers: login, app1 and app2. These share a common top-level domain.
The first access policy for login authenticates the session and assigns a webtop with resources. Some portal access resources had to be removed, as when rewritten they didn't function correctly. These were moved to app1 and app2.
A requirement exists that users always pass through the login and only have access to applications that they are assigned. However, getting app1 and app2 to redirect to login meant using the multi-domain SSO configuration with the authentication redirection URL and cookie setting in each access policy so they match. This is working, and if a user tries to browse to app1/2 they are redirected first to login.
However, any user who can authenticate to login is then automatically granted access to app1 and app2, as their access policies are not evaluated. I understand why this happens. My question is therefore: is there another way to restrict these apps whilst maintaining the single sign-on webtop portal?