I have 3 access policies assigned to 3 virtual servers: login, app1 and app2. These share a common top level domain.
The first access policy for login authenticates the session and assigns a webtop with resources. Some portal access resources had to be removed as when rewritten they didn't function correctly. These were moved to app1 and app2.
A requirement exists that users always pass through the login and only have access to applications that they're assigned; however, to get app1 and app2 to redirect to login meant using the multi-domain SSO configuration with the authentication redirection URL and cookie setting in each access policy so they match. This is working, and if a user tries to browse to app1/2 they are redirected first to login.
However, any user who can authenticate to login is then automatically granted access to app1 and app2 as their access policies are not evaluated; I understand why this happens. My question is therefore: is there another way to restrict these apps, whilst maintaining the single sign-on webtop portal?
I don't know if this will work in your environment but it is possible to assign an ACL upon initial APM authentication based on an AD/LDAP group query. This ACL could say - regardless of what you gained access to via authenticating to that redirected login page - you are still only allowed access to these IP networks that were assigned based off of your group membership.
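One way to implement the group-based ACL idea from the answer above, written here as an added example rather than anything posted in the thread: an iRule triggered by an iRule Event agent (assumed ID `assign_acl`) placed after the AD Query in the login access policy, which reads the returned group membership and applies pre-created, deny-terminated ACLs (assumed names `acl_app1`, `acl_app2`, `acl_deny_all`). The group names, the `session.ad.last.attr.memberOf` path and the availability of `ACCESS::acl eval` on the deployment are all assumptions.

```tcl
# Added example, not from the thread. Assumes:
#  - an iRule Event agent with ID "assign_acl" after the AD Query in the login policy
#  - ACLs acl_app1, acl_app2 and acl_deny_all already exist, each ending in a deny entry
#  - AD groups app1-users / app2-users control access to the respective apps
when ACCESS_POLICY_AGENT_EVENT {
    if { [ACCESS::policy agent_id] ne "assign_acl" } { return }

    # memberOf as populated by the AD Query, e.g.
    # "CN=app1-users,OU=Groups,DC=example,DC=com | CN=staff,OU=Groups,DC=example,DC=com"
    set groups [ACCESS::session data get "session.ad.last.attr.memberOf"]
    set acls [list]

    # Map each group to the ACL that permits only that app's networks
    if { [string match -nocase "*CN=app1-users,*" $groups] } {
        lappend acls "acl_app1"
    }
    if { [string match -nocase "*CN=app2-users,*" $groups] } {
        lappend acls "acl_app2"
    }

    # A user in neither group gets deny-all, so a valid login alone
    # does not reach app1 or app2 even though their policies are skipped
    if { [llength $acls] == 0 } {
        lappend acls "acl_deny_all"
    }

    # Apply the chosen ACLs to this session (assumed command, see lead-in);
    # Tcl 8.4-style eval expands the list into separate arguments
    eval ACCESS::acl eval $acls
    log local0. "ACL assignment for [ACCESS::session data get session.logon.last.username]: $acls"
}
```

ACLs assigned by an ACL Assign agent elsewhere in the policy still apply alongside these, so that agent must not hand out a permissive catch-all.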