I have a typical use case here for providing access to the federated applications. There are 2 sets of users - Sales and Normal - who need to access the same federated applications. The Sales users are on an external network and Normal users are within the company intranet. The Sales users have their details in AD-Sales and Normal users use AD-Normal.
Here is the solution suggested.
User tries to access federated application externally >> We check at our SSO side whether the user is Normal or Sales from AD-Normal or AD-Sales >> No change in flow for Normal user (internally authenticated through IWA-1, Internal Policy Server accepts and the user gets access to the SaaS app) >> For Sales user, external authentication to be done through IWA-2 (integrated to Internal Policy Server) and then, once successfully authenticated, pass the control back to internal SSO, perform user mapping between AD-Sales and AD-Normal, pass the mapped sAMAccountName from AD-Normal and provide access to the Sales user on the federated application.
I need clarity on:
How will my Internal Policy Server accept the authentication from IWA-2, as IWA-2 will be in another external domain? Do we need to have the cookie provider solution set up here?
How to do the conditional redirect from SSO to different IWA servers based on the user's presence in different ADs?
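The second question (routing a login to IWA-1 or IWA-2 depending on which directory holds the account) and the post-authentication mapping step from the proposed flow can be sketched as plain realm-discovery logic. The example below is an added illustration, not code from the original post or from any SSO product: the two directories are constructed in-memory stand-ins for AD-Normal and AD-Sales (a real deployment would run LDAP queries), the IWA URLs are placeholders, and the choice of `mail` as the attribute that links a Sales account to its AD-Normal counterpart is an assumption. It fails closed when an account is found in both directories, in neither, or when the mapping is ambiguous, which is the part most worth getting right before wiring this into a Policy Server.

```python
"""Home-realm discovery and AD-Sales -> AD-Normal account mapping.

Added example (not from the post). The directories below are constructed
stand-ins for AD-Normal and AD-Sales; the IWA endpoints are placeholder URLs;
linking Sales and Normal accounts via the 'mail' attribute is an assumption.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample directory contents (not real accounts).
AD_NORMAL: List[Dict[str, str]] = [
    {"sAMAccountName": "jdoe", "mail": "jdoe@example.com"},
    {"sAMAccountName": "asmith", "mail": "asmith@example.com"},
    {"sAMAccountName": "both", "mail": "both@example.com"},
]
AD_SALES: List[Dict[str, str]] = [
    {"sAMAccountName": "asmith.ext", "mail": "asmith@example.com"},
    {"sAMAccountName": "orphan", "mail": "orphan@example.com"},  # no AD-Normal twin
    {"sAMAccountName": "both", "mail": "both@example.com"},      # exists in both ADs
]

IWA_INTERNAL = "https://iwa-1.internal.example/"  # placeholder for IWA-1
IWA_EXTERNAL = "https://iwa-2.external.example/"  # placeholder for IWA-2


@dataclass(frozen=True)
class Route:
    realm: str                  # "normal", "sales" or "deny"
    redirect_to: Optional[str]  # IWA endpoint the SSO should send the user to
    reason: str


def _lookup(directory: List[Dict[str, str]], attr: str, value: str) -> List[Dict[str, str]]:
    """Case-insensitive match on a single attribute; returns all hits so callers can detect duplicates."""
    v = value.casefold()
    return [e for e in directory if e.get(attr, "").casefold() == v]


def normalize_login(login: str) -> str:
    """Reduce DOMAIN\\user or user@upn.suffix to the bare account name used for lookups."""
    login = login.strip()
    if "\\" in login:
        login = login.split("\\", 1)[1]
    if "@" in login:
        login = login.split("@", 1)[0]
    return login


def route(login: str) -> Route:
    """Pre-authentication step: decide which IWA server the SSO redirects the user to."""
    name = normalize_login(login)
    if not name:
        return Route("deny", None, "empty login")
    in_normal = _lookup(AD_NORMAL, "sAMAccountName", name)
    in_sales = _lookup(AD_SALES, "sAMAccountName", name)
    if len(in_normal) > 1 or len(in_sales) > 1:
        return Route("deny", None, "duplicate account within a directory")
    if in_normal and in_sales:
        # Same name in both ADs: do not guess which identity the user is; fail closed.
        return Route("deny", None, "account present in both AD-Normal and AD-Sales")
    if in_normal:
        return Route("normal", IWA_INTERNAL, "found in AD-Normal, unchanged IWA-1 flow")
    if in_sales:
        return Route("sales", IWA_EXTERNAL, "found in AD-Sales, authenticate via IWA-2")
    return Route("deny", None, "account not found in either directory")


def map_sales_to_normal(sales_sam: str) -> Optional[str]:
    """Post-authentication step for Sales users: return the AD-Normal sAMAccountName
    linked to the authenticated AD-Sales account, or None when no unique link exists."""
    sales_entries = _lookup(AD_SALES, "sAMAccountName", sales_sam)
    if len(sales_entries) != 1:
        return None
    link = sales_entries[0].get("mail", "")
    if not link:
        return None
    normal_entries = _lookup(AD_NORMAL, "mail", link)
    if len(normal_entries) != 1:  # missing or ambiguous mapping: deny rather than pick one
        return None
    return normal_entries[0]["sAMAccountName"]


if __name__ == "__main__":
    for login in ("jdoe", "CORP\\asmith.ext", "both", "nobody@example.com"):
        r = route(login)
        print(f"{login:22} -> {r.realm:6} {r.redirect_to or '-':40} {r.reason}")
    print("asmith.ext maps to", map_sales_to_normal("asmith.ext"))
    print("orphan maps to", map_sales_to_normal("orphan"))
```

The mapping is deliberately a separate function so it can only be invoked after IWA-2 has actually authenticated the Sales user; looking up the AD-Normal twin before authentication would let an unauthenticated request learn which external names correspond to internal accounts.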