Hi Zen,
I tried your suggestion as per below:
**************************************************************************************************************************************
The point is, you can't actually directly redirect to the IWA *.ntc url that you want. You need to create the policies and let policy server do the redirecting for you.
What I can think of, the only OOTB way to achieve this solely by configuration is to have 2 realms in your SSO Domain, each having a different Auth scheme applied.
Pre-requisite is you must have your IWA agent servers created and added separately into the 2 different ADs.
You have the 2 groups of users created as separate user directories.
Then you have your auth schemes created; let's call them IWA1 and IWA2.
Let's assume the application URL is https://myapp.mycompany.com/
In the SSO domain, make sure both usertype 1 and usertype 2 are added as user directories.
Your first realm will be for resource "/"
This is protected by IWA1
Your second realm will be for resource "/?usertype=2"
This is protected by IWA2
In both realms, create "OnAuthAttempt" and "OnAuthReject" rules.
Suffice it to say, both realms should also have the web agent action rules for GET and POST.
In policy, the responses for OnAuthAttempt and OnAuthReject of the "/" realm will have on-reject-redirect to https://myapp.mycompany.com/?usertype=2
The responses for OnAuthAttempt and OnAuthReject of the "/?usertype=2" realm will have on-reject-redirect to a common error page that tells the user he/she is not allowed to access the app.
*************************************************************************************************************************************
But the issue is that the OnAuthReject Redirect Rules are not getting triggered even when the user puts in incorrect credentials (username or password).
We are facing the issues below:
1. We are constantly prompted by IWA-1 on the server to provide the credentials. Is there any way we can stop getting the prompt? I checked in the IE browser options and already have the option for IWA authentication checked.
2. In case we provide a wrong userid and password, fallback to IWA-2 doesn't happen. It keeps showing the prompt coming from IWA-1.
Thanks,
Pallavi.