Split authorization is the ability to use an LDAP realm in conjunction with an IWA realm, giving finer control over a user or group based on attributes supplied by the LDAP server.
For example, a customer may authenticate users via an IWA realm and then write policy that uses a specific LDAP attribute to allow or deny a user's access to a particular site.
Note that this feature can only be enabled from the CLI, and the policy that uses it can only be written in CPL; there is currently no GUI or VPM support for it. See the SGOS 6.7 Content Policy Language Reference for more details.
As of SGOS 6.7.2, split authorization can be used with IWA-Direct and LDAP realms. Note that IWA-BCAAA realms are not supported.
An example setup might be as follows.
Example config (CLI only)
SG#(config iwa-direct IWA_DIRECT) authorization ?
  realm-name   Specify the realm for authorization
  self         Authorize with this realm
SG#(config iwa-direct IWA_DIRECT) authorization realm-name AD_LDAP
Sample Policy (CPL). The authenticate rule and the deny rule sit in separate <Proxy> layers: within one layer the first matching rule wins, so the unconditional authenticate rule would otherwise shadow the deny.
<Proxy>
    authenticate(IWA_DIRECT) authenticate.force(no) authenticate.mode(auto)
<Proxy>
    realm=IWA_DIRECT user.authorization_name.suffix="OU=InternetUsers,DC=customer,DC=domain,DC=com" url.category=("Auctions") Deny
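The following fuller policy is an added illustration, not taken from the SGOS reference or the original article; it assumes the IWA_DIRECT realm has AD_LDAP set as its authorization realm as in the CLI example above, and the group DN is a made-up placeholder.

```cpl
; Added illustration, not from the SGOS documentation. Assumes
; "authorization realm-name AD_LDAP" has been set on the IWA_DIRECT realm;
; the group DN below is a constructed placeholder.
<Proxy>
    ; Users authenticate (Kerberos/NTLM) against the IWA-Direct realm.
    authenticate(IWA_DIRECT) authenticate.force(no) authenticate.mode(auto)

<Proxy>
    ; With split authorization, group and attribute lookups are answered by the
    ; LDAP authorization realm, so the condition can use an LDAP group DN.
    ; First matching rule in the layer wins: members of the group are allowed
    ; the category, every other IWA_DIRECT user is denied it.
    group="CN=AuctionUsers,OU=InternetUsers,DC=customer,DC=domain,DC=com" url.category=("Auctions") allow
    realm=IWA_DIRECT url.category=("Auctions") deny
```

Users who fail to match the group DN in AD_LDAP fall through to the deny rule, which is the safe default for this kind of attribute-based authorization.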