The customer is in the process of migrating AD domains from one federation to another for its users. The customer wants to create an "any" rule that allows a policy to apply if the customer successfully authenticates to _either_ configured AD realm (via BCAAA). Is this supported on ProxySG devices? Can a combined source/destination object be created with either AD realm in proxy-ip mode?
Release : 7.3.7.1
Component : Default-Sym
If the two domains have a trust between them, it is not necessary to create a separate IWA realm for each domain. A single IWA realm for one of the domains will do. For example, with an IWA realm created for Domain A, if a user account from Domain B tries to authenticate, Domain A should be able to forward that request to Domain B, since the two domains trust each other.
Another option is to use LDAP instead of IWA for one of the domains. With that setup, you can use a Sequence realm that contains one IWA realm and one LDAP realm. However, LDAP does not provide single sign-on and might cause an authentication pop-up in the user's browser.
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/introduction/sequence-realm-authentication.html