SSO restriction by AD groups

Orad

Hello everyone,
I've got SSO working with AD authentication.
But, i'm confused on how to restrict access based on AD Groups. Is it possible?
also, about non AD devices, can i create an exception list?
thank you

Zyxel_Jeff

Hi @Orad

You can add multiple AD server profiles on your device. Please refer to the below steps:

Configuration-> Object -> AAA Server -> Active Directory

And adding customized authentication methods for different AD authentication purposes.

Configuration -> Object -> Auth. Method -> Authentication Method

BTW, if you don’t want to use AD authentication method for some devices, you can create local user accounts for those devices. Configuration -> Object -> User/Group -> User -> Add

Orad

Thank you Jeff for your answer, it explains what i needed!
Now, if i understand it correctly - Base DN is used to channel restriction to a AD group or OU, is that correct? 
I can create a group in AD, and instead of "dc=domain,dc=local" for all users in the domain, set "dc=doman,dc=local,cn=AllowGroup" to allow only users in AD group AllowGroup?

Zyxel_Jeff

Hi @Orad

Your understanding is correct.

Base DN is the AD accounts directory access path on your AD server.

BTW, if you would like to restrict AD user to access what kind of web domain and content.

You can add an ext-group-user user account and add security policies to restrict this, please refer to the below steps:

Configuration->Object->User/Group>User->Add 

Entering user name, User type, Group Identifier(Base DN), Associated AAA object.

Adding Security policies to define the AD group user who can access what kind of web domain and content.