JacobBice (Customer) asked a question.

How can we ensure that when access is requested for a non-Active Directory application, the Active Directory SSO group is granted to the user?

We have a number of applications in our environment that require an SSO AD group to be able to access the system, but are collected into RSA with non-AD access. Without using business roles, is there a good method to ensure that any user who requests access to a specific application is also granted an AD group associated with that application?


  • I think the easiest approach would be to handle this process in a workflow.

    After the request is approved, you can create (using web services in a WF) a new request to add the relevant AD group for SSO.

    You will need to add some logic into the workflow. If the app is A, then add group AA for SSO.

    This request (for the AD group) will not be subjected to additional approvals.