Multiple SAML attributes in global policy = logical OR

(Lisa Lorenzin) #1

The February 7th ZPA feature release (https://help.zscaler.com/zpa/february-7-2018-release-update-summary-force-password-reset) adds the ability to specify multiple SAML attributes in a global access policy. Here’s some useful information on how this new feature works:

If you specify multiple SAML attributes in a single global access policy, they are applied as a logical OR.

In global access policies, we have a concept of operands and conditions; think of operands as a subset of conditions.

  • Individual entities, such as SAML Attributes, Applications, Application Groups, or Posture Profiles, are conditions.
  • Instances of an entity, such as a specified SAML Attribute or specified Posture Profile, are operands.

Multiple operands always behave as logical OR (e.g. between multiple SAML Attributes, between multiple Posture Profiles).

Multiple conditions always behave as logical AND (e.g. between SAML Attributes and Posture Profiles).

So if an administrator sets multiple SAML Attributes in a single global access policy, such as

  • group = employees
  • location = HQ

then users could access the applications in that policy if they had EITHER the group attribute with a value of employees, OR the location attribute with a value of HQ.

And if an administrator sets both a SAML Attribute and a Posture Profile in a global access policy, such as

  • SAML Attribute: group = employee
  • Posture Profile: Managed-Windows-Endpoint

then only users who have the group attribute with a value of employees, AND are on a device that matches the managed Windows endpoint profile, can access the applications in that policy.
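To make the OR-within-a-condition / AND-across-conditions rule concrete, here is a small evaluator written for this post (an added illustration, not Zscaler's policy engine); the policy layout, subject layout and all attribute values are constructed, and it also handles the case where a SAML attribute arrives multi-valued, which the post does not cover.

```python
# Added example, not Zscaler code. A policy is {condition type: [operands]};
# a condition is present only when the administrator configured it.
# A subject is what is known at evaluation time: the user's SAML attributes
# and the posture profiles the device matched. All values are constructed.

def operand_matches(condition, operand, subject):
    """True if ONE operand of ONE condition matches the subject."""
    if condition == "saml_attribute":
        name, wanted = operand
        actual = subject.get("saml", {}).get(name)
        # Assumption: a multi-valued attribute (e.g. several groups) matches
        # when any of its values equals the configured value.
        if isinstance(actual, (list, tuple, set)):
            return wanted in actual
        return actual == wanted
    if condition == "posture_profile":
        return operand in subject.get("posture", set())
    raise ValueError(f"unknown condition type: {condition}")


def policy_allows(policy, subject):
    """Operands inside a condition are OR'ed; conditions are AND'ed."""
    for condition, operands in policy.items():
        if not any(operand_matches(condition, op, subject) for op in operands):
            return False          # this condition failed -> whole policy fails
    return True                   # every configured condition had a match


# The two policies from the post, as constructed data.
POLICY_EITHER_ATTRIBUTE = {
    "saml_attribute": [("group", "employees"), ("location", "HQ")],
}
POLICY_ATTRIBUTE_AND_POSTURE = {
    "saml_attribute": [("group", "employees")],
    "posture_profile": ["Managed-Windows-Endpoint"],
}

if __name__ == "__main__":
    hq_contractor = {"saml": {"group": "contractors", "location": "HQ"}}
    byod_employee = {"saml": {"group": ["staff", "employees"]}, "posture": {"BYOD"}}
    print(policy_allows(POLICY_EITHER_ATTRIBUTE, hq_contractor))         # True (OR)
    print(policy_allows(POLICY_ATTRIBUTE_AND_POSTURE, byod_employee))    # False (AND)
```

Running it shows the practical consequence of the rule: a second SAML attribute in the same policy widens who matches, while a Posture Profile added alongside it narrows the match.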

Regards,
Lisa