Single Sign-on uses the open standard Open Policy Agent (OPA) as the authorization policy engine to evaluate authorization policies for access to the applications. You can create rule-based or OPA Rego authorization policies using attributes defined on the users in the Advanced Authentication repository. The authorization policies allow you to limit access to applications or appmarks depending on the LDAP attributes and values that Single Sign-on reads when a user accesses an application.
Single Sign-on contains an authorization service that manages the rule-based authorization policies. You create the authorization policies when you create the applications or edit existing applications. You can also create authorization policies on stand-alone appmarks.
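As an illustration of an OPA Rego authorization policy that limits access by LDAP attribute values, the following is an added example, not policy code from the product. The package name, the layout of the `input` document, the application name, and the attribute values are all assumptions made for this sketch; the input that Single Sign-on actually passes to OPA may differ.

```rego
# Hypothetical package name chosen for this example.
package sso.authz.example

import rego.v1

# Fail closed: access is denied unless a rule below grants it.
default allow := false

# Assumed input document (constructed for this example):
# {
#   "application": "payroll",
#   "user": {"attributes": {
#     "department": ["Finance"],
#     "memberOf": ["CN=Payroll-Users,OU=Groups,DC=example,DC=com"]
#   }}
# }

# Constructed group DN used as the required membership.
required_group := "cn=payroll-users,ou=groups,dc=example,dc=com"

# LDAP attributes are multi-valued, so each one is expected to be an array.
# A missing or non-array attribute leaves attr() undefined, which keeps
# every rule that depends on it from granting access.
attr(name) := values if {
    values := input.user.attributes[name]
    is_array(values)
}

# DNs are compared case-insensitively.
in_group(dn) if {
    some g in attr("memberOf")
    lower(g) == lower(dn)
}

# Grant access to the payroll application only when both conditions hold.
allow if {
    input.application == "payroll"
    "Finance" in attr("department")
    in_group(required_group)
}

# Human-readable reasons for a denial, useful when auditing decisions.
reasons contains "department is not Finance" if {
    not "Finance" in attr("department")
}

reasons contains "user is not a member of the required group" if {
    not in_group(required_group)
}
```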