Forum Discussion
SSO across multiple domains and group membership check
You can limit the L4/L7 resources assigned to each group based off of the LDAP/AD memberof query result if that's what you mean by site-specific access.
After your login page and your AD auth or LDAP auth agent, use an LDAP/AD query agent in the visual policy editor and make a unique branch ending for each different result of the configurable memberof query. See the below document for information about the LDAP/AD query agent.
You can then use the advanced resource assign agent to assign unique portal access or application access resources based off of the result of the query agent. If you'd prefer to assign a network access resource with broad access, you can solve the granularity issue with an APM L4/L7 ACL. APM ACLs should also always be used with portal access resources.
Also take note of ensuring that no layered virtual server gets in the way of your ACL being assigned if dealing with network access resources. If so, be sure to attach the following iRule to the layered virtual server in order to force the evaluation of the necessary ACLs: `ACCESS::acl eval $acl_name_list`.