Login constraint rules are applied to login module groups. For each set of login module groups in a login application, only one cannot have a login constraint rule applied to it.
When determining which login module group of a set to process, Identity Manager evaluates the first login module group’s constraint rule. If it succeeds, then it processes that login module group. If it fails, then it evaluates each login module group in turn, until a constraint rule succeeds or a login module group with no constraint rule is evaluated (and subsequently used).
If a login application will contain more than one login module group, then the login module group with no login constraint rules should be placed in the last position of the set.