access_control:
  default_policy: 'deny'
  rules:   
    - domain: '*.mydomain.com'
      policy: 'one_factor'