Create an authentication policy that is triggered by the selector, sends the user to the external IdP, and fulfills the policy contract.
- Go to Authentication > Policies > Policies.
- Click Create New Instance.
- Click Add Policy.
- On the Policy page, in the Name field, enter a name for the policy.
- Optional: In the Description field, enter a description for the policy.
- Click in the Policy field, and select Selectors in the menu.
- Select your selector.
- For the No option, click Continue.
- For the Yes option, select IdP Connections in the menu, and select your IdP connection.
- For the Fail option, click Done.
- For the Success option, select Policy Contracts in the menu, and select your policy contract.
- Click Contract Mapping.
- On the Attribute Sources & User Lookup tab, click Next.
- On the Contract Fulfillment tab, map the memberOf, subject, and username attributes. If your policy contract has additional attributes, select No Mapping in the Source menu for those attributes.
  - For the memberOf attribute, select IdP Connection in the Source menu and memberOf in the Value menu.
  - For the subject attribute, select IdP Connection in the Source menu and SAML_SUBJECT in the Value menu.
  - For the username attribute, select IdP Connection in the Source menu and SAML_SUBJECT in the Value menu.
- On the Issuance Criteria tab, click Next.
- On the Summary tab, review your configuration. Click Done.
- On the Policy page, click Done.
- On the Policies tab, click Save.