1. Go to Authentication > Policies > Policies.
  2. Click Create New Instance.
  3. Click Add Policy.
  4. On the Policy page In the Name field, enter a name for the policy.
  5. Optional: In the Description field, enter a description for the policy.
  6. Click in the Policy field, and select Selectors in the menu.
    Screen capture of the Policy menu with Selectors selected.
  7. Select your selector.
  8. For the No option, click Continue.
  9. For the Yes option, select IdP Connections in the menu, and select your IdP connection..
  10. For the Fail option, click Done.
  11. For the Success option, select Policy Contracts in the menu, and select your policy contract.
  12. Click Contract Mapping.
  13. On the Attribute Sources & User Lookup tab, click Next.
  14. On the Contract Fulfillment tab, map the memberOf, subject, and username attributes. If your policy contract has additional attributes, select No Mapping in the Source menu for those attributes.
    1. For the memberOf attribute, select IdP Connection in the Source menu and memberOf in the Value menu.
    2. For the subject attribute, select IdP Connection in the Source menu and SAML_SUBJECT in the Value menu.
    3. For the username attribute, select IdP Connection in the Source menu and SAML_SUBJECT in the Value menu.
  15. On the Issuance Criteria tab, click Next.
  16. On the Summary tab, review your configuration. Click Done.
  17. On the Policy page, click Done.
  18. On the Policies tab, click Save.