Make sure that you have configured at least two policy contracts to function as input and output contracts.
  1. In the Name field, type a name for the policy fragment.
  2. Optional: Change the identifier for the fragment. This ID will be used to reference input and output attributes in the advanced Expressions fulfillment option. It cannot be changed after the fragment has been created.
  3. Optional: Type a description for the fragment.
  4. Optional: From the Inputs list, select the input authentication policy contract that calling members will need to fulfill. The attributes contained in the contract will be available for use throughout the policy.

    Incoming user ID mapping is restricted to fragments with an input contract.

  5. Optional: From the Outputs list, select the output authentication policy contract that this fragment will fulfill. Calling members will be able to use the values of the attributes contained in the output policy contract.
  6. From the Policy list, select an IdP adapter, an IdP connection, a selector, or a fragment. (Detailed policy configuration instructions are provided in step 5 in Defining authentication policies.)

    You can select Fragments as the policy action and then select a policy fragment that you have created. When you select a fragment, click Fragment Mapping and use the in-product help links to access the topics that describe how to configure the mapping.

    1. Click Options and select the source and the attribute to be used as the incoming user ID.
    2. Click Rules and define authentication policy rules using attributes from the previous authentication source or from an earlier step in the policy. For more information, see Configuring rules in authentication policies.
    3. Configure Fail and Success paths. For a fragment to succeed, you must map it into a LIP or APC based on the output contract. You can also use a fragment in a calling policy and set both of the fragment's exit Fail/Success nodes to Done.

    The Copy and Paste feature lets you copy a policy path and paste it into another place in the same policy, another policy, or a policy fragment. After you copy and paste a path, follow the on-screen instructions to correct any errors.

    One benefit of this feature is that you can easily add a new step at the start or middle of an existing policy. To do that, copy and then remove the existing path below the point where you will define the new step. After you define the new step, paste the copied path back into the policy below the new step.

  7. Click Save.