You can optionally create an issuance authorization rule to control which users can
access IBM® Verify.
Procedure
- Go to the ADFS Management Console.
- Click in the ADFS folder.
- Select the relying party trust that you previously created.
  The trust is displayed in the Actions pane.
- Click Edit Claim Rules.
- Select the Issuance Authorization Rules tab.
- Remove the default Permit Access to All Users rule.
- Add a rule called Cloud_Identity_Users Only.
  Use the template Permit or Deny Users Based on an Incoming Claim.
  Configure it as shown in the following figure.
- Select Group SID from the menu for the Incoming claim type.
- Use Browse to select the group name in your Active Directory whose members are going to access SaaS apps through IBM Verify.
  Note: In many organizations, this group includes all employees and this selection is not needed.
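
The same rule can be applied and checked from PowerShell on the AD FS server. This is an added example, not part of the original procedure; the relying party trust name and group name are placeholders that you must replace, and the rule text is the standard claim rule form for permitting users by group SID.

```powershell
# Added example. Placeholders (assumptions): set these to your own values.
$rpName    = '<relying-party-trust-name>'
$groupName = '<ad-group-name>'

Import-Module ADFS
Import-Module ActiveDirectory

# The rule matches on the group SID, not the display name, so resolve it first.
$sid = (Get-ADGroup -Identity $groupName).SID.Value

# Permit only users whose token carries the group SID claim.
# {SID} is substituted below; a single-quoted here-string keeps "$" literal.
$template = @'
@RuleName = "Cloud_Identity_Users Only"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value =~ "^(?i){SID}$"]
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "PermitUsersWithClaim");
'@
$rule = $template.Replace('{SID}', [regex]::Escape($sid))

# Setting the rule set replaces all existing issuance authorization rules,
# which also removes the default Permit Access to All Users rule.
Set-AdfsRelyingPartyTrust -TargetName $rpName -IssuanceAuthorizationRules $rule

# Verify: read the rules back and confirm no permit-all rule remains.
$applied = (Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceAuthorizationRules
if ($applied -match 'claims/permit",\s*Value\s*=\s*"true"') {
    Write-Warning "A permit-all rule is still present on '$rpName'."
} elseif ($applied -notmatch [regex]::Escape($sid)) {
    Write-Warning "The group SID rule was not found on '$rpName'."
} else {
    Write-Output "Only members of '$groupName' ($sid) are permitted on '$rpName'."
}
$applied
```

After applying the rule, sign in with one account inside the group and one outside it to confirm that only the group member is issued a token.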