Configuring permissions to access the web application

To allow users to authenticate using a UPN address as their SAML-based identity, add their email addresses with appropriate permissions to the web application. The SAML-based identity is as specified in the New-SPTrustedIdentityTokenIssuer command with the -IdentifierClaim $upnClaimMap.InputClaimType parameter.
Complete the following steps to configure a web application for permissions based on UPN:
  1. On the Central Administration home page, click Application Management.
  2. On the Application Management page, in the Web Applications section, click Manage web applications.
  3. Click the appropriate web application, and then click User Policy.
  4. In Policy for Web Application, click Add Users.
  5. In the Add Users dialog box, click the appropriate zone in Zones, and then click Next.
  6. In the Add Users dialog box, click the Browse icon in the lower, right-hand side of the Users box.
  7. In the Select People and Groups dialog box, type the UPN of a user account in Find, and then click the Search icon.
  8. In the search results, click UPN. Under the name of your AD FS identity provider, click the UPN of the user under Display Name. Click Add, and then click OK.
  9. In Permissions, click the appropriate level of permissions.
  10. Repeat Step 6 through Step 9 for the UPNs of additional users with the same level of permissions.
  11. Click Finish, and then click OK.
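
The same user policy can be applied from the SharePoint Management Shell when several UPNs need the same permission level. This is an added example, not part of the original procedure; the web application URL, trusted identity token issuer name, zone, sample UPNs and the choice of the Full Read policy role are assumptions to replace with your own values.

```powershell
# Assumed placeholder values; none of these come from the original page.
$webAppUrl  = "https://sharepoint.example.com"
$issuerName = "ADFS-Placeholder"   # name used with New-SPTrustedIdentityTokenIssuer
$zone       = "Default"            # zone chosen in step 5
$roleType   = [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead
$upns       = @("alice@example.com", "bob@example.com")   # constructed sample UPNs

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$wa       = Get-SPWebApplication -Identity $webAppUrl -ErrorAction Stop
$issuer   = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName -ErrorAction Stop
$role     = $wa.PolicyRoles.GetSpecialRole($roleType)
$policies = $wa.ZonePolicies($zone)

foreach ($upn in $upns) {
    # Reject input that is not shaped like a UPN before it becomes a policy entry.
    if ($upn -notmatch '^[^@\s]+@[^@\s]+$') {
        Write-Warning "Skipping malformed UPN: $upn"
        continue
    }

    # Build the claim from the issuer's identifier claim (UPN in this configuration).
    $claim   = New-SPClaimsPrincipal -Identity $upn -TrustedIdentityTokenIssuer $issuer
    $encoded = $claim.ToEncodedString()

    # Do not create a second policy entry for a user who already has one in this zone.
    if ($policies | Where-Object { $_.UserName -eq $encoded }) {
        Write-Warning "Policy already exists for $upn; review it instead of adding another."
        continue
    }

    $policy = $policies.Add($encoded, $upn)
    $policy.PolicyRoleBindings.Add($role)
}

# Persist the policy changes to the web application.
$wa.Update()

# List the resulting zone policy so the granted roles can be reviewed.
$wa.ZonePolicies($zone) | Select-Object UserName, DisplayName,
    @{ Name = 'Roles'; Expression = { ($_.PolicyRoleBindings | ForEach-Object { $_.Name }) -join ', ' } }
```

A web application policy applies to every site collection in the zone, so the final listing is worth checking for entries that hold more than the intended role.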