Configuring permissions to access the web application
To allow users to authenticate using a UPN address as their SAML-based identity, add their email addresses with appropriate permissions to the web application. The SAML-based identity is as specified in the New-SPTrustedIdentityTokenIssuer command with the -IdentifierClaim $upnClaimMap.InputClaimType parameter.

Complete the following steps to configure a web application for permissions based on UPN:
- On the Central Administration home page, click Application Management.
- On the Application Management page, in the Web Applications section, click Manage web applications.
- Click the appropriate web application, and then click User Policy.
- In Policy for Web Application, click Add Users.
- In the Add Users dialog box, click the appropriate zone in Zones, and then click Next.
- In the Add Users dialog box, click the Browse icon in the lower right-hand side of the Users box.
- In the Select People and Groups dialog box, type the UPN of a user account in Find, and then click the Search icon.
- In the search results, click UPN. Under the name of your AD FS identity provider, click the UPN of the user under Display Name. Click Add, and then click OK.
- In Permissions, click the appropriate level of permissions.
- Repeat Step 6 through Step 9 for additional UPNs of users with the same level of permissions.
- Click Finish, and then click OK.
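The same user policy can be granted from the SharePoint Management Shell. The script below is an added example, not part of the original article; it assumes the trusted identity token issuer is named "ADFS Provider", that the web application URL is https://sharepoint.contoso.com, and that alice@contoso.com is the UPN to grant (all placeholders). It reads the identifier claim type back from the issuer so the policy entry is bound to the same claim the SAML token carries.

```powershell
# Added example (not from the original article): grant a web-application user policy
# to a UPN-based SAML identity with PowerShell instead of Central Administration.
# Placeholders to replace for your farm: issuer name, web application URL, UPN.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

$issuerName = "ADFS Provider"                  # placeholder: SPTrustedIdentityTokenIssuer name
$webAppUrl  = "https://sharepoint.contoso.com" # placeholder: web application URL
$upn        = "alice@contoso.com"              # placeholder: UPN of the user to grant

$sts    = Get-SPTrustedIdentityTokenIssuer -Identity $issuerName
$webApp = Get-SPWebApplication -Identity $webAppUrl

# The policy must use the issuer's identifier claim type (set with -IdentifierClaim
# when the issuer was created); a different claim type never matches the user's token.
$claimType = $sts.IdentityClaimTypeInformation.InputClaimType
$principal = New-SPClaimsPrincipal -ClaimValue $upn -ClaimType $claimType `
                                   -TrustedIdentityTokenIssuer $sts

# Encoded claim string used as the policy's user name, e.g. i:05.t|adfs provider|alice@contoso.com
$encoded = $principal.ToEncodedString()

# Do not create duplicate entries for a user who already has a policy.
if ($webApp.Policies | Where-Object { $_.UserName -eq $encoded }) {
    Write-Host "A policy already exists for $upn on $webAppUrl"
} else {
    $policy = $webApp.Policies.Add($encoded, $upn)
    # Grant only the level the task needs; FullRead is used here as the least-privileged choice.
    $role = $webApp.PolicyRoles.GetSpecialRole(
        [Microsoft.SharePoint.Administration.SPPolicyRoleType]::FullRead)
    $policy.PolicyRoleBindings.Add($role)
    $webApp.Update()
    Write-Host "Granted $($role.Name) to $encoded"
}
```

Run it in the SharePoint Management Shell as a farm administrator; web application policies apply to every site collection in the web application, so review the existing entries in $webApp.Policies before adding more.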