McAfee Enterprise MVISION Cloud

Advanced Concepts when using ADFS as IDP for Contextual Access Control


After completing this how-to you will be able to scope which users in ADFS are evaluated against the access control policies.

The principle is that we solve this by adding a “short-circuit” Cloud Access Policy in the first place, which evaluates a custom ADFS attribute that is only sent for specific users, namely the members of a special AD group.


ADFS Setup

Please refer to this article on how to set up SSO with ADFS and Access Control.

But do not change the Endpoint URL in ADFS yet (pointing to the RP): as long as no special group is defined, all users will be routed through CAP.

Once done with the above steps, configure an additional SAML assertion string in ADFS:

  • Go into ADFS Management console, navigate to Service then select "Claim Descriptions":


  • Right-click to add a new Claim Description:


  • Fill out the properties as shown in the screenshot below:


Note: You can use any attribute name you like, as long as it matches the one used in the CAP shortcut policy we define later.

Also please note that the value of the "Short Name" will later be used for evaluation in the CAS policies.


  • In the Relying Party Trusts section, select your O365 entry and right-click to "Edit Claim Issuance Policy..."


  • Click "Add Rule":


  • Select "Send Group Membership as a Claim":



  • Define a "Claim rule name", select the AD user group that this claim should apply to, open the "Outgoing claim type" dropdown, select the claim we defined earlier, and set "Outgoing claim value" to "TRUE".


Click "OK" to confirm and save the settings.
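The same ADFS configuration as the console steps above, done with the ADFS and Active Directory PowerShell modules. This is an added example and not part of the original article; the claim type URI, the group name "CAP-Evaluated-Users" and the relying party trust name are assumptions to be replaced with your own values. The issuance rule it appends is the same claim rule language that the "Send Group Membership as a Claim" template generates (group matched by SID, outgoing value TRUE).

```powershell
# Added example (not from the original article): configure the claim description and the
# group-membership issuance rule from the steps above with PowerShell instead of the console.
# Assumptions (hypothetical, adjust to your environment):
#   - claim short name "SHNAccess" and the claim type URI below (any consistent name works)
#   - AD group "CAP-Evaluated-Users" holds the users that should be evaluated by CAP
#   - the Office 365 relying party trust is named "Microsoft Office 365 Identity Platform"
Import-Module ADFS
Import-Module ActiveDirectory

$claimShortName = 'SHNAccess'
$claimType      = 'http://schemas.xmlsoap.org/claims/SHNAccess'   # hypothetical claim type URI
$groupName      = 'CAP-Evaluated-Users'                           # hypothetical AD group
$rpName         = 'Microsoft Office 365 Identity Platform'        # assumed O365 RP display name

# 1. Claim description (Service -> Claim Descriptions -> Add). The ShortName is what the
#    SAML assertion carries as AttributeName and what the CAP shortcut rule matches on.
if (-not (Get-AdfsClaimDescription -ClaimType $claimType -ErrorAction SilentlyContinue)) {
    Add-AdfsClaimDescription -Name 'MVISION Cloud CAP scope' -ClaimType $claimType `
        -ShortName $claimShortName -IsOffered $true -IsAccepted $true `
        -Notes 'TRUE for members of the AD group that must pass through CAP'
}

# 2. Issuance rule equivalent to the "Send Group Membership as a Claim" template:
#    the group is matched by its SID (not its display name), and the outgoing value is TRUE.
$groupSid = (Get-ADGroup -Identity $groupName).SID.Value
$rule = @"
@RuleName = "MVISION Cloud CAP scope"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$groupSid", Issuer == "AD AUTHORITY"]
 => issue(Type = "$claimType", Value = "TRUE", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, ValueType = c.ValueType);
"@

# 3. Append the rule to the existing issuance transform rules of the O365 trust rather than
#    replacing them, so the claims already configured for SSO keep working.
$rp = Get-AdfsRelyingPartyTrust -Name $rpName
Set-AdfsRelyingPartyTrust -TargetName $rpName `
    -IssuanceTransformRules ($rp.IssuanceTransformRules + "`n" + $rule)

# 4. Check: the trust's rule set now references the new claim type.
(Get-AdfsRelyingPartyTrust -Name $rpName).IssuanceTransformRules -match [regex]::Escape($claimType)
```

Matching the group by SID means a renamed group keeps working, while a deleted and recreated group (new SID) silently stops issuing the claim, which in this design sends its members straight to O365 without CAP evaluation; the final check is worth rerunning after any change to the trust.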

Cloud Access Control Setup (MVISION Cloud Dashboard)

On top of your existing Access Control policies, add another policy that we will use as a shortcut: only users who carry the special claim (based on the AD group we selected above) are evaluated against the existing policies.

  • Create an additional CAP rule and select the following criteria:


Note: The operator "is not" in "SAML Expression" is intended, as we will redirect all users who do not have the special claim from ADFS directly to O365.

Once you click "Save", this concludes the CAP setup.


Example: This is how a SAML trace (snippet) will look if the user is in the particular AD group and the attribute is being sent:

    <saml:Attribute AttributeName="SHNAccess" AttributeNamespace="">
        <saml:AttributeValue>TRUE</saml:AttributeValue>
    </saml:Attribute>
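To see the shortcut rule's decision on an actual assertion, the following added example (not from the original article or from MVISION Cloud) reproduces the "is not" logic in PowerShell over two constructed SAML 1.1 assertions: one for a group member carrying SHNAccess=TRUE, one for a user without the claim. The function name and the sample assertions are made up for this illustration; the real decision is taken by CAP on the reverse proxy, and the assertion is assumed to have passed signature validation before any attribute is read.

```powershell
# Added example (not from the original article): evaluate the CAP shortcut rule
# ("SAML Expression is not SHNAccess=TRUE" -> redirect to O365) against an assertion.
# Assumes the assertion's signature was already verified; attributes are only trusted then.
function Get-CapRoute {
    param(
        [Parameter(Mandatory)][string]$AssertionXml,
        [string]$AttributeName = 'SHNAccess'   # must equal the claim "Short Name" from ADFS
    )

    # Parse with DTD processing prohibited so an assertion cannot smuggle in entity expansion.
    $settings = New-Object System.Xml.XmlReaderSettings
    $settings.DtdProcessing = [System.Xml.DtdProcessing]::Prohibit
    $reader = [System.Xml.XmlReader]::Create((New-Object System.IO.StringReader $AssertionXml), $settings)
    $doc = New-Object System.Xml.XmlDocument
    $doc.Load($reader)

    # ADFS issues SAML 1.1 tokens for O365 (WS-Federation); the AttributeName/AttributeNamespace
    # syntax in the trace above is SAML 1.1, namespace urn:oasis:names:tc:SAML:1.0:assertion.
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('saml', 'urn:oasis:names:tc:SAML:1.0:assertion')
    $node = $doc.SelectSingleNode("//saml:Attribute[@AttributeName='$AttributeName']/saml:AttributeValue", $ns)
    $value = if ($node) { $node.InnerText.Trim() } else { $null }

    # Shortcut rule: everyone whose assertion does NOT carry the claim with value TRUE is passed
    # straight to O365; only group members continue to the remaining access control policies.
    if ($value -ieq 'TRUE') { 'EvaluatePolicies' } else { 'PassThroughToO365' }
}

# Constructed sample: user in the AD group (claim present, value TRUE)
$inGroup = @"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_constructed-1">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="SHNAccess" AttributeNamespace="">
      <saml:AttributeValue>TRUE</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"@

# Constructed sample: user not in the group (ADFS sends no SHNAccess attribute at all)
$notInGroup = @"
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion" AssertionID="_constructed-2">
  <saml:AttributeStatement>
    <saml:Attribute AttributeName="upn" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>user@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"@

Get-CapRoute -AssertionXml $inGroup
Get-CapRoute -AssertionXml $notInGroup
```

Because the rule is written with "is not", a missing attribute, an empty value and a value other than TRUE all take the same pass-through branch; the only assertions that reach the rest of the policy set are those where ADFS actually issued SHNAccess=TRUE, which is why the claim description's Short Name and the CAP expression must match exactly.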

Once done with the setup, you can configure the Endpoint in ADFS pointing to our reverse proxy.
