Brian wants to limit access to a federated service that uses Single Sign-On based on user attributes and group membership, as well as which federation member the user is logging in from. Which of the following options is best suited to his needs?

Access policies are built using information and attributes about access requests. If the policy requirements are met, the actions like allowing or denying access, or requiring additional authentication steps can be performed. Geolocation and time-based logins focus on a single information component, and account auditing is used to review permissions for accounts, not to perform this type of validation or policy-based control.