The Security Assertion Markup Language (SAML) 2.0 assertion must include all the attributes the service provider needs to identify the service user. Exactly which attributes are transported is a matter of negotiation between you and the operator of the identity provider. The identity provider sends the SAML 2.0 attributes with their values in the assertion. For each service user you configure a condition that consists of a set of attribute=value pairs. When the SAML 2.0 assertion is evaluated, the service provider checks each condition in turn and selects the first service user whose condition is fulfilled. If no condition is met, the default service user is authenticated. If no default service user is configured, the service provider refuses the assertion and the authentication fails.
Prerequisites
- You have configured the service provider to trust an identity provider and to use the Transient name ID format with the Service Users type.
- You have negotiated with the administrator of the identity provider to determine which SAML 2.0 attributes you can expect to receive.
- You have created the service users on the service provider that are to be authenticated.
Procedure
- Under Service User Mapping, choose the Add pushbutton.
- Enter the name of a service user.
- Choose the Modify Condition pushbutton.
- Define the combination of SAML 2.0 attributes and values for this condition.
- Choose the Add pushbutton.
- Enter the following data:
Table 1: SAML 2.0 Configuration

Parameter | Entry
SAML 2.0 Attribute | Name of the attribute as sent by the identity provider in the SAML 2.0 assertion.
Value | The value the attribute must have to map the transient user to the service user.
- Add additional attributes and values as needed.
- Save your entries.
- Add additional users as needed.
- If necessary, add a default service user.
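The evaluation rule described above (first fulfilled condition wins, then the default service user, otherwise the assertion is refused), as an added illustrative model that is not the service provider's own code. It assumes that a SAML attribute may carry several values and that a condition holds if each configured value appears among that attribute's values; the service user names and attributes are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumption: an assertion is modelled as attribute name -> list of values,
# because a SAML 2.0 attribute may be multi-valued.
Assertion = Dict[str, List[str]]


@dataclass
class ServiceUserMapping:
    """One service user and the attribute=value pairs that must all hold."""
    service_user: str
    condition: Dict[str, str] = field(default_factory=dict)

    def matches(self, assertion: Assertion) -> bool:
        # Assumption: an empty condition never matches, so a misconfigured
        # entry cannot silently become a catch-all for every assertion.
        if not self.condition:
            return False
        # Every configured attribute must be present with the configured value.
        return all(
            value in assertion.get(attribute, [])
            for attribute, value in self.condition.items()
        )


def select_service_user(
    assertion: Assertion,
    mappings: List[ServiceUserMapping],
    default_service_user: Optional[str] = None,
) -> Optional[str]:
    """Return the first service user whose condition is fulfilled, else the
    default service user, else None (the assertion is refused)."""
    for mapping in mappings:
        if mapping.matches(assertion):
            return mapping.service_user
    return default_service_user


# Constructed sample configuration. Order matters: the narrower SRV_ADMIN
# condition is listed before SRV_IT, otherwise SRV_IT would shadow it.
MAPPINGS = [
    ServiceUserMapping("SRV_ADMIN", {"role": "admin", "dept": "it"}),
    ServiceUserMapping("SRV_IT", {"dept": "it"}),
    ServiceUserMapping("SRV_SALES", {"dept": "sales"}),
]

if __name__ == "__main__":
    # Constructed assertion attributes as an identity provider might send them.
    sample = {"role": ["admin"], "dept": ["it"], "mail": ["alice@example.com"]}
    print(select_service_user(sample, MAPPINGS, default_service_user="SRV_GUEST"))
```

Because the first fulfilled condition wins, a broad condition placed before a narrower one hides the narrower mapping; review the order of entries whenever you add a service user.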