Show TOC

Authentication with Service UsersLocate this document in the navigation structure

The Security Assertion Markup Language (SAML) 2.0 assertion should include all the attributes you need to search for the service user on the service provider. Exactly what is transported is a matter of negotiation between you and the operator of the identity provider. The identity provider sends the SAML 2.0 attributes with their values in the assertion. For each service user you configure a condition that consists of a set of attribute=value pairs. When the SAML 2.0 assertion is evaluated, the service provider checks each condition and selects the first service user whose condition is fulfilled. If no condition is met, the default service user is authenticated. If no default service user is configured, the service provider refuses the assertion and the authentication fails.


  • You have configured the service provider to trust an identity provider and use the Transient name ID format with Service Users type.
  • You have negotiated with the administrator of the identity provider to determine what SAML 2.0 attributes you can expect to receive.
  • You have created service users on the service provider that are to be authenticated.


  1. Under Service User Mapping, choose the Add pushbutton.
  2. Enter the name of a service user.
  3. Choose the Modify Condition pushbutton.
  4. Define the combination of SAML 2.0 attributes and values for this condition.
    1. Choose the Add pushbutton.
    2. Enter the following data:
      Table 1: SAML 2.0 Configuration
      Parameter Entry
      SAML 2.0 Attribute Name of the attribute as sent by the identity provider in the SAML 2.0 assertion.
      Value The value the attribute must have to map the transient user to the service user.
    3. Add additional attributes and values as needed.
  5. Save your entries.
  6. Add additional users as needed.
  7. If necessary, add a default service user.