You have trusted an identity provider.
For more information, see Trusting an Identity Provider.
Use this procedure to enable identity federation when no previous linking between the accounts exists. Interactive account linking and automatic account creation enable users to federate their accounts during authentication.
You can also use out-of-band account linking with persistent federation type, but the linking must be established ahead of time.
For more information, see Configuring Federation Type Persistent Users.
Interactive account linking
In this mode, if there is no pre-existing federation or no user is found on the service provider with the same name ID, the service provider prompts the user to log on. When the user logs on, the service provider prompts the user to federate the accounts. If the user accepts, the service provider writes the name ID from the user account on the identity provider to the user attribute configured for the name ID on the service provider. If the user declines, the service provider logs the user on as usual, but does not federate the accounts.
If you select the option Allow interactive linking of accounts, the default User ID Mapping Mode value is E-mail. You can specify other values for the User ID Mapping Mode by selecting the option User Attribute.
Interactive account linking provides the following options:
To enable the identity provider to create a persistent name ID if none exists for the user account on the identity provider, select the Allow Identity Provider to Create Name ID (AllowCreate) checkbox. The service provider sets the AllowCreate attribute on the NameIDPolicy element to "true" for that permission.
To enable the user to create and federate a new account on the service provider, enable self-registration.
For more information, see Configuring Self-Registration.
Automatic account creation
In this mode, if there is no pre-existing federation or no user is found on the service provider with the same name ID, the service provider creates a user account. To create the account, the service provider uses the SAML 2.0 attributes sent by the identity provider. Either way, when the user logs on, the service provider writes the name ID from the user account on the identity provider to the user attribute configured for the name ID on the service provider.
If you select the Allow automatic creation of accounts checkbox, then the specified User ID Mapping Mode attributes are E-mail and Logon ID. You can specify other values by selecting User Attribute for the mapping mode.
To use custom user management engine (UME) attributes with SAML 2.0 attributes, you must add them for SAML on the service provider.
For more information, see Adding Custom User Attributes for SAML.
Create a mapping between the SAML 2.0 attributes and the UME attributes of the service provider.
Attributes marked as mandatory must be present and have values. Otherwise, the service provider rejects the entire authentication attempt. The service provider does not create the user account without the mandatory values.
Determine any group or role memberships by mappings or default assignments.
You can create a mapping between SAML attributes, and roles and groups. You can predefine which roles and groups any created users belong to by default.
Choose from the following configuration options:
To enable the identity provider to create a name ID if none exists for the user account on the identity provider, select the Allow Identity Provider to Create Name ID (AllowCreate) checkbox.
To enable the service provider to overwrite existing user attributes with data sent as SAML 2.0 attributes, select the Update attributes, roles and groups at login checkbox.
The table below illustrates a mapping between SAML 2.0 attributes and UME attributes. Included are the values for a user named Laurent Becker. The attribute for last name is marked as mandatory. This means if this SAML 2.0 attribute is empty or missing, the service provider rejects the SAML response. The service provider does not create the user account without the required attributes.
| SAML 2.0 Attribute | Is Mandatory | Value | UME Attribute |
|---|---|---|---|
| 1st-name | No | Laurent | firstname |
| 2nd-name | Yes | Becker | lastname |
| | No | Laurent.Becker@example.com | |
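The following is an added example, not code from the original page or from the service provider itself. It parses a constructed SAML 2.0 assertion, applies the mapping table above, writes the name ID to the user attribute configured for it, and rejects the response when a mandatory attribute is absent or empty. The attribute names for the e-mail row and the name of the name ID attribute (`saml2_nameid`) are assumptions; the page leaves them blank.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Mapping table from the page: (SAML 2.0 attribute, mandatory?, UME attribute).
# The "mail"/"email" row is hypothetical; the page leaves those names blank.
ATTRIBUTE_MAPPING = [
    ("1st-name", False, "firstname"),
    ("2nd-name", True, "lastname"),
    ("mail", False, "email"),
]
# Hypothetical UME attribute configured on the service provider to hold the name ID.
NAMEID_UME_ATTRIBUTE = "saml2_nameid"


def parse_assertion(assertion_xml):
    """Return (name ID, {attribute name: [non-empty values]}) from an assertion."""
    root = ET.fromstring(assertion_xml)
    name_id = root.findtext("saml:Subject/saml:NameID", default="", namespaces=NS).strip()
    attrs = {}
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        values = (v.text or "" for v in attr.iterfind("saml:AttributeValue", NS))
        attrs[attr.get("Name")] = [v.strip() for v in values if v.strip()]
    return name_id, attrs


def build_new_account(assertion_xml, mapping=ATTRIBUTE_MAPPING):
    """Automatic account creation. Returns the UME attributes of the new user, or
    None when the name ID or a mandatory attribute is missing or empty (the SP
    then rejects the whole response instead of creating an account)."""
    name_id, saml_attrs = parse_assertion(assertion_xml)
    if not name_id:
        return None
    ume = {NAMEID_UME_ATTRIBUTE: name_id}  # federation link written at creation
    for saml_name, mandatory, ume_name in mapping:
        values = saml_attrs.get(saml_name, [])
        if not values:
            if mandatory:
                return None
            continue
        ume[ume_name] = values[0]
    return ume


# Constructed sample assertion (signature and conditions omitted for brevity).
ASSERTION_OK = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">constructed-persistent-id-42</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="1st-name"><saml:AttributeValue>Laurent</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="2nd-name"><saml:AttributeValue>Becker</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>Laurent.Becker@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
# Same assertion with the mandatory last name sent empty: must be rejected.
ASSERTION_MISSING = ASSERTION_OK.replace(
    "<saml:AttributeValue>Becker</saml:AttributeValue>", "<saml:AttributeValue/>")
```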
Choosing other modes of federation
If you do not select interactive or automatic account linking, the federation mode will depend on your selection for the User ID Mapping Mode. You can select from the following options:
| User ID Mapping Mode Values | Description |
|---|---|
| | The value is the e-mail address. The service provider will search for a user for which the e-mail address corresponds to the identifier. |
| Kerberos Principal Name | The service provider will handle the received user identifier as if it is in the format principal@realm and will look for a user for which the principal and realm account attributes match the user identifier. |
| Logon Alias | The value is the logon alias. The service provider will search for a user for which the logon alias corresponds to the identifier. |
| Logon ID | The ID with which the user logs on interactively. The service provider will search for a user for which the logon ID corresponds to the identifier. |
| User Attribute | The value is a user attribute configured by name and optional namespace. The service provider will search for a user for which the user attribute corresponds to the identifier. |
| Windows Name | The service provider will handle the received user identifier as if it is in the format domain/principal and will look for a user for which the domain and principal account attributes match the user identifier. |
You can use this field to configure any realms or domains for the name ID formats E-mail, Windows Name, and Kerberos, or to restrict the scope of the trusted providers. For example, you can allow user IDs ending with sap.com and ban all the others.
You can also define a group in the regular expression pattern. The extracted substring is the value of this group. For example, if you set the regular expression (.+)\Q@company.de\E, and the user's e-mail is john@company.de, then the regular expression will return john.
For example, if the service provider receives user IDs with the name John from more than one trusted provider, a prefix or a suffix to this user ID will make the ID unique. That way the service provider knows which trusted provider to authenticate against.
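The following is an added example, not code from the original page or from the service provider. It models the two mechanisms just described: a per-provider regular expression that restricts which user IDs are in scope and extracts a group when one is defined, and the parsing of the received identifier into lookup criteria for each User ID Mapping Mode. The provider names, the UME attribute names used as lookup keys, and the `resolve` function are assumptions; the page's `(.+)\Q@company.de\E` pattern uses Java-style quoting that Python's `re` module does not support, so the example builds the equivalent with `re.escape`.

```python
import re

# Hypothetical trusted providers and the user ID pattern configured for each.
TRUSTED_PROVIDERS = {
    "idp-sap": r".+@sap\.com",                          # allow sap.com, ban all others
    "idp-company": "(.+)" + re.escape("@company.de"),   # the page's example, Python form
}
# Hypothetical UME attribute names used as lookup keys for the simple modes.
SIMPLE_MODES = {"E-mail": "email", "Logon Alias": "logonalias", "Logon ID": "logonid"}


def select_provider(identifier):
    """Return (provider, value) for the first provider whose pattern accepts the
    whole identifier; value is group 1 if the pattern defines a group, otherwise
    the identifier itself. None means no trusted provider accepts this ID."""
    for provider, pattern in TRUSTED_PROVIDERS.items():
        m = re.fullmatch(pattern, identifier)
        if m:
            return provider, (m.group(1) if m.lastindex else m.group(0))
    return None


def lookup_criteria(mode, identifier, attribute=None, namespace=None):
    """Translate an identifier into the account attributes the SP must match."""
    if mode == "Kerberos Principal Name":
        principal, sep, realm = identifier.rpartition("@")
        if not (sep and principal and realm):
            raise ValueError("expected principal@realm")
        return {"principal": principal, "realm": realm}
    if mode == "Windows Name":
        domain, sep, principal = identifier.partition("/")
        if not (sep and domain and principal):
            raise ValueError("expected domain/principal")
        return {"domain": domain, "principal": principal}
    if mode == "User Attribute":
        key = attribute if namespace is None else f"{namespace}:{attribute}"
        return {key: identifier}
    return {SIMPLE_MODES[mode]: identifier}


def resolve(mode, identifier, **kw):
    """Scope check against the trusted providers, then build the lookup keys."""
    selected = select_provider(identifier)
    if selected is None:
        return None  # out of scope: the SP does not map this identifier at all
    provider, value = selected
    return provider, lookup_criteria(mode, value, **kw)
```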
These attributes provide the basis for the user on the service provider. Attributes marked as mandatory must be present and have values. Otherwise the service provider rejects the entire authentication attempt. The service provider does not create the user account without the mandatory values. You can also create a mapping between SAML attributes, and roles and groups or predefine the roles and groups to which users belong.
For more information, see the following:
For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.
Donna Moore has recently configured her network to SAML 2.0. The users are still logging in to each system with a separate user ID and password. Donna has set up a new identity provider with all the users and assigned each user a name ID. She has just upgraded her legacy systems to support SAML 2.0 as service providers. In each system she trusts the SAML 2.0 identity provider and requires the name ID format. Since all the users already know their passwords in each system, she enables interactive account linking. Whenever a user logs on to a system for the first time since conversion, the user enters his or her logon information and the service provider adds the name ID from the identity provider to the local account. Donna does not need to go through the laborious process of adding the name ID to every account in every system. The users do it themselves.