The Security Assertion Markup Language (SAML) 2.0 assertion should include all the attributes you need for the user in the service provider. Exactly which attributes are transported is a matter of negotiation between you and the operator of the identity provider. The identity provider sends the attributes as attribute=value pairs. You need to know the name of each SAML 2.0 attribute and what kind of value it carries so you can map it to user attributes in AS Java. If the SAML 2.0 assertion includes all the required attributes, the service provider creates a user in memory and populates the mapped profile attributes with values. Use this procedure to define the mapping and thereby determine the attributes and access rights of the users it creates.
You have configured the service provider to trust an identity provider and to use the federation type Persistent Users (Advanced) or the federation type Virtual Users.
For more information, see:
You have negotiated with the administrator of the identity provider to determine which SAML 2.0 attributes you can expect to receive.
You have created any custom attributes you need on the service provider.
For more information, see Adding Custom User Attributes for SAML.
You have selected the Update attributes, roles, and groups at login checkbox.
You can configure the following:
Default user attributes
Assertion-based user attribute mappings
Assertion-based role and group assignments
Default user role and group assignments
Assigning Default User Attributes
Default user attributes are always assigned to users once the SAML authentication is successful.
On the Default User Attributes tab, choose the Add pushbutton.
Select a user attribute from the list of predefined user attributes.
Enter the value for the attribute.
Choose OK .
Add additional attributes as needed.
Save your entries.
Assigning Assertion-Based User Attributes
On the Assertion-Based User Attributes tab, choose the Add pushbutton.
Enter the following data:
Parameter | Entry
---|---
SAML2 Attribute | Name of the attribute as sent by the identity provider in the SAML 2.0 assertion.
User Attribute | Name of the AS Java user attribute. Choose from the predefined user attributes list.
Is Mandatory | Select this option if you want the service provider to require this attribute (reject the SAML assertion if this attribute is missing).
Add additional attributes as needed.
Save your entries.
Assigning Assertion-Based User Roles and Groups
SAML 2.0 attributes can also carry information about role or group membership. Based on the value of a SAML 2.0 attribute, the service provider can assign groups or roles to a user. In this way, the administrator of the identity provider can determine the access rights of the users, from the roles and groups you provide.
On the Assertion-Based User Roles tab or the Assertion-Based User Groups tab, choose the Add pushbutton.
Choose the Modify pushbutton.
Choose the Add pushbutton.
Enter the following data:
Parameter | Entry
---|---
SAML2 Attribute | Name of the attribute sent by the identity provider carrying the role or group membership information.
Value | Enter the value to map to specific roles or groups.
Choose the Browse pushbutton.
Search for the roles or groups to assign to the user when the assertion includes the SAML 2.0 attribute with the defined value.
Save your entries.
Assigning Default User Roles and Groups
You can assign roles and groups to which all users belong by default. These are in addition to the built-in groups Everyone, Anonymous Users, and Authenticated Users, and any roles assigned to these built-in groups. In this way, you can determine what access rights all users are granted by default.
On the Default User Roles tab or the Default User Groups tab, choose the Modify pushbutton.
Search for groups or roles and choose the Add pushbutton.
Save your entries.
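As an added illustration of the four mapping tabs described above (default attributes, assertion-based attributes with Is Mandatory, assertion-based roles and groups keyed on an attribute value, and default roles and groups), the following Python sketch applies such rules to a constructed SAML 2.0 AttributeStatement. It is not SAP's code or the AS Java implementation; the attribute names, the role and group names and the CONFIG layout are assumptions chosen for the example.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Constructed sample AttributeStatement; signature, subject and conditions are omitted.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="givenName"><saml:AttributeValue>Jane</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf">
      <saml:AttributeValue>finance</saml:AttributeValue>
      <saml:AttributeValue>auditors</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Hypothetical configuration mirroring the four tabs described on the page.
CONFIG = {
    "default_attributes": {"country": "DE"},
    # SAML2 Attribute -> (AS Java user attribute, Is Mandatory)
    "attribute_mappings": {"mail": ("email", True), "givenName": ("firstname", False), "telephoneNumber": ("telephone", False)},
    # (SAML2 Attribute, Value) -> roles or groups to assign when that value is present
    "role_mappings": {("memberOf", "finance"): ["FinanceUser"], ("memberOf", "admins"): ["Administrator"]},
    "group_mappings": {("memberOf", "auditors"): ["Audit Readers"]},
    "default_roles": ["PortalUser"], "default_groups": [],
}

class AssertionRejected(Exception):
    """Raised when a mapping marked Is Mandatory finds no attribute in the assertion."""

def extract_attributes(xml_text):
    """Return {SAML attribute name: [values]} from the AttributeStatement."""
    return {a.get("Name"): [v.text or "" for v in a.findall("saml:AttributeValue", NS)]
            for a in ET.fromstring(xml_text).findall(".//saml:AttributeStatement/saml:Attribute", NS)}

def federate_user(xml_text, config):
    """Build the in-memory user (attributes, roles, groups) that the mapping rules produce."""
    attrs = extract_attributes(xml_text)
    profile = dict(config["default_attributes"])          # defaults are always assigned
    for saml_name, (user_attr, mandatory) in config["attribute_mappings"].items():
        values = attrs.get(saml_name)
        if values:
            profile[user_attr] = values[0]
        elif mandatory:                                     # Is Mandatory: reject the assertion
            raise AssertionRejected(f"mandatory SAML2 attribute missing: {saml_name}")
    roles, groups = set(config["default_roles"]), set(config["default_groups"])
    for mapping, target in (("role_mappings", roles), ("group_mappings", groups)):
        for (saml_name, value), names in config[mapping].items():
            if value in attrs.get(saml_name, []):           # a matching value grants the assignment
                target.update(names)
    return {"attributes": profile, "roles": sorted(roles), "groups": sorted(groups)}
```

Note that a non-mandatory mapping whose attribute is absent (telephoneNumber here) is simply skipped, while a missing mandatory attribute causes the whole assertion to be rejected rather than a partial user being created.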