Mapping SAML 2.0 Attributes for Transient Users

The Security Assertion Markup Language (SAML) 2.0 assertion should include all the attributes you need to map the transient user to the service user on the service provider. Exactly what is transported is a matter of negotiation between you and the operator of the identity provider. The identity provider sends the attributes as attribute=value pairs. You need to know the name of the SAML 2.0 attribute and what kind of value it carries so you can map it to the appropriate service user. Use this procedure to map service users to SAML 2.0 attributes.

Prerequisites

  • You have configured the service provider to trust an identity provider and use the transient name ID format.

    For more information, see Configuring Identity Federation with Transient Users.

  • You have negotiated with the administrator of the identity provider which SAML 2.0 attributes you can expect to receive.

  • You have created any service users on the service provider to match all possible combinations of SAML attributes and values.

    If the service provider receives an assertion for a user that does not match any particular service user, the service provider rejects the assertion, unless you have configured a default service user.

    The service users used for mapping must be service users (type S) or dialog users (type A).

Procedure

  1. Under Service User Mapping, choose the Add pushbutton.

  2. Enter the name of a service user.

  3. Choose the Modify Condition pushbutton.

  4. Define the combination of SAML 2.0 attributes and values that map to the user you chose.

    1. Choose the Add pushbutton.

    2. Enter the following data:

      Parameter            Entry
      SAML 2.0 Attribute   Name of the attribute as sent by the identity provider in the SAML 2.0 assertion.
      Value                The value the attribute must have to map the transient user to the service user.

    3. Add additional attributes and values as needed.

  5. Save your entries.

  6. Add additional users as needed.

  7. Sort the service users.

    The service provider checks the conditions for choosing a service user in this order and uses the service user whose set of conditions is the first to match.

    • If no user matches, the service provider takes the default service user.

    • If no default service user is configured, the service provider refuses the assertion.
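The procedure above describes an ordered, first-match evaluation of attribute=value conditions with an optional default user. The following Python script is an added worked example of that evaluation logic, not SAP's implementation: it reads the attributes out of a constructed SAML 2.0 assertion fragment (including a multi-valued attribute), walks a constructed rule list in its sorted order, and shows why rule order matters when a broad rule would shadow a more specific one. The attribute names, values, service user names and issuer URL are all made up for illustration.

```python
"""Added example (not SAP's code): evaluate ordered service-user mapping
rules against the attributes of a SAML 2.0 assertion.

The rule order, first-match semantics and default-user fallback follow the
procedure in the text; the XML is a minimal constructed SAML 2.0
AttributeStatement, and every name and value here is hypothetical.
"""
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (transient NameID, two attributes, one of
# them multi-valued). Not captured from any real identity provider.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.test/saml2</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_abc123</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="department">
      <saml:AttributeValue>finance</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="role">
      <saml:AttributeValue>reader</saml:AttributeValue>
      <saml:AttributeValue>approver</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attributes(assertion_xml: str) -> dict[str, set[str]]:
    """Return {attribute name: set of values} from the AttributeStatement.

    Keeping a set per attribute preserves multi-valued attributes, so a
    rule can match on any one of the values the identity provider sent.
    """
    root = ET.fromstring(assertion_xml)
    attrs: dict[str, set[str]] = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        name = attr.get("Name")
        if name is None:
            continue
        values = {(v.text or "").strip()
                  for v in attr.findall("saml:AttributeValue", SAML_NS)}
        attrs.setdefault(name, set()).update(values)
    return attrs


def rule_matches(conditions: dict[str, str], attrs: dict[str, set[str]]) -> bool:
    """Every attribute=value pair of the rule must be present in the assertion."""
    return all(value in attrs.get(name, set()) for name, value in conditions.items())


def choose_service_user(rules, attrs, default_user=None):
    """Walk the rules in their sorted order and return the first match.

    Returns the default user when nothing matches and one is configured;
    returns None when the service provider should refuse the assertion.
    """
    for service_user, conditions in rules:
        if rule_matches(conditions, attrs):
            return service_user
    return default_user


# Constructed rule list in sorted order. The most specific rule comes first:
# if FINANCE_READER were listed before FINANCE_APPROVER, every finance user
# carrying the approver role would still be mapped to FINANCE_READER and the
# approver rule would never be reached.
RULES = [
    ("FINANCE_APPROVER", {"department": "finance", "role": "approver"}),
    ("FINANCE_READER", {"department": "finance"}),
    ("HR_READER", {"department": "hr"}),
]

if __name__ == "__main__":
    attrs = extract_attributes(SAMPLE_ASSERTION)
    print(attrs)
    print(choose_service_user(RULES, attrs, default_user="GUEST"))
```

When checking a mapping configuration, the case worth exercising is the reversed rule order: with the broad department-only rule sorted first, the same assertion maps to the less specific user, which is exactly the shadowing the sort step in the procedure is meant to prevent.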