Configuring Out-of-Band Account Linking

The service provider states in the SAML authentication request it sends to the identity provider which name ID format it requires. If the identity provider supports that format, it returns a name ID in that format in the SAML response, together with any attributes. Identity federation is the mapping of the name ID returned by the identity provider to a user account on the service provider. Without this mapping, no federation can exist. With out-of-band account linking, the mapping is maintained on the service provider in advance (in the user master record or in a mapping table) rather than being established during logon.

Prerequisites

You have trusted an identity provider.

For more information, see Trusting an Identity Provider.

Procedure

  1. Start the SAML 2.0 configuration application (transaction SAML2).

  2. On the Trusted Providers tab, select an identity provider and choose the Edit pushbutton.

  3. On the Identity Federation tab, choose the Add pushbutton.

  4. Choose a name ID format and source.

    The service provider requests this name ID format from the trusted identity provider. When the SAML response arrives, the service provider uses the source to decide where it searches for a user matching the name ID string the identity provider returned. The search must return exactly one user; if it returns none or several, logon fails.

    Exception: The transient and persistent name ID formats offer more possibilities than the lookup described here.

    Name ID Formats for Out-of-Band Account Linking

    Name ID Format       Source                          Description
    E-mail               E-mail address                  Searches for the user based on the e-mail address
    Kerberos             Mapping in USREXTID table       Searches for the user in the USREXTID table
    Persistent           Mapping in SAML2_PIDFED table   Searches for the user in the SAML2_PIDFED table
    Unspecified          Logon ID                        Searches for the user based on the logon ID
                         Logon alias                     Searches for the user based on the logon alias
                         Mapping in USREXTID table       Searches for the user in the USREXTID table
    Windows Name         Mapping in USREXTID table       Searches for the user in the USREXTID table
    X509 Subject Name    Mapping in USREXTID table       Searches for the user in the USREXTID table

    Note

    The Persistent name ID format allows for other configuration options when not using out-of-band account linking. For more information, see Configuring Identity Federation with Persistent Pseudonyms.

  5. Save your entries.

  6. Make sure users have data for the source the service provider searches:

    • For the E-mail name ID format, make sure each user has an e-mail address in their user account, and that no two user accounts share the same address, because the search must return a single user. Use transaction SU01.

    • For name ID formats that use the USREXTID table, configure the mapping between the external ID you expect from the identity provider and the user.

      For more information, see Mapping Users in Table USREXTID.

    • For the logon ID and logon alias of the Unspecified name ID format, use transaction SU01 to edit these attributes of the user account.

    • For the Persistent name ID format, we recommend that you do not maintain the SAML2_PIDFED table manually, but populate it with automatic account linking instead.

    For more information about how to check name IDs on the service provider, see Managing Name IDs.

  7. Configure the identity provider to send a name ID, in the requested format, whose value matches exactly one user on the service provider (a 1:1 match).

    For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.

Example

Donna Moore has configured her service provider to require the E-mail name ID format. A trusted identity provider sends her service provider a SAML response with Laurent.Becker@example.com as the subject name ID. The service provider searches for a user with that value as an e-mail address. If the result is a single user, logon succeeds.

Laurent Becker has a different user ID on the service provider and the identity provider, but his e-mail address is the same in both systems. A simple mapping would be to have the identity provider use the E-mail name ID format, too.

Now imagine that the identity provider uses the e-mail address as its user ID and has no separate e-mail attribute, so it cannot issue the E-mail name ID format. It then returns the user ID with the Unspecified name ID format, and Donna must reconfigure her service provider to match: she configures it to request the Unspecified name ID format with the USREXTID table as source, and maintains in USREXTID the mapping from the e-mail address (the external ID) to the user ID on the service provider.
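The lookup that steps 4 to 7 configure, and the two situations in the example above, as an added model written for this page; it is not SAP code and does not reproduce the real USREXTID or SAML2_PIDFED layouts. The user IDs, e-mail addresses, persistent ID, issuer URL and source labels are constructed, and the model assumes the response signature, issuer trust and audience checks have already passed before the subject is looked up. It shows where each name ID format is searched, that a response in a format other than the requested one is rejected, and that a lookup returning no user or several users fails the logon.

```python
# Added example, not SAP code: a model of how the service provider resolves the
# subject of a SAML response to one user under out-of-band account linking.
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Standard SAML name ID format URIs for the formats listed in step 4.
EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"
X509_SUBJECT = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
WINDOWS_NAME = "urn:oasis:names:tc:SAML:1.1:nameid-format:WindowsDomainQualifiedName"
KERBEROS = "urn:oasis:names:tc:SAML:2.0:nameid-format:kerberos"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Sources the service provider can search (labels are this example's own).
EMAIL_ADDRESS, LOGON_ID, LOGON_ALIAS, USREXTID_MAPPING, PIDFED_MAPPING = (
    "e-mail address", "logon ID", "logon alias", "USREXTID", "SAML2_PIDFED")

# Valid format/source combinations, as in the table in step 4.
ALLOWED_SOURCES = {
    EMAIL: {EMAIL_ADDRESS},
    KERBEROS: {USREXTID_MAPPING},
    PERSISTENT: {PIDFED_MAPPING},
    UNSPECIFIED: {LOGON_ID, LOGON_ALIAS, USREXTID_MAPPING},
    WINDOWS_NAME: {USREXTID_MAPPING},
    X509_SUBJECT: {USREXTID_MAPPING},
}

# Constructed user master data (what SU01 maintains), keyed by logon ID.
USERS = {
    "LBECKER01": {"email": "Laurent.Becker@example.com", "alias": "lbecker"},
    "DMOORE": {"email": "Donna.Moore@example.com", "alias": "dmoore"},
    # Two accounts share one mailbox, so an e-mail lookup on it is not unique.
    "SVC_A": {"email": "ops@example.com", "alias": "svc-a"},
    "SVC_B": {"email": "ops@example.com", "alias": "svc-b"},
}
# Constructed stand-in for USREXTID: (name ID format, external ID) -> logon ID.
USREXTID = {
    (UNSPECIFIED, "Laurent.Becker@example.com"): "LBECKER01",
    (X509_SUBJECT, "CN=Donna Moore,O=Example Corp,C=US"): "DMOORE",
}
# Constructed stand-in for SAML2_PIDFED: (identity provider, persistent ID) -> logon ID.
SAML2_PIDFED = {
    ("https://idp.example.com", "7f2d9c1e-6b4a-4e0f-9d3b-1a2b3c4d5e6f"): "DMOORE",
}

class LogonFailed(Exception):
    """Raised when the subject does not map to exactly one user."""

def make_assertion(name_id_format, value, issuer="https://idp.example.com"):
    """Build a minimal constructed assertion. A real one is signed; this model
    assumes the signature, issuer-trust and audience checks already passed."""
    return (
        '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">'
        f"<saml:Issuer>{issuer}</saml:Issuer><saml:Subject>"
        f'<saml:NameID Format="{name_id_format}">{value}</saml:NameID>'
        "</saml:Subject></saml:Assertion>"
    )

def find_candidates(issuer, name_id_format, value, source):
    """Every logon ID the configured source yields for the name ID (exact match)."""
    if source == EMAIL_ADDRESS:
        return [u for u, d in USERS.items() if d["email"] == value]
    if source == LOGON_ID:
        return [value] if value in USERS else []
    if source == LOGON_ALIAS:
        return [u for u, d in USERS.items() if d["alias"] == value]
    if source == USREXTID_MAPPING:
        user = USREXTID.get((name_id_format, value))
        return [user] if user else []
    if source == PIDFED_MAPPING:
        user = SAML2_PIDFED.get((issuer, value))
        return [user] if user else []
    raise ValueError(f"unknown source {source!r}")

def resolve_user(assertion_xml, requested_format, source):
    """Map the assertion subject to exactly one logon ID, or fail the logon."""
    if source not in ALLOWED_SOURCES[requested_format]:
        raise ValueError(f"{source} is not a valid source for {requested_format}")
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if name_id is None:
        raise LogonFailed("assertion carries no NameID")
    # Per SAML 2.0, a NameID without a Format attribute counts as unspecified.
    fmt = name_id.get("Format", UNSPECIFIED)
    if fmt != requested_format:
        raise LogonFailed(f"identity provider returned {fmt}, expected {requested_format}")
    value = (name_id.text or "").strip()
    candidates = find_candidates(issuer, fmt, value, source)
    if len(candidates) != 1:
        raise LogonFailed(f"{len(candidates)} users match {value!r}; exactly one is required")
    return candidates[0]

def try_logon(assertion_xml, requested_format, source):
    """The logon ID on success, None when the service provider rejects the logon."""
    try:
        return resolve_user(assertion_xml, requested_format, source)
    except LogonFailed:
        return None
```

Donna's first setup is `try_logon(make_assertion(EMAIL, "Laurent.Becker@example.com"), EMAIL, EMAIL_ADDRESS)`, which resolves to the single user carrying that address; her fallback is the same name ID value sent as Unspecified and resolved through the USREXTID stand-in. The shared `ops@example.com` mailbox shows the failure mode from step 4: two users match, so the logon is refused rather than picking one. Persistent IDs are keyed by issuer as well as value, so the same pseudonym from a different identity provider does not resolve.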