Configure User Identification

Identify the attribute for user disambiguation in the User Identification dialog.

Note: Click Help for a description of fields, controls, and their respective requirements.

To configure user identification at the relying party

  1. Select one of the following attributes:
  2. (Optional—SAML 2.0 only) Select Allow IDP to create user identifier.

    This option instructs the asserting party to generate a new value for the NameID, provided the feature is enabled at the asserting party. The Name ID format configured at the asserting party must be a persistent identifier. The new NameID value is included in the assertion that the asserting party returns to the relying party.

  3. Specify an LDAP or ODBC search specification. If both directories are present, configure search specifications for both. At run time, %s is replaced with the value of the attribute selected for user identification.
    LDAP Example

    ou=%s,o=ca

    ODBC Example

    name=%s

  4. (Optional) Configure the SiteMinder Connector settings:
    1. If Federation Manager is integrating with an existing SiteMinder deployment, enable the SiteMinder Connector by selecting the check box.
    2. (Optional) Clear the Enforce UserDN and Directory Name Comparison check box so that Federation Manager or SiteMinder uses a Universal ID to retrieve a user record. The Universal ID allows the user directories to be physically different and of different types. A match on the Universal ID is sufficient to regard the retrieved user record as the correct record.

      Note: If you rely on the Universal ID, each user must have a unique Universal ID. If the Universal IDs are not unique, the system accessing the user record can retrieve the wrong record.

      If you leave the check box selected (the default), Federation Manager and SiteMinder must use the same physical directory. The name for both of these directories must be the same for user store lookups. The entity authenticating the user compares the information that the user provides against the UserDN and the Directory Name of the user record.

  5. Click Next to continue with partnership configuration.
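The following is an added illustration, not Federation Manager or SiteMinder code, of the two behaviours described above: substituting the identifying attribute into the LDAP search specification ou=%s,o=ca (with RFC 4514 escaping of the value so the resulting DN keeps its intended structure) and retrieving a record by Universal ID while refusing the lookup when the Universal ID is not unique. The directory contents, the AmbiguousUserError class and all function names are constructed for the example.

```python
"""Hypothetical illustration (not Federation Manager code): resolving a user
from the attribute substituted into a search spec such as ``ou=%s,o=ca``,
and enforcing the Universal ID uniqueness requirement."""
from typing import Dict, List, Optional

_DN_SPECIAL = ',+"\\<>;'  # RFC 4514: must be backslash-escaped in a DN value

class AmbiguousUserError(Exception):
    """Raised when a Universal ID lookup does not match exactly one record."""

def escape_dn_value(value: str) -> str:
    """Escape an attribute value for safe substitution into a DN (RFC 4514)."""
    out = []
    for i, ch in enumerate(value):
        if ch in _DN_SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, len(value) - 1):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)

def render_search_spec(spec: str, identifier: str) -> str:
    """Substitute the disambiguation attribute for the single %s in the spec."""
    if spec.count("%s") != 1:
        raise ValueError("search specification must contain exactly one %s")
    return spec.replace("%s", escape_dn_value(identifier))

# Constructed sample directory; the duplicate Universal ID is deliberate.
DIRECTORY: List[Dict[str, str]] = [
    {"dn": "ou=alice,o=ca", "universalid": "u-1001"},
    {"dn": "ou=smith\\, j,o=ca", "universalid": "u-1002"},
    {"dn": "ou=carol,o=ca", "universalid": "u-1002"},
]

def find_by_search_spec(spec: str, identifier: str) -> Optional[Dict[str, str]]:
    """Return the record whose DN equals the rendered search specification."""
    dn = render_search_spec(spec, identifier)
    return next((r for r in DIRECTORY if r["dn"] == dn), None)

def find_by_universal_id(universal_id: str) -> Dict[str, str]:
    """Return the record for a Universal ID; refuse to guess when not unique."""
    matches = [r for r in DIRECTORY if r["universalid"] == universal_id]
    if len(matches) != 1:
        raise AmbiguousUserError(f"{len(matches)} records match {universal_id!r}")
    return matches[0]
```

A real directory normalizes DNs before comparison; the exact string match here is only to keep the example self-contained.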