Part of the relying party configuration requires that you specify a method by which Federation Manager locates a user in the local user directory. Locating the user in the user directory is the process of disambiguation. You configure the identity attribute for user disambiguation in the User Identification dialog.
Federation Manager can employ one of the following methods for the disambiguation process:
The XPath query locates and extracts an attribute other than the Name ID from the assertion.
After determining which attribute is extracted from the assertion, you include this attribute in a search specification, which Federation Manager uses to locate a user in the user store. After a successful disambiguation process, Federation Manager generates a session for the user.
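As an added illustration (not Federation Manager's own code), the following Python sketch walks through the two steps described above: an XPath query pulls a non-NameID attribute out of a constructed sample assertion, and that value is then escaped into the directory search specification used to locate the user. The assertion XML, the assertion attribute name `email` and the directory attribute `mail` are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Namespace used by SAML 2.0 assertion elements.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (not from a real asserting party): the user
# is identified by an "email" attribute rather than by the transient NameID.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_sample" Version="2.0">
  <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tmp123</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def extract_attribute(assertion_xml, attr_name):
    """XPath step: return the AttributeValue of the named attribute, or None.
    attr_name is administrator configuration, not data from the assertion."""
    root = ET.fromstring(assertion_xml)
    # ElementTree's XPath subset supports the [@Name='...'] predicate.
    node = root.find(f".//saml:Attribute[@Name='{attr_name}']/saml:AttributeValue", NS)
    return node.text if node is not None else None


def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so a value taken from the
    assertion cannot change the structure of the search specification."""
    specials = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}
    return "".join(specials.get(ch, ch) for ch in value)


def build_search_spec(assertion_xml, attr_name, directory_attr="mail"):
    """Search step: the filter used to locate the user in the user store.
    Returns None when the attribute is absent, i.e. disambiguation fails
    and no session should be generated."""
    value = extract_attribute(assertion_xml, attr_name)
    if not value:
        return None
    return f"({directory_attr}={ldap_escape(value)})"


if __name__ == "__main__":
    print(build_search_spec(ASSERTION, "email"))  # (mail=alice@example.com)
```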
In the User Identification dialog you can also configure the SAML 2.0 Allow/Create feature, which lets an asserting party create a user identifier at the request of the relying party.
Single sign-on can be initiated by the relying party sending an authentication request (AuthnRequest) to the asserting party. In this request, the relying party can ask that the asserting party include a particular user attribute in the assertion. However, the value of the required attribute may not be available in the asserting party user record.
If the authentication request from the relying party includes the Allow/Create attribute and the asserting party is configured to create a new identifier, the asserting party generates a unique value as the NameID. This value is placed in the assertion and sent back to the relying party.
In the User Identification dialog, you can also enable the SiteMinder Connector.
The SiteMinder Connector is a software component included with Federation Manager. It enables a deployed SiteMinder system to integrate with Federation Manager. If you integrate SiteMinder and Federation Manager at a relying party, SiteMinder does not rechallenge users authenticated by Federation Manager when they request SiteMinder-protected resources. There is no authentication rechallenge because the Connector and a custom SiteMinder authentication scheme at the Policy Server enable the creation of a SiteMinder session for users authenticated by Federation Manager.
You can enable the SiteMinder Connector on a per-partnership basis; however, only one global SiteMinder Connector configuration applies to all partnerships. The Connector is available only when the check box in the Deployment Settings is selected and a configuration is defined. You access the Deployment Settings from the Infrastructure tab in the UI. After the Connector is enabled globally, Federation Manager evaluates the partnership configuration to determine whether the Connector is enabled for that partnership. The partnership uses the global Connector configuration.
To disable the Connector for the partnership, clear the check box at the partnership level. To disable the Connector globally, disable it in the Deployment Settings.
Important! If the Connector is disabled at the global level, Federation Manager ignores the check box at the partnership level.
Copyright © 2011 CA. All rights reserved.