Federation Manager Guide › Federation Partnerships › User Identification (Relying Party)

User Identification (Relying Party)

Part of the relying party configuration requires that you specify a method by which Federation Manager locates a user in the local user directory. Locating the user in the user directory is the process of disambiguation. You configure the identity attribute for user disambiguation in the User Identification dialog.

Federation Manager can employ one of the following methods for the disambiguation process:

• Extract the Name ID value from the assertion.
• Use the value of a specific attribute from the assertion.
• Use the value obtained by an Xpath query.

  The Xpath query locates and extracts an attribute other than the Name ID from the assertion.

After determining which attribute is extracted from the assertion, you include this attribute in a search specification, which Federation Manager uses to locate a user in the user store. After a successful disambiguation process, Federation Manager generates a session for the user.

In the User Identification dialog you can also configure the SAML 2.0 Allow/Create feature, which lets an asserting party create a user identifier at the request of the relying party.

Single sign-on can be initiated by the relying party sending an authentication request (AuthnRequest) to the asserting party. In this request, the relying party can ask that the asserting party include a particular user attribute in the assertion. However, the value of the required attribute may not be available in the asserting party user record.

If the authentication request from the relying party includes the Allow/Create attribute and the asserting party is configured to create a new identifier, the asserting party generates a unique value as the NameID. This value is placed in the assertion and sent back to the relying party.

To configure user identification at the relying party

Note: You can click Help for a description of fields, controls, and their respective requirements.

1. Select one of the following attributes:
   • Name ID
   • An attribute from a previously populated drop-down list

     If the remote asserting entity was created based on metadata that contained attributes, the list is populated.

   • An attribute you enter

     This option is most likely used when metadata is not available and the remote asserting entity does not include any attributes.

   • An Xpath
2. (Optional—SAML 2.0 only) Select Allow IDP to create user identifier.

   This attribute instructs the asserting party to generate a new value for the NameID, if this feature is enabled at the asserting party. The Name ID format configured at the asserting party must be a persistent identifier. This new value for the NameID is included in the assertion that the asserting party returns to the relying party.

3. Specify an LDAP or ODBC search specification. If both directories are present, configure search specifications for both.
   • LDAP Example

     ou=%s,o-ca

   • ODBC Example

     name=%s

4. Click Next to continue with partnership configuration.