As part of a single sign-on request, a Service Provider can generate an AuthnRequest that includes an attribute named AllowCreate, which is set to true. The Service Provider wants to obtain an identity for the user. Upon receiving the AuthnRequest, the Identity Provider generates an assertion. The Identity Provider searches the user's record for the attribute configured to serve as the Name ID. If the Identity Provider cannot find a value for the NameID attribute, it generates a persistent identifier, provided the Allow/Create feature is enabled.
The persistent identifier is a randomly generated ID. The Identity Provider uses this identifier as the value of the Name ID attribute and places it in the assertion. The Identity Provider then returns the assertion to the Service Provider. For example, if the NameID attribute is set to telephone and the user record has no telephone value, the NameID is set to the randomly generated identifier.
When the Service Provider receives the assertion, the SAML 2.0 authentication scheme processes the response and performs a user lookup in its local user store. If the Service Provider locates the user record, it grants the user access.
To have the Identity Provider generate a unique identifier, enable the Allow/Create feature at the Identity Provider. If you do not configure the feature, the Identity Provider does not generate the identifier. Instead, it writes an entry to the Identity Provider log file stating that a unique identifier was not created, and the normal flow of assertion generation continues.
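The decision described above, as an added illustration in Python (not CA SiteMinder code): the Identity Provider reads AllowCreate from the NameIDPolicy of the AuthnRequest, looks up the configured Name ID attribute in the user record, and falls back to a randomly generated persistent identifier only when the Service Provider requested AllowCreate and the Allow/Create feature is enabled; otherwise the gap is logged and the assertion proceeds without a Name ID. The AuthnRequest, the user records, the `telephone` attribute name and the identifier length are constructed for the example; the namespace URIs and the persistent NameID format are the standard SAML 2.0 values.

```python
# Added illustration of the Allow/Create flow; not CA SiteMinder code.
# The AuthnRequest, user records and attribute name below are constructed.
import secrets
import xml.etree.ElementTree as ET

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT_FORMAT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("saml", NS["saml"])

# Constructed AuthnRequest from the Service Provider; NameIDPolicy carries AllowCreate="true".
AUTHN_REQUEST = """<samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-1" Version="2.0" IssueInstant="2011-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/saml</saml:Issuer>
  <samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      AllowCreate="true"/>
</samlp:AuthnRequest>"""

# Constructed Identity Provider user store; bob has no telephone value.
IDP_USER_STORE = {
    "alice": {"mail": "alice@example.test", "telephone": "+1-555-0100"},
    "bob": {"mail": "bob@example.test"},
}


def sp_requests_allow_create(authn_request_xml):
    """True when the SP's NameIDPolicy sets AllowCreate to an XML-true value."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", NS)
    if policy is None:
        return False
    return policy.get("AllowCreate", "false").strip().lower() in ("true", "1")


def resolve_name_id(user_record, nameid_attribute, allow_create_requested,
                    idp_feature_enabled, log):
    """Choose the Name ID for the assertion.

    Returns {"value": str, "format": str|None, "generated": bool}, or None
    when the attribute is empty and no identifier may be generated; in that
    case the gap is logged and assertion generation continues without it.
    """
    value = user_record.get(nameid_attribute)
    if value:
        return {"value": value, "format": None, "generated": False}
    if allow_create_requested and idp_feature_enabled:
        # Randomly generated persistent identifier (the 24-byte length is an assumption).
        return {"value": secrets.token_urlsafe(24),
                "format": PERSISTENT_FORMAT, "generated": True}
    log.append(f"Name ID attribute '{nameid_attribute}' has no value; "
               "unique identifier not created (Allow/Create disabled or not requested)")
    return None


def build_name_id(name_id):
    """Render the <saml:NameID> element for the assertion; None yields no element."""
    if name_id is None:
        return None
    elem = ET.Element(f"{{{NS['saml']}}}NameID")
    if name_id["format"]:
        elem.set("Format", name_id["format"])
    elem.text = name_id["value"]
    return ET.tostring(elem, encoding="unicode")


def sp_grants_access(name_id_value, sp_user_store):
    """Service Provider side: access is granted only if the Name ID maps to a local record."""
    return name_id_value is not None and name_id_value in sp_user_store


if __name__ == "__main__":
    log = []
    requested = sp_requests_allow_create(AUTHN_REQUEST)
    for name, record in IDP_USER_STORE.items():
        nid = resolve_name_id(record, "telephone", requested, True, log)
        print(name, "->", build_name_id(nid))
    print("log:", log)
```

A freshly generated identifier matches nothing in the Service Provider's store on its own, so the last function makes visible what the text states: the Service Provider grants access only when its lookup finds a record for the Name ID it received.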
Copyright © 2011 CA. All rights reserved.