Federation Guides › Legacy Federation Guide › Configure a WS-Federation Account Partner › Select Users for Which Assertions are Generated

Select Users for Which Assertions are Generated

As part of the configuration at the asserting party, include a list of users and groups for which the Assertion Generator generates SAML assertions. The asserting party is either a SAML 1.x Producer, a SAML 2.0 Identity Provider, or a WS Federation Account Partner.

You can only add users and groups from directories that are in an affiliate domain.

To specify users and groups for federated transactions

1. Navigate to the Users settings for the partner you are configuring.

   The User Directories page displays entries for each user directory for the policy domain.

2. Add users or groups from the user directory to the policy.

   In each user directory table, you can select Add Members, Add Entry, Add All. Depending on which method you select, a dialog opens enabling you to add users.

   • If you select Add Members, the User/Groups pane opens. Individual users are not displayed automatically. Use the search utility to find a specific user within one of the directories.
   • If you select Add Entry, select users by manual entry in the User Directory Search Expression Edit dialog.

   Edit or delete a user or group by clicking the right arrow (>) or minus sign (-), respectively.

3. Select individual users, user groups, or both using whatever method and click OK.

   The User Directories page reopens and lists the new users in the user directory table.

More information:

Exclude a User or Group from Access to a Resource

Allow Nested Groups Access to Resources

Add Users by Manual Entry

Exclude a User or Group from Access to a Resource

You can exclude users or groups of users from obtaining an assertion.

Follow these steps:

1. Navigate to the User settings.
2. Select a user or group from the list for a particular user directory.
3. Click Exclude to exclude the selected user or group.

   The selection is reflected in the Administrative UI.

4. Click OK to save your changes.

Allow Nested Groups Access to Resources

LDAP user directories can contain groups that have subgroups. In complex directories, groups nesting in a hierarchy of other groups is one way to organize large amounts of user information.

If you enable a search for users in nested groups, any nested group is searched for the requested user record. If you do not enable nested groups, the Policy Server only searches the group you specify.

To enable searching in nested groups

1. Navigate to the Users settings.

   If the associated affiliate domain contains more than one user directory, each user directory appears in its own section.

2. Select the Allow Nested Groups check box to enable searching within nested groups.

Add Users by Manual Entry

When you specify users for assertion generation, one of the options is to identify users by manual entry.

Follow these steps:

1. Navigate to the Users settings for the partner you are configuring.

   If the affiliate domain contains more than one user directory, all the directories appear on the User Directories page.

2. Click Add Entry.

   The User Directory Search Express Edit page displays.

3. Select the search option then complete the fields for that search option.

   Where to Search

   For LDAP directories, select an option from the drop-down list:

   Validate DN

   LDAP search locates this DN in the directory.

   Search Users

   LDAP search is limited to matches in user entries.

   Search Groups

   LDAP search is limited to matches in group entries.

   Search Organizations

   LDAP search is limited to matches in organization entries.

   Search Any Entry

   LDAP search is limited to matches in user, group, and organization entries.

   • For Microsoft SQL Server, Oracle and WinNT directories, you can enter a user name in the Manual Entry field.
   • For a Microsoft SQL Server or Oracle, you can enter a SQL query instead. For example:

     SELECT NAME FROM EMPLOYEE WHERE JOB =’MGR’;

     The Policy Server performs the query as the database user specified in the Username field of the Credentials and Connection tab for the user directory. When constructing the SQL statement for the Manual Entry field, be familiar with the database schema for the user directory. For example, if you are using the SmSampleUsers schema and you want to add specific users, select a user entry from the SmUser table.

   • For an LDAP directory, enter all in the Manual Entry field to add all directory entries.
4. Click OK to save your changes.