As part of the configuration at the asserting party, include a list of users and groups for which the Assertion Generator generates SAML assertions. The asserting party is either a SAML 1.x Producer, a SAML 2.0 Identity Provider, or a WS Federation Account Partner.
Note: You can only add users and groups from directories that are in an affiliate domain.
To specify users and groups for federated transactions
The User Directories page displays entries for each user directory for the policy domain.
In each user directory table, you can select Add Members, Add Entry, Add All. Depending on which method you select, a dialog opens enabling you to add users.
Note: Edit or delete a user or group by clicking the right arrow (>) or minus sign (-), respectively.
The User Directories page reopens and lists the new users in the user directory table.
You can exclude users or groups of users from obtaining an assertion.
Follow these steps:
The selection is reflected in the Administrative UI.
LDAP user directories can contain groups that have subgroups. In complex directories, groups nesting in a hierarchy of other groups is one way to organize large amounts of user information.
If you enable nested-group search, the Policy Server also searches each subgroup (and the subgroups below it) for the requested user record. If you do not enable it, the Policy Server searches only the group you specify, so a user who belongs only to a subgroup is not found and does not receive an assertion.
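The following is an added example, not code from CA or the Policy Server, showing the difference the nested-group setting makes and how an excluded entry (see the exclusion option above) removes a user from the set that receives an assertion. The directory contents, DNs and the rule "included and not excluded" are constructed assumptions for illustration; real LDAP directories expose membership through attributes such as member or uniqueMember, which the sample dictionary stands in for.

```python
# Added example (not CA's code): resolving group membership with and without
# nested-group search, modelled on LDAP group entries whose member values are
# the DNs of users or of other groups, plus an include/exclude decision.
from typing import Dict, Iterable, List, Set

# Constructed sample directory: group DN -> list of member DNs.
# Directors deliberately points back at Federation to create a cycle.
DIRECTORY: Dict[str, List[str]] = {
    "cn=Federation,ou=Groups,o=example": [
        "cn=Managers,ou=Groups,o=example",
        "uid=alice,ou=People,o=example",
    ],
    "cn=Managers,ou=Groups,o=example": [
        "cn=Directors,ou=Groups,o=example",
        "uid=bob,ou=People,o=example",
    ],
    "cn=Directors,ou=Groups,o=example": [
        "uid=carol,ou=People,o=example",
        "cn=Federation,ou=Groups,o=example",  # cycle back to the top group
    ],
}


def is_group(dn: str) -> bool:
    """A DN is a group if the sample directory has a member list for it."""
    return dn in DIRECTORY


def members(group_dn: str, nested: bool) -> Set[str]:
    """Return the user DNs that are members of group_dn.

    nested=False returns only direct user members (the behaviour when
    nested-group search is off). nested=True expands subgroups as well; the
    visited set stops the expansion from looping on cyclic group references.
    """
    users: Set[str] = set()
    visited: Set[str] = set()
    stack = [group_dn]
    while stack:
        current = stack.pop()
        if current in visited:
            continue
        visited.add(current)
        for member in DIRECTORY.get(current, []):
            if is_group(member):
                if nested:
                    stack.append(member)
            else:
                users.add(member)
    return users


def covered_by(user_dn: str, entries: Iterable[str], nested: bool) -> bool:
    """True if user_dn is named directly or is a member of a listed group."""
    for entry in entries:
        if entry == user_dn:
            return True
        if is_group(entry) and user_dn in members(entry, nested):
            return True
    return False


def gets_assertion(user_dn: str, included: List[str],
                   excluded: List[str], nested: bool) -> bool:
    """Assumed rule: the user must match an included entry and no excluded one."""
    return (covered_by(user_dn, included, nested)
            and not covered_by(user_dn, excluded, nested))


if __name__ == "__main__":
    top = "cn=Federation,ou=Groups,o=example"
    print("direct only:", sorted(members(top, nested=False)))
    print("nested:     ", sorted(members(top, nested=True)))
    print("carol, nested off:",
          gets_assertion("uid=carol,ou=People,o=example", [top], [], False))
    print("carol, nested on: ",
          gets_assertion("uid=carol,ou=People,o=example", [top], [], True))
```

With nested search off, only alice is found under Federation; with it on, bob and carol are found too, and the cycle through Directors terminates because each group is expanded once. Excluding Managers with nested search on also removes carol, since the exclusion is expanded the same way as the inclusion.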
To enable searching in nested groups
If the associated affiliate domain contains more than one user directory, each user directory appears in its own section.
When you specify users for assertion generation, one of the options is to identify users by manual entry.
Follow these steps:
If the affiliate domain contains more than one user directory, all the directories appear on the User Directories page.
The User Directory Search Express Edit page displays.
For LDAP directories, select an option from the drop-down list:
The LDAP search locates the DN that you enter in the directory.
LDAP search is limited to matches in user entries.
LDAP search is limited to matches in group entries.
LDAP search is limited to matches in organization entries.
LDAP search is limited to matches in user, group, and organization entries.
For Microsoft SQL Server, Oracle and WinNT directories, enter a user name in the Manual Entry field.
For a Microsoft SQL Server or Oracle directory, you can enter a SQL query instead. For example:
SELECT NAME FROM EMPLOYEE WHERE JOB = 'MGR';
The Policy Server performs the query as the database user specified in the Username field of the Credentials and Connection tab for the user directory. Because the query runs with whatever privileges that account holds, grant the account read-only access to the user tables and limit who can edit this field. When constructing the SQL statement for the Manual Entry field, be familiar with the database schema for the user directory. For example, if you are using the SmSampleUsers schema and you want to add specific users, select a user entry from the SmUser table.
Note: For an LDAP directory, enter all in the Manual Entry field to add all directory entries.
Copyright © 2013 CA.
All rights reserved.