Previous Topic: How to Configure a SAML 2.0 Authentication SchemeNext Topic: Configure Single Sign-on at the SP


Locate User Records for SAML 2.0 Authentication

When you configure an authentication scheme, you define a way for the authentication scheme to look up a user in the local user store. After the correct user is located, the system generates a session for that user. Locating the user in the user store is the process of disambiguation. How CA SiteMinder® disambiguates a user depends on the configuration of the authentication scheme.

For successful disambiguation, the authentication scheme first determines a LoginID from the assertion. The LoginID is a CA SiteMinder®-specific term that identifies the user. By default, the LoginID is extracted from the Name ID in the assertion. You can also obtain the LoginID using an Xpath query.

After the authentication scheme determines the LoginID, CA SiteMinder® checks if a search specification is configured for the authentication scheme. If no search specification is defined for the authentication scheme, the LoginID is passed to the Policy Server. The Policy Server uses the LoginID together with the user store search specification to locate the user. For example, the LoginID value is Username and the LDAP search specification is set to the uid attribute. The Policy Server uses the uid value (Username=uid) to locate the user.

If you configure a search specification for the authentication scheme, the LoginID is not passed to the Policy Server. Instead, the search specification is used to locate a user.

You can configure user disambiguation in one of two ways:

Configure Disambiguation Locally as Part of the Authentication Scheme

If you choose to disambiguate locally, there are two steps in the process:

  1. Obtain the LoginID by the default behavior or by using an Xpath query.
  2. Locate the user in the user store by the default behavior or defining a user lookup.

Note: The use of Xpath and a search specification are optional.

Obtain the LoginID

You can find the LoginID in two ways:

To use an Xpath query to determine the LoginID

  1. Navigate to the SAML 2.0 authentication scheme.
  2. Click SAML 2.0 Configuration.
  3. From the SAML 2.0 properties page, enter an Xpath query that the authentication scheme uses to obtain a LoginID.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

    Xpath queries must not contain namespace prefixes. The following example is an invalid Xpath query:

    /saml:Response/saml:Assertion/saml:AuthenticationStatement/
    saml:Subject/saml:NameIdentifier/text()
    

    The valid Xpath query is:

    //Response/Assertion/AuthenticationStatement/Subject/
    NameIdentifier/text()
    
  4. Click OK to save your configuration changes.
Configure a User Lookup to Locate a User

After you obtain the LoginID, you can configure a user lookup to locate the user in place of the default behavior, where the LoginID is passed to the Policy Server.

To locate a user with a search specification

  1. Navigate to the SAML 2.0 authentication scheme.
  2. Click SAML 2.0 Configuration.
  3. In the User Lookup section, enter a search specification in the appropriate namespace field. The search specification defines the attribute that the authentication scheme uses to search a namespace. Use %s as the entry representing the LoginID.

    For example, the LoginID has a value of user1. If you specify Username=%s in the Search Specification field, the resulting string is Username=user1. This string is verified against the user store to find the correct record for authentication.

    Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

  4. Click OK to save your configuration changes.
Use a SAML Affiliation to Locate a User Record (Optional)

A group of Service Providers can form an affiliation. Grouping Service Providers establishes an association across the federated network, such that a relationship with one member of an affiliation establishes a relationship with all members of the affiliation.

All Service Providers in an affiliation share the name identifier for a single principal. If one Identity Provider authenticates a user and assigns that user an ID, all members of the affiliation use that same name ID. The single name ID reduces the configuration that is required at each Service Provider. Additionally, using one name ID for a principal saves storage space at the Identity Provider.

You can use the optional Xpath query and search specification for user disambiguation. These options are defined as part of the affiliation itself and not part of the authentication scheme.

Note: Define an affiliation first before using it in an authentication scheme configuration.

To select an affiliation

  1. Navigate to the SAML 2.0 authentication scheme page.
  2. Click SAML 2.0 Configuration.
  3. In the General settings.
  4. In the User Disambiguation section, select a predefined affiliation in the SAML Affiliation drop-down field. These affiliations are configured at the Identity Provider.