The User Identification step lets you specify which identity attribute in the assertion the relying party uses to find users in its user store. The process of locating the user in the user directory is called disambiguation.
For the SiteMinder Agent for SAP Web AS, the user identity is that of the user on the SAP Web AS system. This user identity is the one you want to assert to the SAP Web AS.
Select one of the following methods for the user identification process:
Instructs the relying party to use the value of the NameID element in the assertion to locate the correct user record.
Instructs the relying party to use the value of a specific attribute from the assertion to locate the correct user record. These attributes are defined at the asserting party and included in the assertion, so the relying party must know which attributes the asserting party is going to send in the assertion. You can use this option, for example, if the Name ID is transient and changes regularly.
Select a predefined attribute from the drop-down list or enter an attribute directly in the text box. This list is populated if the remote asserting entity was created based on metadata that contained attributes.
Instructs the relying party to use information from the assertion that the XPath search string defines. For example, you can configure the relying party to look for the entityID and use that attribute to locate a user record. After you determine which attribute is extracted from the assertion, include the attribute in a search specification that Federation Manager uses to locate a user in the user store.
After a successful disambiguation process, Federation Manager generates a session for the user.
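The three identification methods and the search-specification step can be sketched as follows. This is an added illustration, not Federation Manager code: the function names, the `(uid=%s)` template form, the in-memory directory and the sample assertion are assumptions, and the assertion's signature is assumed to have been verified before this point.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion (signature omitted; assumed verified earlier).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.test</saml:Issuer>
  <saml:Subject><saml:NameID>_a91f3c-transient</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>jdoe@example.test</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe)(uid=*</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def extract_identity(xml_text, method, selector=None):
    """Return the identity value chosen by 'nameid', 'attribute' or 'xpath'."""
    root = ET.fromstring(xml_text)
    if method == "nameid":
        path = "./saml:Subject/saml:NameID"
    elif method == "attribute":
        path = f"./saml:AttributeStatement/saml:Attribute[@Name='{selector}']/saml:AttributeValue"
    elif method == "xpath":
        path = selector  # administrator-supplied search string
    else:
        raise ValueError(f"unknown method: {method}")
    hits = root.findall(path, NS)
    if len(hits) != 1 or not (hits[0].text or "").strip():
        raise LookupError("assertion must yield exactly one non-empty value")
    return hits[0].text.strip()

def ldap_escape(value):
    """Escape RFC 4515 filter metacharacters so the value stays a literal."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def search_spec(template, value):
    """Fill a search specification such as '(mail=%s)' with the escaped value."""
    return template.replace("%s", ldap_escape(value))

def disambiguate(directory, attr, value):
    """Accept the lookup only when exactly one directory record matches."""
    matches = [u for u in directory if u.get(attr) == value]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} records match {attr}")
    return matches[0]
```

Because the extracted value originates at the asserting party, it is escaped before it enters the search specification, and zero or multiple matches are treated as a failed disambiguation rather than picking a record.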
After disambiguation, Federation Manager must pass one attribute from the user directory record to the SAP Web AS. This attribute identifies a valid SAP Web AS user. Federation Manager passes this attribute in an identity cookie, named the FEDPROFILE cookie. Configure which attribute from the user directory record Federation Manager uses according to the information in SAP Web AS User Identification.
Copyright © 2012 CA. All rights reserved.