

Configure User Identification at the Relying Party

Configure user identification so the relying party has a method of locating a user in the local user directory.

Follow these steps:

Note: Click Help for a description of fields, controls, and their respective requirements.

  1. Select one of the following attributes:
  2. (Optional—SAML 2.0 only) Select Allow IDP to create user identifier.

    This attribute instructs the asserting party to generate a new value for the NameID, if this feature is enabled at the asserting party. The Name ID format configured at the asserting party must be a persistent identifier. This new value for the NameID is included in the assertion that the asserting party returns to the relying party.

  3. Specify an LDAP or ODBC search specification. If both directories are present, configure search specifications for both.
    LDAP Example

    ou=%s,o=ca

    ODBC Example

    name=%s

    In the ODBC search specification field, the value from the user store that replaces the %s in the search string can itself contain an equals sign (=). If the value contains an equals sign, prefix the entry with user=. For example, if the value of ElectronicMail in the user store is CN=catechnologies, enter user=ElectronicMail=%s in the ODBC search specification field. The user= prefix lets the policy engine parse the string correctly, because the first equals sign would otherwise be taken as the separator between the attribute name and the value.

  4. (Optional) Configure the CA SiteMinder® Connector settings:
    1. If CA SiteMinder® Federation Standalone is integrating with an existing SiteMinder deployment, enable the CA SiteMinder® Connector by selecting the check box.
    2. (Optional) Clear the Enforce UserDN and Directory Name Comparison check box so that CA SiteMinder® Federation Standalone or CA SiteMinder® uses a Universal ID to retrieve the user record. The Universal ID lets the two user directories be physically different and of different types; a match on the Universal ID is sufficient to treat the retrieved user record as the correct one.

      Note: If you rely on the Universal ID, each user must have a unique Universal ID. If the Universal IDs are not unique, the system accessing the user record can retrieve the wrong record.

      If you leave the check box selected (the default), CA SiteMinder® Federation Standalone and CA SiteMinder® must use the same physical directory. The name for both of these directories must be the same for user store lookups. The entity authenticating the user compares the information that the user provides against the UserDN and the Directory Name of the user record.

  5. Click Next to continue with partnership configuration.

Employ AllowCreate for User Identification (SAML 2.0)

The SAML 2.0 AllowCreate feature is an optional setting in the User Identification configuration at the SP. Including an AllowCreate attribute in an authentication request lets an Identity Provider create a user identifier for the SP.

An SP can initiate single sign-on by sending an authentication request to the Identity Provider. In that AuthnRequest, the SP can include an attribute named AllowCreate set to true, indicating that it wants to obtain an identity for the user. Upon receiving the AuthnRequest, the Identity Provider generates an assertion. It searches the appropriate user record for the attribute that serves as the Name ID. If no value for the NameID attribute is found, the Identity Provider generates a unique persistent identifier for the NameID, provided that the AllowCreate feature is enabled at the Identity Provider. The Identity Provider then returns the assertion containing the unique identifier to the SP.

You can enable an AllowCreate query parameter to supersede the value of the AllowCreate attribute. Use of a query parameter lets you override the configured AllowCreate setting without deactivating, editing, and reactivating the partnership. The query parameter makes the implementation of the feature more flexible.
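The exchange described in the two preceding paragraphs, as an added example that is not part of the CA SiteMinder documentation: the SP builds an AuthnRequest whose NameIDPolicy carries AllowCreate (with an optional override standing in for the query parameter, whose real name the documentation does not give), and the IdP side looks up the NameID attribute and generates a persistent identifier only when the user record lacks one and both sides permit creation. Function names, the user records and the attribute name persistentId are constructed for illustration.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("samlp", SAMLP)


def build_authn_request(request_id, configured_allow_create, query_override=None):
    """SP side: AuthnRequest whose NameIDPolicy asks for a persistent NameID.
    query_override models the query parameter (name assumed, not from the page)
    that supersedes the configured AllowCreate setting without editing the
    partnership."""
    effective = configured_allow_create if query_override is None else query_override
    root = ET.Element(f"{{{SAMLP}}}AuthnRequest", ID=request_id, Version="2.0")
    ET.SubElement(root, f"{{{SAMLP}}}NameIDPolicy", Format=PERSISTENT,
                  AllowCreate="true" if effective else "false")
    return ET.tostring(root, encoding="unicode")


def resolve_name_id(authn_request_xml, user_record, name_id_attr, idp_allow_create=True):
    """IdP side: return (name_id, created). created is True only when a new
    persistent identifier had to be generated because the user record has no
    value for the attribute serving as the NameID."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    requested = policy is not None and policy.get("AllowCreate") == "true"
    fmt = policy.get("Format") if policy is not None else None
    existing = user_record.get(name_id_attr)
    if existing:
        return existing, False
    # Generate only when the SP asked for it, the IdP has the feature enabled,
    # and the requested format is persistent, as the documentation requires.
    if requested and idp_allow_create and fmt == PERSISTENT:
        return secrets.token_urlsafe(24), True
    raise LookupError(f"user has no {name_id_attr} and AllowCreate is not permitted")


if __name__ == "__main__":
    # Constructed sample records: alice has no persistent identifier yet, bob does.
    alice = {"uid": "alice", "mail": "alice@example.test"}
    bob = {"uid": "bob", "persistentId": "3f1c9a7e-constructed"}
    req = build_authn_request("_req-1", configured_allow_create=True)
    print(resolve_name_id(req, alice, "persistentId"))  # fresh identifier, created=True
    print(resolve_name_id(req, bob, "persistentId"))    # ('3f1c9a7e-constructed', False)
```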