

Configure Local Account Linking (SAML 2.0)

Implementing the local account linking method of provisioning requires configuration at the Identity Provider and Service Provider.

To configure local account linking at the Identity Provider

  1. Access the Partnership wizard and navigate to the Assertion Configuration step.
  2. Configure the required fields in the Name ID group box.

    These fields determine the attribute used for the NameID in the assertion.

    Note: Click Help for a description of fields, controls, and their respective requirements.

  3. Select the Allow Creation of User Identifier check box.
  4. Select the Confirm step in the Partnership wizard and click Finish to save your changes.

Configuration at the Identity Provider is complete.

To configure local account linking at the Service Provider

  1. Access the Partnership wizard and navigate to the User Identification step.
  2. In the Choose Identity Attribute from Assertion group box:
  3. Enter a value for the Search Specification field.

    The Search Specification value is the attribute CA SiteMinder® Federation Standalone uses to look up the user and to store the persistent identifier sent from the IdP. For example, if buyerID should store the value of the NameID, set the string to buyerID=%s.

  4. Navigate to the Application Integration step.
  5. Select Local Account Linking for the Provisioning Type field in the User Provisioning section of the dialog.

    Selecting this option automatically configures the User Not Found URL to the linkaccount.jsp page with a method of POST. This URL is where CA SiteMinder® Federation Standalone redirects the user after the first failed authentication attempt.

  6. (Optional) Customize the linkaccount.jsp file to provide a custom user experience when the user is redirected after a failed authentication attempt. This file must POST the accountlinking and samlresponse parameters back to the Assertion Consumer Service. The accountlinking parameter must be set to yes. The page is in federation_install_dir/secure-proxy/Tomcat/webapps/affwebservices/public.
  7. Select the Confirm step in the Partnership wizard and click Finish to save your changes.
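
A check for step 6, added here as an example and not part of the product or its documentation: it parses the rendered HTML of a customized linkaccount.jsp page and reports whether the form uses POST, targets the Assertion Consumer Service, and carries accountlinking=yes and samlresponse. The ACS URL, the function and class names, and the sample pages are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

REQUIRED = ("accountlinking", "samlresponse")        # parameter names from step 6
ACS_URL = "https://sp.example.com/acs-placeholder"   # assumption: placeholder ACS URL

class FormCollector(HTMLParser):
    """Collect every <form> with its method, action and named <input> fields."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "", "fields": {}}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and a.get("name"):
            self._current["fields"][a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def check_link_page(html, acs_url=ACS_URL):
    """Return a list of problems; an empty list means the form meets step 6."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    forms = [f for f in parser.forms if any(n in f["fields"] for n in REQUIRED)]
    if not forms:
        return ["no form carries accountlinking or samlresponse"]
    problems = []
    for form in forms:
        fields = form["fields"]
        if form["method"] != "post":
            problems.append("form method is %s, must be POST" % form["method"].upper())
        if form["action"] != acs_url:
            problems.append("form action %r is not the ACS URL" % form["action"])
        problems += ["missing parameter " + n for n in REQUIRED if n not in fields]
        if fields.get("accountlinking", "yes") != "yes":
            problems.append("accountlinking must be set to yes")
        if fields.get("samlresponse") == "":
            problems.append("samlresponse is empty")
    return problems

# Constructed sample pages (not taken from the product).
GOOD = ('<form method="POST" action="%s"><input type="hidden" name="accountlinking" value="yes">'
        '<input type="hidden" name="samlresponse" value="CONSTRUCTED_VALUE"></form>' % ACS_URL)
BAD = '<form method="get" action="/other"><input name="accountlinking" value="no"></form>'
```

Run it against the page as served to a test browser session, since the JSP source itself contains server-side tags that an HTML parser does not evaluate.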