Permit the Creation of a Name Identifier for SSO

As part of a single sign-on request, a Service Provider may ask the Identity Provider to include a particular user attribute in the assertion; however, the value of that attribute may not be present in the user record at the Identity Provider.

You can configure the Service Provider to include the Allow/Create attribute in the AuthnRequest messages it sends to the Identity Provider. (In SAML 2.0 this is the AllowCreate attribute of the NameIDPolicy element of the AuthnRequest.) When the Identity Provider receives such a request, this attribute, together with the corresponding feature enabled at the Identity Provider, instructs the Identity Provider to generate a new, unique NameID value if it cannot find the requested attribute in its user store. That value is then included in the assertion returned to the Service Provider.

When the Service Provider receives the assertion, the SAML 2.0 authentication scheme processes the response and looks the user up in the Service Provider's local user store. The user is granted access only if a matching user record is found there.

If the Identity Provider is not configured to create a new identifier, it does not generate one, regardless of whether the AuthnRequest message carries an Allow/Create attribute. In that case the Identity Provider writes an entry to its log files noting that a unique identifier was not created, and assertion generation continues as normal.

For a unique identifier to be generated, the Allow/Create feature must be configured at both sites.
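The two-sided flow described above, as an added example that is not part of this page or of CA's product code: the Service Provider builds an AuthnRequest whose NameIDPolicy carries AllowCreate, the Identity Provider mints a persistent NameID only when both the request flag and its own setting permit it (and logs the case where it does not), and the Service Provider grants access only if the NameID matches a local record. The user-store attribute name persistentId, the entity ID, the logger name and the sample user records are assumptions made for the example.

```python
import logging
import secrets
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces and the standard persistent NameID format.
SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)

log = logging.getLogger("idp")  # assumed logger name

# Hypothetical name of the user-store attribute whose value becomes the NameID.
NAME_ID_ATTR = "persistentId"


def build_authn_request(sp_entity_id, allow_create):
    """Service Provider side: an AuthnRequest whose NameIDPolicy carries
    AllowCreate. Returns the request as an XML string."""
    req = ET.Element(f"{{{SAMLP}}}AuthnRequest",
                     {"ID": "_" + secrets.token_hex(16), "Version": "2.0"})
    ET.SubElement(req, f"{{{SAML}}}Issuer").text = sp_entity_id
    ET.SubElement(req, f"{{{SAMLP}}}NameIDPolicy",
                  {"Format": PERSISTENT,
                   "AllowCreate": "true" if allow_create else "false"})
    return ET.tostring(req, encoding="unicode")


def request_allows_create(authn_request_xml):
    """Identity Provider side: read NameIDPolicy/@AllowCreate. The attribute is
    an xs:boolean, so both "true" and "1" count; absent means false."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find(f"{{{SAMLP}}}NameIDPolicy")
    if policy is None:
        return False
    return policy.get("AllowCreate", "false").strip().lower() in ("true", "1")


def resolve_name_id(idp_store, user, authn_request_xml, idp_allow_create):
    """Identity Provider side: choose the NameID for the assertion.

    Returns (name_id, created). A new value is minted only when BOTH the
    request carries AllowCreate and the IdP feature is enabled; otherwise the
    missing attribute is logged and the flow continues without a NameID."""
    record = idp_store[user]
    value = record.get(NAME_ID_ATTR)
    if value:
        return value, False
    if idp_allow_create and request_allows_create(authn_request_xml):
        value = secrets.token_urlsafe(24)
        record[NAME_ID_ATTR] = value  # persist it so later logins reuse the same NameID
        log.info("created NameID for user %s", user)
        return value, True
    log.warning("no %s for user %s and creation not permitted (idp_allow_create=%s)",
                NAME_ID_ATTR, user, idp_allow_create)
    return None, False


def sp_grant_access(sp_store, name_id):
    """Service Provider side: the authentication scheme looks the NameID up in
    the local user store and grants access only on a match."""
    return name_id is not None and name_id in sp_store


if __name__ == "__main__":
    # Constructed sample stores: alice already has a persistent id, bob does not.
    idp_users = {"alice": {NAME_ID_ATTR: "a1b2c3"}, "bob": {}}
    sp_users = {"a1b2c3": "alice"}
    req = build_authn_request("https://sp.example.com/saml", allow_create=True)
    for user in ("alice", "bob"):
        nid, created = resolve_name_id(idp_users, user, req, idp_allow_create=True)
        print(user, nid, "created" if created else "existing",
              "access" if sp_grant_access(sp_users, nid) else "no local record")
```

Two points the code makes explicit: the Identity Provider writes the generated value back to the user record, so the same user receives the same NameID on later logins; and a value the Identity Provider has just created matches nothing at the Service Provider until a local record has been associated with it, which this page does not cover.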


Copyright © 2010 CA. All rights reserved.