Federation Security Services Guide › Authenticate SAML 2.0 Users at the Service Provider › Configure User Disambiguation for User Look Ups › Configure Disambiguation Locally as Part of the Authentication Scheme › Obtain the LoginID

Obtain the LoginID

You can find the LoginID in two ways:

• Relying on the default behavior, where the LoginID is extracted from the NameID in the assertion. This option requires no configuration.
• Using an Xpath query to find the LoginID in place of the default behavior.

To use an Xpath query to determine the LoginID

1. From the Authentication Scheme Properties dialog, click Additional Configuration.

   The SAML 2.0 Auth Scheme Properties dialog opens.

2. Select the Users tab.

   The Users tab specifies who has access to protected resources at the Service Provider. Access to resources at the Service Provider is based on SiteMinder policies.

3. Enter an Xpath query that the authentication scheme uses to obtain a LoginID.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

   Xpath queries should not contain namespace prefixes. The following is an invalid Xpath query:

   /saml:Response/saml:Assertion/saml:AuthenticationStatement/
   saml:Subject/saml:NameIdentifier/text()
   

   The valid Xpath query is:

   //Response/Assertion/AuthenticationStatement/Subject/
   NameIdentifier/text()
   

4. Click OK to save your configuration changes.