Previous Topic: Create a Custom SAML 2.0 Authentication Scheme (optional)Next Topic: Use a SAML Affiliation to Locate a User Record (Optional)


Look Up User Records for SAML 2.0 Authentication

When you configure an authentication scheme, you define a way for the authentication scheme to look up a user in the local user store. After the correct user is located, the system generates a session for that user. Locating the user in the user store is the process of disambiguation. How Federation Security Services disambiguates a user depends on the configuration of the authentication scheme.

For successful disambiguation, the authentication scheme first determines a LoginID from the assertion. The LoginID is a SiteMinder-specific term that identifies the user. By default, the LoginID is extracted from the Name ID in the assertion. You can also obtain the LoginID using an Xpath query.

After the authentication scheme determines the LoginID, Federation Security Services checks if a search specification is configured for the authentication scheme. If no search specification is defined for the authentication scheme, the LoginID is passed to the Policy Server. The Policy Server uses the LoginID together with the user store search specification to locate the user. For example, the LoginID value is Username and the LDAP search specification is set to the uid attribute. The Policy Server searches for the user based on the uid value (Username=uid).

If you configure a search specification for the authentication scheme, the LoginID is not passed to the Policy Server. Instead, the search specification is used to locate a user.

You can configure user disambiguation in one of two ways:

More Information:

Configure Disambiguation Locally as Part of the Authentication Scheme

Use a SAML Affiliation to Locate a User Record (Optional)