

Configure a Single Use Policy

To configure a single use policy

  1. From the Authentication Scheme Properties dialog box, click Additional Configuration.

    The SAML 2.0 Auth Scheme Properties dialog box opens.

  2. Select the SSO tab.
  3. Select HTTP-Post.

    The Enforce Single Use Policy checkbox is also selected by default.

  4. Enable the session server.

More Information:

Enforcing a Single Use Policy to Enhance Security

Storing User Session, Assertion, and Expiry Data

Permit the Creation of a Name Identifier for SSO

As part of a single sign-on request, a Service Provider can generate an AuthnRequest that includes an attribute named AllowCreate, which is set to true. The Service Provider wants to obtain an identity for the user. Upon receiving the AuthnRequest, the Identity Provider generates an assertion. The Identity Provider searches the appropriate user record for the assertion attribute serving as the Name ID. If the Identity Provider cannot find a value for the NameID attribute, it generates a persistent identifier. The Allow/Create feature enables the creation of the identifier.

The persistent identifier is a randomly generated ID. The Identity Provider uses this identifier as the value of the Name ID attribute and places it in the assertion. The Identity Provider then returns the assertion to the Service Provider. For example, if the NameID attribute is set to telephone and there is no value for telephone in the user record, the NameID is set to the randomly generated identifier.

When the Service Provider receives the assertion, the SAML 2.0 authentication scheme processes the response. The scheme then performs a user lookup in its local user store. If the Service Provider locates the user record, it grants the user access.

Enable the Allow/Create feature at the Identity Provider so that the Identity Provider can generate a unique identifier. The Identity Provider only generates the identifier if the feature is enabled. If the feature is disabled, the Identity Provider writes an entry to its log file stating that a unique identifier was not created, and the normal flow of assertion generation continues.
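The Allow/Create decision described above (read AllowCreate from the NameIDPolicy of the AuthnRequest, use the user record's NameID attribute if present, otherwise generate a random persistent identifier only when the feature is enabled, and log when it is not), as an added example that is not part of the product's code. The sample AuthnRequest and user records are constructed; the function names, the log format, and writing the generated identifier back into the user record are assumptions.

```python
import secrets
import xml.etree.ElementTree as ET

SAMLP_NS = {"samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}

# Constructed sample AuthnRequest from a Service Provider asking for a
# persistent NameID and permitting the IdP to create one (AllowCreate="true").
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    ID="_example-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <samlp:NameIDPolicy
      Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
      AllowCreate="true"/>
</samlp:AuthnRequest>"""


def requests_allow_create(authn_request_xml):
    """Return True if the AuthnRequest's NameIDPolicy carries AllowCreate="true".
    A missing NameIDPolicy or missing attribute defaults to false."""
    root = ET.fromstring(authn_request_xml)
    policy = root.find("samlp:NameIDPolicy", SAMLP_NS)
    if policy is None:
        return False
    return policy.get("AllowCreate", "false").strip().lower() == "true"


def resolve_name_id(user_record, name_id_attr, allow_create_requested, feature_enabled):
    """Identity Provider side: pick the NameID value for the assertion.
    Returns (name_id_or_None, log_lines)."""
    log = []
    value = user_record.get(name_id_attr)
    if value:
        return value, log                      # normal case: attribute has a value
    if allow_create_requested and feature_enabled:
        new_id = secrets.token_urlsafe(24)     # random persistent identifier
        user_record[name_id_attr] = new_id     # assumption: persist for later logins
        log.append(f"AllowCreate: generated persistent identifier for '{name_id_attr}'")
        return new_id, log
    # Feature disabled (or SP did not ask): log it and let normal flow continue.
    log.append(f"AllowCreate: unique identifier not created for '{name_id_attr}'")
    return None, log


def process_authn_request(authn_request_xml, user_record, name_id_attr, feature_enabled):
    """Combine both steps for one incoming request."""
    requested = requests_allow_create(authn_request_xml)
    return resolve_name_id(user_record, name_id_attr, requested, feature_enabled)
```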