Federation Security Services Guide › Configure SiteMinder as a Resource Partner › Configure the WS-Federation Authentication Scheme › Obtain a LoginID for a WS-Federation User

Obtain a LoginID for a WS-Federation User

You can find the LoginID in two ways:

• Relying on the default behavior, where the LoginID is extracted from the NameID in the assertion. This option requires no configuration.
• Using an Xpath query to find the LoginID in place of the default behavior.

To use an Xpath query to locate a user record

1. From the Authentication Scheme Properties dialog, click Additional Configuration.

   The WS-Federation Auth Scheme Properties dialog opens.

2. Select the Users tab.

   The Users tab specifies who has access to protected resources at the Resource Partner. Access to resources at the Resource Partner is based on SiteMinder policies.

3. Enter an Xpath query that the authentication scheme uses to obtain a LoginID.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

   Xpath queries must not contain namespace prefixes. The following example is an invalid Xpath query:

   /saml:Response/saml:Assertion/saml:AuthenticationStatement/
   saml:Subject/saml:NameIdentifier/text()
   

   The valid Xpath query is:

   //Response/Assertion/AuthenticationStatement/Subject/
   

   NameIdentifier/text()

4. Click OK to save your configuration changes.