Federation Security Services Guide › Configure SiteMinder as a SAML 2.0 Service Provider › Look Up User Records for SAML 2.0 Authentication › Configure Disambiguation Locally as Part of the Authentication Scheme › Obtain the LoginID

Obtain the LoginID

You can find the LoginID in two ways:

• Relying on the default behavior, where the LoginID is extracted from the NameID in the assertion. This option requires no configuration.
• Using an Xpath query to find the LoginID in place of the default behavior.

To use an Xpath query to determine the LoginID

1. From the Authentication Scheme Properties dialog, click Additional Configuration.

   The SAML 2.0 Auth Scheme Properties dialog opens.

2. Select the Users tab.

   The Users tab specifies who has access to protected resources at the Service Provider. Access to resources at the Service Provider is based on SiteMinder policies.

3. Enter an Xpath query that the authentication scheme uses to obtain a LoginID.

   Note: Click Help for descriptions of settings and controls, including their respective requirements and limits.

   Xpath queries must not contain namespace prefixes. The following example is an invalid Xpath query:

   /saml:Response/saml:Assertion/saml:AuthenticationStatement/
   saml:Subject/saml:NameIdentifier/text()
   

   The valid Xpath query is:

   //Response/Assertion/AuthenticationStatement/Subject/
   NameIdentifier/text()
   

4. Click OK to save your configuration changes.