When you configure an authentication scheme, you specify how to look up a user in the local user store. After the correct user is located, the system generates a session for that user. Locating the user in the user store is the process of disambiguation. How Federation Security Services disambiguates a user depends on the configuration of the authentication scheme.
The disambiguation process involves two steps.
First, the authentication scheme determines a LoginID from the assertion. The LoginID is a SiteMinder-specific term for the value that identifies the user. By default, the LoginID is extracted from the Name ID value in the assertion; alternatively, you can obtain the LoginID by specifying an XPath query that selects another value from the assertion.
Note: The use of XPath is optional.
Second, after the authentication scheme determines the LoginID, Federation Security Services applies the search specification configured for the authentication scheme. For SAML 1.x deployments, a search specification is required. The LoginID is not passed to the Policy Server on its own. Instead, the search specification, with the LoginID substituted into it (for example, a specification of uid=%s and a LoginID of user1 yield uid=user1), is used to locate the correct user in the user store.
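The two steps above, as an added illustration that is not CA's or SiteMinder's own code: a constructed SAML 1.1 assertion and an in-memory stand-in for the user store are embedded inline, the LoginID is taken from the Name Identifier by default or from a caller-supplied path (an ElementTree path stands in for the XPath query), and the LoginID is substituted into a search specification of the form attr=%s (the %s placeholder is an assumption about the specification syntax). The example also shows the check a practitioner wants at this step: the LoginID is attacker-influenced text from the assertion, so it is escaped per RFC 4515 before it is placed in the filter, and the lookup must return exactly one user, since zero or several matches means the user is not disambiguated.

```python
import re
import xml.etree.ElementTree as ET

SAML1_NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
DEFAULT_LOGINID_PATH = ".//saml:NameIdentifier"  # default: the subject's Name Identifier

# Constructed sample assertion (not a real capture); signature and conditions omitted.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-1" Issuer="idp.example.com">
  <saml:AuthenticationStatement>
    <saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier>alice</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="email" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>alice@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed in-memory stand-in for the local user store.
USER_STORE = [
    {"uid": "alice", "mail": "alice@example.com", "cn": "Alice"},
    {"uid": "bob", "mail": "bob@example.com", "cn": "Bob"},
]


def extract_login_id(assertion_xml, path=None):
    """Step 1: determine the LoginID (Name Identifier by default, or a caller-supplied path)."""
    root = ET.fromstring(assertion_xml)
    node = root.find(path or DEFAULT_LOGINID_PATH, SAML1_NS)
    if node is None or not (node.text or "").strip():
        raise ValueError("assertion carries no usable LoginID at %r" % (path or DEFAULT_LOGINID_PATH))
    return node.text.strip()


def escape_filter_value(value):
    """RFC 4515 escaping so the LoginID is matched literally inside the LDAP filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group(0)), value)


def build_search_filter(search_spec, login_id, escape=True):
    """Step 2: substitute the LoginID into the search specification, e.g. 'uid=%s' -> '(uid=alice)'."""
    value = escape_filter_value(login_id) if escape else login_id
    return "(" + search_spec.replace("%s", value) + ")"


def _value_matches(pattern, text):
    # Minimal LDAP semantics: an unescaped '*' is a wildcard; '\xx' is a literal character.
    parts = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|\*|[^*\\]+", pattern):
        if tok == "*":
            parts.append(".*")
        elif tok.startswith("\\"):
            parts.append(re.escape(chr(int(tok[1:], 16))))
        else:
            parts.append(re.escape(tok))
    return re.fullmatch("".join(parts), text) is not None


def find_users(store, search_filter):
    """Evaluate a simple '(attr=value)' filter against the constructed store."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", search_filter)
    if m is None:
        raise ValueError("unsupported filter: %r" % search_filter)
    attr, pattern = m.group(1), m.group(2)
    return [u for u in store if attr in u and _value_matches(pattern, u[attr])]


def disambiguate(assertion_xml, store, search_spec, path=None, escape=True):
    """Both steps end to end; exactly one user must match or disambiguation fails."""
    login_id = extract_login_id(assertion_xml, path)
    search_filter = build_search_filter(search_spec, login_id, escape)
    matches = find_users(store, search_filter)
    if len(matches) != 1:
        raise LookupError("%d users matched %r; exactly one is required" % (len(matches), search_filter))
    return matches[0]


if __name__ == "__main__":
    # Default LoginID (Name Identifier) with search specification uid=%s.
    print(disambiguate(SAMPLE_ASSERTION, USER_STORE, "uid=%s")["cn"])
    # LoginID taken from the email attribute instead, with search specification mail=%s.
    email_path = ".//saml:Attribute[@AttributeName='email']/saml:AttributeValue"
    print(disambiguate(SAMPLE_ASSERTION, USER_STORE, "mail=%s", path=email_path)["cn"])
```

With escaping turned off, a Name Identifier of `*` produces the filter `(uid=*)`, which matches every user in the store and so fails the exactly-one check; with escaping on, the same assertion produces `(uid=\2a)`, which matches nobody. Either way the login is refused, but only the escaped form guarantees that a crafted identifier cannot widen the search to some other user's entry.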
Copyright © 2011 CA. All rights reserved.