FederationFederation Security Services GuideSAML Affiliations Reference › SAML Affiliation Dialog--Users Tab

Previous Topic: SAML Affiliation Dialog--Name IDs Tab

Next Topic: SAML Service Providers Tab

SAML Affiliation Dialog--Users Tab

For the entity acting only as an Identity Provider, the information on the Users tab is not relevant. You do not have to complete the fields on this tab.

If the entity is acting as an Identity Provider and a Service Provider, then the information on the Users tab is used when this system is acting as a Service Provider. As a Service Provider, it uses the information to obtain information from an incoming SAML 2.0 assertion to locate a user record and authenticate the user.

User Disambiguation Group Box

Xpath Query

Specifies an XPath query that the authentication scheme applies to the assertion to obtain the LoginID.

The default XPath query used when none is configured, is:

/Assertion/Subject/NameID/text()

Example:

To obtain the an attribute called “FirstName” from the assertion for authentication, the XPath query is:

/Assertion/AttributeStatement/Attribute[@Name=”FirstName”]/AttributeValue/text()

To extract the text of first Username element in the SAML assertion, use the abbreviated syntax "//Username/text()"

Namespace

Displays a selectable list of namespace types and defined search specifications from which you can select namespace (user directory) and then define a search specification for user disambiguation.

Edit

Opens the Authentication Scheme Namespace Mapping dialog where you can enter a Search Specification which defines the attribute that the authentication scheme uses to search a namespace in the Namespace list.

SiteMinder Authentication Scheme Namespace Mapping dialog

The Authentication Scheme Namespace Mapping dialog is where you specify the attribute that the authentication scheme uses to search a namespace.

Search Specification

Specifies the attribute that the SAML 2.0 authentication scheme uses to search a namespace. Use %s as the entry representing the LoginID.

For example, the LoginID is user1. If you specify Username=%s in the Search Specification field, the resulting string is Username=user1. This string is checked against the user store to find the correct record for authentication.

More Information:

Specify Users for Disambiguation for SAML Affiliations