SAML 2.0 Auth Scheme Properties Dialog--Users Tab

The Users tab is where you configure how to obtain the user information from a SAML 2.0 assertion and use this information to authenticate a user.

User Disambiguation Group Box

Xpath Query

Specifies an XPath query that the authentication scheme applies to the assertion to obtain the LoginID.

When no query is configured, the default XPath query is:

/Assertion/Subject/NameID/text()

XPath queries must not contain namespace prefixes. The following XPath query is invalid:

/saml:Response/saml:Assertion/saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier/text()

The valid XPath query is:

//Response/Assertion/AuthenticationStatement/Subject/NameIdentifier/text()

Example

To obtain the attribute called "FirstName" from the assertion for authentication, the XPath query is:

/Assertion/AttributeStatement/Attribute[@Name="FirstName"]/AttributeValue/text()

Namespace

Displays a selectable list of namespace types and defined search specifications. Select a namespace (user directory) type from this list and then define a search specification for user disambiguation.

Edit

Opens the Authentication Scheme Namespace Mapping dialog where you can enter a Search Specification which defines the attribute that the authentication scheme uses to search a namespace. Use %s as the entry representing the LoginID.

For example, if the LoginID is user1 and you specify Username=%s in the Search Specification field, the resulting string is Username=user1. This string is checked against the user store to find the correct record for authentication.
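The following added example (not code from the original page or the product) shows the two steps described above: applying a prefix-free XPath query to an assertion to obtain the LoginID, rejecting queries that carry namespace prefixes, and expanding %s in a Search Specification. It uses only the Python standard library, strips namespaces from the parsed assertion so prefix-free queries match, and treats a query that selects zero or more than one node as a failed disambiguation; the assertion text, function names and attribute values are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample SAML 2.0 assertion for this example (not from the original page).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-id" Version="2.0">
  <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

DEFAULT_XPATH = "/Assertion/Subject/NameID/text()"
# A location step such as "/saml:Assertion" means the query carries a namespace prefix.
_PREFIXED_STEP = re.compile(r"(^|/)[A-Za-z_][\w.-]*:[A-Za-z_]")

def _strip_namespaces(root):
    """Rewrite '{uri}local' tags as 'local' so prefix-free queries can match."""
    for el in root.iter():
        if isinstance(el.tag, str) and "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root

def login_id_from_assertion(assertion_xml, xpath=DEFAULT_XPATH):
    """Return the LoginID selected by an absolute, prefix-free XPath ending in /text().
    Returns None when the query matches no node or more than one node (ambiguous user)."""
    if _PREFIXED_STEP.search(xpath):
        raise ValueError("XPath must not contain namespace prefixes: " + xpath)
    if not xpath.endswith("/text()"):
        raise ValueError("XPath must select a text node with /text()")
    steps = xpath[: -len("/text()")]
    root = _strip_namespaces(ET.fromstring(assertion_xml))
    if steps.startswith("//"):
        path = "." + steps                 # descendant search from the document element
    elif steps.startswith("/"):
        first, _, path = steps[1:].partition("/")
        if first != root.tag:              # absolute path must start at the document element
            return None
    else:
        raise ValueError("XPath must be absolute")
    nodes = root.findall(path) if path else [root]
    if len(nodes) != 1 or not (nodes[0].text or "").strip():
        return None
    return nodes[0].text.strip()

def search_specification(spec, login_id):
    """Expand %s in a Search Specification, e.g. 'Username=%s' -> 'Username=user1'."""
    return spec.replace("%s", login_id)

if __name__ == "__main__":
    uid = login_id_from_assertion(SAMPLE_ASSERTION)
    print(uid, search_specification("Username=%s", uid))
```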

SAML Affiliation

(Optional) Specifies a SAML Affiliation for the Identity Provider to join. Select from any configured SAML Affiliation object. If an Affiliation is selected, the remaining controls are dimmed and the Affiliation settings are used instead.

User Disambiguation Group Box

The Authentication Scheme Namespace Mapping dialog box is where you specify the attribute that the authentication scheme uses to search a namespace.

Search Specification

Specifies the attribute that the SAML 2.0 authentication scheme uses to search a namespace. Use %s in the entry as a variable representing the LoginID.