7.3 Configuring User Matching Expressions

One of the user identification methods the Identity Server uses when it receives an assertion is to query the user store for the attributes received in the assertion from the identity provider. You configure user matching expressions to define the logic of that query. You must know which LDAP attributes name the users in the user store and form each user's distinguished name.

In order to use user matching, you must enable the Personal Profile on the identity provider and the service provider. See Section 12.2, Enabling Web Services and Profiles.

  1. In the Administration Console, click Access Manager > Identity Servers > Shared Settings > User Matching Expressions.

  2. Click New, or click the name of an existing user matching expression.

    Name: The name of the user lookup expression.

  3. Click the Add Attributes icon (plus sign), then select attributes to add to the logic group. (Use the Shift key to select several attributes.)

    [Figure: User matching expressions]

  4. Click OK.

  5. To add logic groups, click New Logic Group.

    The Type drop-down (AND or OR) applies only between groups. Attributes within a group are always the opposite of the type selection. For example, if the Type value is AND, the attributes within the group are OR.

  6. Click the Add Attributes icon (plus sign) to add attributes to the next logic group, then click OK.

  7. Click Finish.
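As an added illustration of the AND/OR rule in step 5, the following Python builds an LDAP search filter from a list of logic groups and the attribute values received in an assertion; it is not code from Access Manager, whose internal query form is not shown on this page, and the attribute names and values are constructed examples. Assertion values are escaped per RFC 4515 so they can only match literally, and a group whose required attribute is absent from the assertion is treated as unsatisfiable rather than silently weakened.

```python
from typing import Dict, Optional, Sequence

# Characters that must be escaped inside an LDAP filter value (RFC 4515), so
# a value taken from a SAML assertion can only ever be matched literally.
_ESCAPES = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\0": "\\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def _group_filter(group: Sequence[str], within: str, attrs: Dict[str, str]) -> Optional[str]:
    """Filter for one logic group; None means the group can never match."""
    terms = []
    for name in group:
        if name in attrs:
            terms.append(f"({name}={escape_filter_value(attrs[name])})")
        elif within == "&":
            return None  # an AND group with a missing attribute is unsatisfiable
    if not terms:
        return None  # an OR group with no attribute present is unsatisfiable
    return terms[0] if len(terms) == 1 else f"({within}{''.join(terms)})"


def build_filter(groups: Sequence[Sequence[str]], group_type: str,
                 attrs: Dict[str, str]) -> Optional[str]:
    """Translate logic groups into an LDAP search filter. group_type is the
    Type drop-down value ("AND"/"OR") and applies only BETWEEN groups; attributes
    WITHIN a group use the opposite operator, as step 5 describes. attrs maps
    attribute name -> assertion value. None means no user can match."""
    if group_type not in ("AND", "OR"):
        raise ValueError("Type must be AND or OR")
    between = "&" if group_type == "AND" else "|"
    within = "|" if group_type == "AND" else "&"
    group_filters = []
    for group in groups:
        gf = _group_filter(group, within, attrs)
        if gf is None:
            if between == "&":
                return None  # one unsatisfiable group sinks the whole AND expression
            continue  # under OR, a dead group is simply dropped
        group_filters.append(gf)
    if not group_filters:
        return None
    return group_filters[0] if len(group_filters) == 1 else f"({between}{''.join(group_filters)})"


if __name__ == "__main__":
    # Constructed sample: Type AND between groups, so OR within each group.
    assertion = {"mail": "alice@example.com", "uid": "alice", "employeeNumber": "1234"}
    print(build_filter([["mail", "uid"], ["employeeNumber"]], "AND", assertion))
```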