10.4 Configuring User Identification Methods for SAML 1.1 Trusted Identity Providers

Two methods exist for identifying users from a trusted identity provider. You can specify that no account matching needs to occur, or you can configure a match method. You configure a match method when you want to use attributes from this trusted identity provider to uniquely identify a user.

  1. In the Administration Console, click Access Manager > Identity Servers > Servers > Edit > SAML 1.1 > [Identity Provider] > Access > Authentication.

    (Figure: SAML 1.1 identity provider authentication configuration)
  2. Configure the following options as necessary:

    Do nothing: Specifies that the service provider does not match user accounts. This option allows you to authenticate the session without identifying a user account.

    Match existing user accounts: Authenticates a user by matching a user account. This option requires that you set up the match method. (See Step 3.)

    Satisfies contract: The contract that is satisfied by the assertion received from the identity provider. Because SAML 1.1 does not use contracts but the Identity Server is contract-based, this setting lets you associate a contract with a SAML 1.1 assertion.

    Use caution when assigning the contract to associate with the assertion, because it is possible to imply that authentication has occurred when it has not. For example, if a contract is assigned to the assertion and the contract has two authentication methods (such as one for name/password and another for X.509), the server sending the assertion might have used only name/password, but the service provider might assume that X.509 authentication also took place and then incorrectly assert that to another server.

  3. To configure the match method, click User Matching Method.

    (Figure: SAML 1.1 User Matching Method)
  4. To configure user matching, fill in the following fields:

    Select User Stores to search: Select and order the user stores you want to use in the search.

    User Matching Expression: Set the matching expression as the default, or click New to create a look-up expression.

    (Figure: SAML 1.1 User Matching Expression)

    A user matching expression is a set of logic groups with attributes that uniquely identify a user. User matching expressions enable you to map the Liberty attributes to the correct LDAP attributes during searches. You must know which LDAP attributes name the users in the user store and make up the user's distinguished name.

    In order to use user matching, you must enable the Personal Profile on the identity provider and the service provider. See Section 12.2, Enabling Web Services and Profiles.

  5. Click Finish.

  6. Select the new expression on the User Matching Method page, then click OK.

  7. Click OK on the Authentication page, then click OK on the Trusted Providers page.

  8. Update the Identity Server configuration on the Servers page, as prompted.
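The following is an added illustration, not NetIQ Access Manager code, of how a user matching expression such as the one configured in Step 4 is evaluated: assertion attributes are mapped to LDAP attributes, the ordered user stores are searched in turn, and a match is accepted only when exactly one entry is found. The user stores, the attribute names and the sample assertion values are all constructed for the example; the filter builder escapes assertion values as required by RFC 4515 so that attacker-controlled attribute values cannot alter the search.

```python
# Added illustration (not NetIQ Access Manager code): evaluating a user
# matching expression against ordered user stores. The stores, attribute
# names and assertion values below are constructed for this example.
from typing import Dict, List, Optional

# Constructed stand-in for user stores: DN -> LDAP attributes, searched in order.
USER_STORES: List[Dict[str, Dict[str, str]]] = [
    {"cn=alice,ou=staff,o=example": {"mail": "alice@example.com", "uid": "alice"}},
    {"cn=bob,ou=partners,o=example": {"mail": "bob@example.com", "uid": "bob"},
     "cn=bob2,ou=partners,o=example": {"mail": "bob@example.com", "uid": "bob2"}},
]

# Constructed matching expression (one logic group): LDAP attribute that names
# the user -> attribute name carried in the assertion. All must match (AND).
MATCH_EXPRESSION: Dict[str, str] = {"mail": "EmailAddress", "uid": "UserName"}


def ldap_escape(value: str) -> str:
    """Escape an assertion value for use inside an LDAP filter (RFC 4515)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def build_filter(expression: Dict[str, str], assertion_attrs: Dict[str, str]) -> str:
    """Render the logic group as the AND filter that would be sent to a store."""
    parts = [f"({ldap_attr}={ldap_escape(assertion_attrs[src])})"
             for ldap_attr, src in expression.items()]
    return "(&" + "".join(parts) + ")"


def match_user(expression: Dict[str, str], assertion_attrs: Dict[str, str],
               stores: List[Dict[str, Dict[str, str]]]) -> Optional[str]:
    """Return the DN of the single user matching the expression, or None.

    Fails closed: a missing assertion attribute, zero hits in every store, or
    more than one hit in a store (ambiguous identity) all yield None.
    """
    if any(src not in assertion_attrs for src in expression.values()):
        return None
    for store in stores:  # stores are consulted in the configured order
        hits = [dn for dn, attrs in store.items()
                if all(attrs.get(la) == assertion_attrs[src]
                       for la, src in expression.items())]
        if len(hits) == 1:
            return hits[0]
        if len(hits) > 1:
            return None  # ambiguous match: refuse rather than guess
    return None
```

A matching expression that uses only a non-unique attribute (for example mail alone against the second store above) is rejected as ambiguous, which is why the attributes chosen must uniquely identify a user.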