11.2 Defining User Identification for SAML 1.1

11.2.1 Selecting a User Identification Method for SAML 1.1

Two methods exist for identifying users from an identity provider when using the SAML 1.1 protocol. You can specify that no account matching needs to occur, or you can configure a match method. You configure a match method when you want to use attributes from the identity provider to uniquely identify a user on the service provider.

  1. In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1 > [Identity Provider] > User Identification.

    SAML 1.1 identity provider authentication configuration
  2. In the Satisfies contract option, specify the contract that can be used to satisfy the assertion received from the identity provider. Because SAML 1.1 does not use contracts and because the Identity Server is contract-based, this setting permits an association to be made between a contract and a SAML 1.1 assertion.

    Use caution when assigning the contract to associate with the assertion, because the association can imply that an authentication method was used when it was not. For example, if a contract with two authentication methods (such as one for name/password and another for X.509) is assigned to the assertion, the server sending the assertion might have used only name/password, but the service provider might assume that X.509 also took place and then incorrectly assert that to another server.

  3. Select one of the following options for user identification:

    • Do nothing: Specifies that an identity provider account is not matched with a service provider account. This option allows the user to authenticate the session without identifying a user account on the service provider.

    • Attribute matching: Authenticates a user by matching a user account on the identity provider with an account on the service provider. This option requires that you set up the match method.

      • Prompt for password on successful match: Specifies whether to prompt the user for a password when the user is matched to an account, to ensure that the account matches.

  4. Select one of the following:

  5. Click OK twice.

  6. Update the Identity Server.

11.2.2 Configuring the Attribute Matching Method for SAML 1.1

A user matching expression is a set of logic groups with attributes that uniquely identify a user. User matching expressions enable you to map the Liberty attributes to the correct LDAP attributes during searches. You must know the LDAP attributes that can be used to identify unique users in the user store.

User matching requires the Personal Profile, which is enabled by default; if you have disabled it, enable it again. See Section 13.2, Managing Web Services and Profiles.

  1. In the Administration Console, click Devices > Identity Servers > Servers > Edit > SAML 1.1 > [Identity Provider] > User Identification.

  2. To configure the match method, click Attribute Matching settings.

    SAML 1.1 User Matching Method
  3. To configure user matching, fill in the following fields:

    Select User Stores to search: Select and order the user stores you want to use in the search.

    User Matching Expression: Select a matching expression, or click New User Matching Expression to create one.

    SAML 1.1 User Matching Expression
    1. In the Name option, specify a name for the matching expression.

    2. Click the Add Attributes icon, then select an attribute.

      The Personal Profile attributes are listed first, then the LDAP attributes.

    3. (Conditional) To add more attributes, click the Add Attributes icon.

    4. Click Finish.

    5. Select the new expression on the User Method Matching page, then click OK.

  4. Click OK twice.

  5. Update the Identity Server.
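The two security-relevant points of this section, the contract caveat in Section 11.2.1 (a contract must not be treated as satisfied by an assertion whose authentication method does not cover it) and the requirement in Section 11.2.2 that a matching expression identify exactly one user across the ordered user stores, are illustrated by the following added example. It is not Access Manager code and does not use its API: the `Contract` and `UserStore` classes, the matching-expression shape (a list of SAML-attribute/LDAP-attribute pairs that must all match), the sample assertion and the sample directory entries are all constructed for this illustration. Only the SAML 1.1 namespace and the two authentication-method URIs come from the SAML 1.1 specification.

```python
"""Added example (not the product's code): a minimal SAML 1.1 consumer-side
check for (1) whether an assertion's AuthenticationMethod actually covers the
contract associated with it, and (2) attribute matching that accepts only an
unambiguous hit across ordered user stores."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}

# Authentication-method URIs defined by SAML 1.1 core.
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_X509 = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"


@dataclass
class Contract:                      # hypothetical model of a contract
    name: str
    required_methods: frozenset      # every method the contract claims took place


@dataclass
class UserStore:                     # hypothetical model of one LDAP user store
    name: str
    entries: list                    # list of dicts: LDAP attribute -> value


def parse_assertion(xml_text):
    """Return (authentication_method, {AttributeName: [values]}) from a SAML 1.1 assertion."""
    root = ET.fromstring(xml_text)
    auth = root.find("saml:AuthenticationStatement", NS)
    method = auth.get("AuthenticationMethod") if auth is not None else None
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("AttributeName")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return method, attrs


def contract_satisfied(contract, method):
    """True only if the single asserted method covers every method the contract requires.
    A contract that lists password AND X.509 is therefore never satisfied by a
    password-only assertion, which is the caveat from Section 11.2.1."""
    return method is not None and contract.required_methods <= {method}


def match_user(attrs, expression, stores, confirm=None):
    """Search the stores in order; every (saml_attr, ldap_attr) pair in the
    expression must match. Exactly one hit in a store is a match; more than one
    is ambiguous and is refused rather than resolved by picking the first entry.
    `confirm` models the 'Prompt for password on successful match' option."""
    for store in stores:
        hits = [e for e in store.entries
                if all(attrs.get(s, [None])[0] == e.get(l) for s, l in expression)]
        if len(hits) > 1:
            return {"status": "ambiguous", "store": store.name, "entry": None}
        if len(hits) == 1:
            if confirm is not None and not confirm(hits[0]):
                return {"status": "confirm-failed", "store": store.name, "entry": None}
            return {"status": "matched", "store": store.name, "entry": hits[0]}
    return {"status": "no-match", "store": None, "entry": None}


# Constructed sample assertion: password authentication, two attributes.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example"
    Issuer="https://idp.example.invalid" IssueInstant="2000-01-01T00:00:00Z">
  <saml:AuthenticationStatement AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2000-01-01T00:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
  <saml:AttributeStatement>
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
    <saml:Attribute AttributeName="mail" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>alice@example.invalid</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute AttributeName="employeeNumber" AttributeNamespace="urn:example:attrs">
      <saml:AttributeValue>1001</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed user stores; "employees" contains a stale duplicate of Alice's mail.
STORES = [
    UserStore("employees", [
        {"mail": "alice@example.invalid", "employeeNumber": "1001", "cn": "alice"},
        {"mail": "alice@example.invalid", "employeeNumber": "0420", "cn": "alice-old"},
        {"mail": "bob@example.invalid", "employeeNumber": "1002", "cn": "bob"},
    ]),
    UserStore("contractors", [
        {"mail": "carol@example.invalid", "employeeNumber": "C-7", "cn": "carol"},
    ]),
]

if __name__ == "__main__":
    method, attrs = parse_assertion(SAMPLE_ASSERTION)
    print("password-only contract satisfied:",
          contract_satisfied(Contract("pw", frozenset({AM_PASSWORD})), method))
    print("password+X.509 contract satisfied:",
          contract_satisfied(Contract("pw+x509", frozenset({AM_PASSWORD, AM_X509})), method))
    print("mail only:", match_user(attrs, [("mail", "mail")], STORES)["status"])
    print("mail + employeeNumber:",
          match_user(attrs, [("mail", "mail"), ("employeeNumber", "employeeNumber")], STORES))
```

Run stand-alone, the script shows that the same password assertion satisfies a password-only contract but not one that also lists X.509, and that a mail-only expression is refused as ambiguous while adding employeeNumber resolves to the single intended entry. The `ambiguous` outcome is deliberate: silently taking the first of several hits is how a weak expression turns into a login to someone else's account, so the expression you configure in step 3 should use attributes that are unique in the user store.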