One of the user identification methods the Identity Server uses when an assertion is received is to query the user store based on attributes received in the assertion from the identity provider. You configure user matching expressions to define the logic of the query. You must know the LDAP attributes that are used to name the users in the user store and create the user’s distinguished name.
In order to use user matching, you must enable the Personal Profile on the identity provider and the service provider. See Section 12.2, Enabling Web Services and Profiles.
1. In the Administration Console, click > > > .
2. Click , or click the name of an existing user matching expression.
3. Name: The name of the user lookup expression.
4. Click the icon (plus sign), then select attributes to add to the logic group. (Use the Shift key to select several attributes.)
5. Click .
6. To add logic groups, click .
7. The drop-down (AND or OR) applies only between groups. Attributes within a group are always the opposite of the type selection. For example, if the value is AND, the attributes within the group are OR.
8. Click the icon (plus sign) to add attributes to the next logic group, then click .
9. Click .
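The following is an added illustration of the logic described in the steps above; it is not Identity Server code and does not reproduce the product's query engine. It models a user matching expression as a list of logic groups, each holding (attribute, value) pairs taken from the assertion, renders the expression as an LDAP search filter, and evaluates it against a constructed sample user store. The type selection (AND or OR) is applied between groups and the opposite operator within each group, exactly as the documentation states. The attribute names, DNs and assertion values are assumptions made up for the example; the escaping applied to assertion values before they are placed in the filter is the RFC 4515 rule, included because a value that arrives from an identity provider should never be able to change the shape of the query.

```python
"""Added example: user matching expression logic (not Identity Server code).

Groups are combined with the selected type (AND or OR) *between* groups;
*within* a group the opposite operator applies, as the documentation says.
"""

# RFC 4515 escaping for values placed into an LDAP search filter, so that an
# attribute value received in an assertion cannot alter the query structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def _operators(between: str):
    """Map the type selection to the outer (between groups) and inner
    (within a group) LDAP filter operators."""
    between = between.upper()
    if between not in ("AND", "OR"):
        raise ValueError("type selection must be AND or OR")
    outer = "&" if between == "AND" else "|"
    inner = "|" if between == "AND" else "&"  # within a group: the opposite
    return between, outer, inner


def build_filter(groups, between="AND"):
    """Render logic groups as an LDAP filter string.

    groups: list of logic groups; each group is a list of (attribute, value)
    pairs whose value came from the assertion.
    """
    _, outer, inner = _operators(between)
    rendered = []
    for group in groups:
        terms = "".join(f"({attr}={escape_filter_value(val)})" for attr, val in group)
        rendered.append(terms if len(group) == 1 else f"({inner}{terms})")
    return rendered[0] if len(rendered) == 1 else f"({outer}{''.join(rendered)})"


def matches(entry, groups, between="AND"):
    """Evaluate the same expression against one directory entry (a dict)."""
    between, _, _ = _operators(between)

    def attr_equals(attr, val):
        stored = entry.get(attr, [])
        if isinstance(stored, str):
            stored = [stored]
        # Case-insensitive equality; a simplification of LDAP matching rules.
        return any(s.lower() == val.lower() for s in stored)

    def group_ok(group):
        checks = [attr_equals(a, v) for a, v in group]
        return any(checks) if between == "AND" else all(checks)

    results = [group_ok(g) for g in groups]
    return all(results) if between == "AND" else any(results)


# Constructed sample user store; attribute names and values are illustrative.
SAMPLE_DIRECTORY = [
    {"dn": "cn=alice,ou=users,o=example", "mail": "alice@example.com",
     "uid": "alice", "employeeNumber": "1001"},
    {"dn": "cn=bob,ou=users,o=example", "mail": "bob@example.com",
     "uid": "bob", "employeeNumber": "1002"},
    {"dn": "cn=asmith,ou=users,o=example", "mail": "a.smith@example.com",
     "uid": "alice", "employeeNumber": "1003"},
]


def find_matches(groups, between="AND", directory=SAMPLE_DIRECTORY):
    """Return the DNs of every entry the expression matches."""
    return [e["dn"] for e in directory if matches(e, groups, between)]


def resolve_user(groups, between="AND", directory=SAMPLE_DIRECTORY):
    """Return the single matching DN, None if nobody matches, and raise when
    the expression is ambiguous (more than one entry matches)."""
    hits = find_matches(groups, between, directory)
    if len(hits) > 1:
        raise LookupError(f"ambiguous user match: {hits}")
    return hits[0] if hits else None


if __name__ == "__main__":
    # Values as they might arrive in an assertion (constructed).
    groups = [[("mail", "alice@example.com"), ("uid", "alice")],
              [("employeeNumber", "1003")]]
    for between in ("AND", "OR"):
        print(between, build_filter(groups, between))
        try:
            print("  ->", resolve_user(groups, between))
        except LookupError as exc:
            print("  ->", exc)
```

Running the script with the constructed assertion values shows why the inversion rule matters: with the type set to AND, the first group is satisfied by either mail or uid, so both alice and asmith pass it, and the employeeNumber group narrows the result to asmith alone; with the type set to OR, the first group requires both mail and uid (alice) and the second group independently matches asmith, so the expression is ambiguous. A matching expression that can return more than one entry should be treated as a configuration error, since the identity provider's assertion would then map to more than one local account.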