When a service provider receives an assertion from a trusted identity provider, the service provider tries to identify the user. The service provider can be configured to take one of the following actions:
Accept that the assertion contains a valid user and authenticate the user locally with a temporary identity and account. As soon as the user logs out, the account and identity are destroyed.
Use the attributes in the assertion to match a user in the local user store. When you want the service provider to take this action, you need to create a user matching expression.
Use the attributes in the assertion to match a user in the local user store and when the match fails, create an account (called provisioning) for the user in the local user store of the service provider. When you want the service provider to take this action, you need to create a user matching expression.
The user matching expression is used to format a query to the user store based on attributes received in the assertion from the identity provider. This query must return a match for one user.
If the query returns a match for multiple users, the request fails and the user is denied access.
If the query fails to find a match and you have selected provisioning, the service provider uses the attributes to create an account for this user in its user store. If you haven’t selected provisioning, the request fails and the user is denied access.
The user matching expression defines the logic of the query. You must know the LDAP attributes that are used to name the users in the user store in order to create the user’s distinguished name and uniquely identify the users.
For example, if the service provider user store uses the email attribute to identify users, the identity provider should be configured to send the email attribute. The service provider would use this attribute in a user matching expression to find the user in the user store. If a match is found, the user is granted access. If the user is not found, that attribute can be used to create an account for the user. The assertion must contain all the attributes that the user store requires to create an account.
To create a user matching expression:

1. In the Administration Console, click > > > .
2. Click , or click the name of an existing user matching expression.
3. Specify a name for the user lookup expression.
4. Click the icon (plus sign), then select attributes to add to the logic group. (Use the Shift key to select several attributes.)
5. Click .
6. To add logic groups, click .
7. The drop-down (AND or OR) applies only between groups. Attributes within a group are always the opposite of the type selection. For example, if the value is AND, the attributes within the group are OR.
8. Click the icon (plus sign) to add attributes to the next logic group, then click .
9. Click .
10. (Conditional) If you selected attributes from the Custom, Employee, or Personal profile, you need to enable the profile so that the attribute can be shared:
    a. Click > > > .
    b. Select the profiles that need to be enabled, then click .
11. Click , then update the Identity Server.
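The following is an added illustration, not the product's own code, of how the matching described above behaves: the filter an expression implies (with the between-groups operator inverted inside each group, as in step 7), the exactly-one-match rule, and the provisioning fallback. The user store, distinguished names and the `cn` naming attribute are constructed for the example; assertion values are escaped per RFC 4515 before they enter the filter, since they originate outside the service provider.

```python
# Constructed sample user store (hypothetical DNs and values): DN -> attributes.
USER_STORE = {
    "cn=alice,ou=users,o=example": {"cn": "alice", "mail": "alice@example.com"},
    "cn=bob,ou=users,o=example": {"cn": "bob", "mail": "bob@example.com"},
    "cn=robert,ou=users,o=example": {"cn": "robert", "mail": "bob@example.com"},
}

def escape(value):
    """RFC 4515 filter escaping: assertion values come from the identity
    provider, so they must not be able to change the filter's structure."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\0" else c for c in str(value))

def build_filter(groups, group_op, assertion):
    """Render the LDAP filter the expression implies. group_op (AND/OR) joins
    the groups; attributes inside a group use the opposite operator."""
    outer, inner = ("&", "|") if group_op == "AND" else ("|", "&")
    rendered = []
    for attrs in groups:
        terms = "".join(f"({a}={escape(assertion.get(a, ''))})" for a in attrs)
        rendered.append(f"({inner}{terms})" if len(attrs) > 1 else terms)
    return f"({outer}{''.join(rendered)})" if len(rendered) > 1 else rendered[0]

def resolve(groups, group_op, assertion, store, provisioning=False):
    """Evaluate the expression against an in-memory store and return
    (outcome, dn): exactly one hit matches, several deny, none provisions
    when enabled and the assertion carries the naming attribute, else denies."""
    in_group = any if group_op == "AND" else all      # inverted inside a group
    across = all if group_op == "AND" else any
    def hit(entry):
        return across(in_group(a in assertion and entry.get(a) == assertion[a]
                               for a in attrs) for attrs in groups)
    hits = [dn for dn, entry in store.items() if hit(entry)]
    if len(hits) == 1:
        return "match", hits[0]
    if len(hits) > 1:
        return "deny-ambiguous", None
    if not provisioning:
        return "deny-no-match", None
    if "cn" not in assertion:   # store needs the naming attribute to build a DN
        return "deny-incomplete", None
    dn = f"cn={assertion['cn']},ou=users,o=example"   # real code: RFC 4514 escaping
    store[dn] = dict(assertion)
    return "provisioned", dn

if __name__ == "__main__":
    expr = [["mail", "cn"], ["uid"]]
    print(build_filter(expr, "AND", {"mail": "a*b@example.com", "cn": "x", "uid": "u"}))
    print(resolve([["mail"]], "AND", {"mail": "bob@example.com"}, dict(USER_STORE)))
```

Running it shows the two ambiguous `bob@example.com` entries being denied rather than matched, which is why the naming attribute chosen for the expression must be unique in the store.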