Federated Identity Provider Users and Groups

In an identity bridging configuration, the federated users, groups, and virtual groups added to the Federated Identity Provider (FIP) serve to authorize corresponding users, groups, or credential patterns in other trust domains. Each FIP can contain zero or more federated users, groups and/or virtual groups.
Federated Users
A federated user contains a number of attributes relating to users in other trust domains, including:
  • A DN (distinguished name). The subject of the signed certificate in an incoming request must exactly match the DN of the federated user.
  • A login that may be found in the NameIdentifier of an incoming SAML assertion with the “windowsDomain” format. (SAML credential source only; see Workflow Using SAML.)
  • An email address, if applicable, that may be found in the NameIdentifier of an incoming SAML assertion with the “emailAddress” format. (SAML credential source only; see Workflow Using SAML.)
  • An X.509 certificate that may be found in an incoming WS-Security X.509 BinarySecurityToken or HTTPS client certificate. (The certificate must be self-signed or otherwise explicitly trusted; see Workflow Using an X.509 Certificate.)
Only request credentials that exactly match the federated user's DN and other attributes pass the corresponding user assertion required to gain web service access.
Federated Groups
Federated groups allow administrators to organize federated users into groups that have local relevance.
Federated Virtual Groups
A federated virtual group is a pattern that incoming request credentials must match. The pattern may include:
  • The subject of a signed certificate.
  • A regular expression describing a pattern that the NameIdentifier value in incoming SAML tokens (with the corresponding NameIdentifier format) must match. (SAML credential source only; see Workflow Using SAML.)
  • A set of attribute names and values that must be present in incoming SAML tokens that have an AttributeStatement. The allowable attribute names must have been previously registered with the FIP. (SAML credential source only; see Workflow Using SAML.)
Virtual groups allow authorization of users who are not explicitly defined in the Federated Identity Provider by matching the attributes of the users' credentials. Users authorized in this manner are known as federated virtual users. Virtual groups can also include users explicitly defined in the Federated Identity Provider, though such users are not virtual.
In order to authorize users in a virtual group, a Federated Identity Provider (FIP) must contain the CA root certificate of the issuer of the certificates belonging to the identities in the virtual group. See Add a New Certificate for information on adding a certificate to the trust store.
Federated Virtual Users
A federated virtual user is someone who is authenticated as a member of a federated virtual group by matching attributes of the user's credentials, or someone who is authenticated against the FIP, but whose credentials do not match those of any user explicitly defined in the FIP. Virtual users are not explicitly defined in the Federated Identity Provider (FIP) and will not appear when searching the provider.
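The matching rules for federated users, virtual groups and virtual users described above, as an added Python model (not the gateway's own code or API): it covers the SAML credential source only, treats the signing-certificate DN check as mandatory before an explicit user's login or email is compared, applies the trusted-CA requirement to virtual-group matching as the Virtual Groups section states, and uses hypothetical types with constructed values.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed, simplified model of FIP matching (hypothetical types, not the gateway's own API).
@dataclass
class FederatedUser:
    dn: str                          # subject DN that an incoming signing certificate must equal
    login: Optional[str] = None      # compared with a "windowsDomain" NameIdentifier
    email: Optional[str] = None      # compared with an "emailAddress" NameIdentifier
@dataclass
class VirtualGroup:
    name: str
    name_id_format: str              # NameIdentifier format the pattern applies to
    name_id_pattern: str             # regex the NameIdentifier value must match in full
    attrs: Dict[str, str] = field(default_factory=dict)  # required AttributeStatement values
@dataclass
class Fip:
    users: List[FederatedUser]
    groups: List[VirtualGroup]
    trusted_cas: Set[str]            # CA root certificates (by subject DN) in the FIP trust store
    registered_attrs: Set[str]       # SAML attribute names registered with the FIP
@dataclass
class SamlCredential:                # what has been extracted from one signed assertion
    subject_dn: str                  # subject of the certificate that signed the assertion
    name_id_format: str
    name_id: str
    issuer_ca: str                   # CA that issued that certificate
    attrs: Dict[str, str] = field(default_factory=dict)

def authorize(fip: Fip, cred: SamlCredential) -> Optional[Tuple[str, str]]:
    """('user', dn) for an explicit federated user, ('virtual', group) for a virtual user, else None."""
    for u in fip.users:
        if cred.subject_dn != u.dn:
            continue                 # exact DN match is mandatory before login/email are compared
        if cred.name_id_format == "windowsDomain" and cred.name_id == u.login:
            return ("user", u.dn)
        if cred.name_id_format == "emailAddress" and cred.name_id == u.email:
            return ("user", u.dn)
    if cred.issuer_ca not in fip.trusted_cas:
        return None                  # virtual groups require the issuer's CA root in the FIP
    for g in fip.groups:
        if g.name_id_format != cred.name_id_format or not re.fullmatch(g.name_id_pattern, cred.name_id):
            continue                 # wrong NameIdentifier format, or value outside the pattern
        if not set(g.attrs) <= fip.registered_attrs:
            continue                 # unregistered attribute names can never be satisfied
        if all(cred.attrs.get(k) == v for k, v in g.attrs.items()):
            return ("virtual", g.name)
    return None
```

Because `re.fullmatch` is used, a NameIdentifier that merely contains the pattern as a prefix (for example an email with extra domain labels appended) is rejected, which is the behaviour a practitioner should verify when testing a virtual group pattern.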