SAML 2.0 Authentication Scheme--General Settings

The General settings for the SAML 2.0 authentication scheme determine how the Service Provider communicates with the Identity Provider to retrieve the assertion.
The fields on this page are:
  • SP ID
    Specifies a URI that uniquely identifies the Service Provider.
    Enter a value that matches the value of the ID specified for the corresponding Service Provider object, which is configured at the Identity Provider.
  • SAML Version
    Specifies the SAML version (disabled; the value defaults to 2.0, indicating that assertions sent to this IdP ID must be compliant with SAML version 2.0).
  • IdP ID
    Specifies a URI that uniquely identifies the Identity Provider from which assertions for this Service Provider are issued.
    The Service Provider accepts assertions from only this IdP.
    The value that you enter for the issuer must match the value of the IdP ID configured at the Identity Provider site.
  • Skew Time Second(s)
    Determines the number of seconds to subtract from the current time. This calculation accounts for Service Providers with clocks that are not synchronized with the Policy Server acting as the Identity Provider.
User Disambiguation
The User Disambiguation section is where you configure how to obtain the user information from a SAML 2.0 assertion. The consumer uses this information to authenticate a user.
  • Xpath Query
    Specifies an XPath query. The XPath query tells the authentication scheme where in the assertion to locate a specific entry, which then serves as the user login ID. The value that the query obtains becomes part of the search specification to look up a user store entry.
    If you do not specify a query, the default XPath query is:
    /Assertion/Subject/NameID/text()
    XPath queries must not contain namespace prefixes. The following example is an invalid XPath query:
    /saml:Response/saml:Assertion/saml:AuthenticationStatement/saml:Subject/saml:NameIdentifier/text()
    The valid XPath query is:
    //Response/Assertion/AuthenticationStatement/Subject/NameIdentifier/text()
    Example
    To obtain the attribute "FirstName" from the assertion, the XPath query is:
    /Assertion/AttributeStatement/Attribute[@Name="FirstName"]/AttributeValue/text()
  • Active
    Indicates whether the legacy federation configuration is in use for a particular partnership. If the Policy Server is using the legacy federation configuration, confirm that this check box is selected. If you have recreated a federated partnership with similar values for identity settings, such as source ID, clear this check box before activating the federated partnership. CA Single Sign-On cannot work with a legacy configuration and a partnership configuration that use the same identity values, or a name collision occurs.
  • User Lookup
    Displays namespace types where you can enter a search specification for locating a user record in a user directory.
    Enter a search specification for the user store type you are using. The search specification combines a user store attribute and the value that the XPath query identifies. The authentication scheme uses the search specification to locate a user record in the user store.
    Use %s to represent the login ID value.
    For example, the login ID is user1. If you specify Username=%s in the Search Specification field, the resulting string is Username=user1. This string is compared against a record in the user directory to find the correct record for authentication.
    You can also specify filters with multiple %s variables. For example (where <domain> stands for the e-mail domain of the user store):
    |(uid=%s)(email=%s@<domain>)
    |(abcAliasName=%s)(cn=%s)
    The results would be:
    |(uid=user1)(email=user1@<domain>)
    |(abcAliasName=user1)(cn=user1)
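    The following added example (not code from the product or its documentation) shows the two steps the Xpath Query and User Lookup fields describe: evaluating a prefix-free query against a namespaced SAML 2.0 assertion, then substituting the resulting login ID for every %s in a search specification. The sample assertion is constructed, and the RFC 4515 escaping of the login ID before substitution is an assumption added here for defence against filter injection; the page does not say whether the product escapes that value.

```python
import xml.etree.ElementTree as ET

# Constructed sample assertion (not from a real IdP); the saml: prefix is
# what the scheme's prefix-free XPath queries have to navigate.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c1">
  <saml:Issuer>https://idp.example.invalid/idp</saml:Issuer>
  <saml:Subject><saml:NameID>user1</saml:NameID></saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName"><saml:AttributeValue>Ana</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

DEFAULT_QUERY = "/Assertion/Subject/NameID/text()"

def run_query(assertion_xml, query=DEFAULT_QUERY):
    """Evaluate an absolute, prefix-free '/.../text()' query the way the
    Xpath Query field expects it: namespaces are ignored entirely."""
    steps = query.strip().lstrip("/").split("/")
    if any(":" in step.split("[", 1)[0] for step in steps):
        raise ValueError("XPath query must not contain namespace prefixes")
    if steps[-1] != "text()":
        raise ValueError("query must end in text() to yield a login ID")
    root = ET.fromstring(assertion_xml)
    for elem in root.iter():                      # drop '{uri}' from every tag
        elem.tag = elem.tag.rsplit("}", 1)[-1]
    if steps[0] != root.tag:
        return None
    # ElementTree handles the remaining steps, including [@Name="..."]
    node = root.find("." + "".join("/" + s for s in steps[1:-1]))
    return node.text if node is not None else None

# RFC 4515 filter escapes (assumption: applied here defensively, because the
# login ID comes from the assertion and lands inside an LDAP filter).
_LDAP_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}

def escape_ldap_value(value):
    return "".join(_LDAP_ESCAPES.get(ch, ch) for ch in value)

def build_search_spec(spec, login_id):
    """Replace every %s in the User Lookup search specification with the
    escaped login ID: '|(uid=%s)(cn=%s)' becomes '|(uid=user1)(cn=user1)'."""
    return spec.replace("%s", escape_ldap_value(login_id))

if __name__ == "__main__":
    login_id = run_query(SAMPLE_ASSERTION)
    print(login_id, build_search_spec("|(abcAliasName=%s)(cn=%s)", login_id))
```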
  • SAML Affiliation
    (Optional) Specifies a SAML Affiliation for the Identity Provider to join. Select from any configured SAML Affiliation object. If an Affiliation is selected, the remaining controls are dimmed and the Affiliation settings are used instead.