SAML Affiliation Dialog

casso127
The SAML Affiliation dialog is where you configure a SAML affiliation. A SAML affiliation is a group of SAML entities that share a name identifier for a single principal, typically a user.
Note:
Configuring affiliations is optional.
The affiliations dialog has the following sections:
SAML Affiliation General Settings
The General section of the affiliations dialog contains the following fields:
  • Name
    Names the affiliation. The name must be unique across all affiliate domains.
  • Affiliation ID
    Specifies a URI that uniquely identifies the affiliation. In SAML 2.0, a name identifier shared by an affiliation is qualified by this affiliation ID (the SPNameQualifier of the NameID) rather than by an individual Service Provider's entity ID, so the value must be agreed on by every member.
  • Description
    (Optional) Describes the affiliation.
  • SAML Version
    Specifies the SAML version. Indicates that assertions sent to members of the affiliation must be compliant with SAML version 2.0.
    Default:
    2.0
SAML Affiliation Users Settings
The Users section of the affiliations dialog lets you configure users or groups of users for the Service Providers in an affiliation. Configured users can be authenticated for access to Service Provider resources; the assertion generator can create SAML assertions that include entitlement information for these users.
If the entity is a Service Provider, the user information enables the Service Provider to obtain information from an assertion to locate a user record. After the user record is located, the Service Provider can authenticate the user.
For an entity acting only as an Identity Provider, the Users settings are not relevant. You do not have to complete the fields.
  • Xpath Query
    Specifies an XPath query that the authentication scheme applies to the assertion to obtain the LoginID.
    The default XPath query, used when none is configured, is:
    /Assertion/Subject/NameID/text()
    Example:
    To obtain the attribute "FirstName" from the assertion for authentication, the XPath query is:
    /Assertion/AttributeStatement/Attribute[@Name="FirstName"]/AttributeValue/text()
    To extract the text of the first Username element in the SAML assertion, use the abbreviated syntax "//Username/text()". Note that "//" selects the first element with that name anywhere in the assertion, wherever it sits; when the element's location is known, prefer an absolute path so that the query cannot be satisfied by an element in an unexpected position.
  • Namespace Specification
    Displays a selectable list of namespace types. Define a search specification for a given namespace (user directory). The search specification defines the attribute that the authentication scheme uses to search a namespace. Use %s as the entry representing the LoginID.
    For example, the LoginID is user1. If you specify Username=%s in the Search Specification field, the resulting string is Username=user1. This string is compared against the user store to find the correct record for authentication.
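The following is an added example for the Users settings above; it is illustration code written for this page, not the product's own evaluator. It applies the three XPath queries shown above to a constructed SAML 2.0 assertion to obtain the LoginID, then expands a %s search specification. It assumes that namespaces are ignored when the prefix-less queries are matched and supports only the query shapes on this page (absolute from /Assertion, or abbreviated //), because xml.etree evaluates a subset of XPath. The RFC 4515 escaping of the LoginID before substitution is this example's own hardening step, not documented product behavior.

```python
"""Added example: apply the dialog's XPath queries to a constructed SAML 2.0
assertion to obtain the LoginID, then expand a %s search specification.

Illustration code for this page, not the product's own evaluator. Assumes
namespaces are ignored when prefix-less queries are matched, and supports
only the query shapes shown on the page (xml.etree evaluates an XPath subset)."""
import xml.etree.ElementTree as ET

# Constructed sample assertion; not captured from a real deployment.
SAMPLE_ASSERTION = """<?xml version="1.0"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_a1b2c3" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
        SPNameQualifier="https://affiliation.example.com/sales">user1@example.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="FirstName">
      <saml:AttributeValue>Alice</saml:AttributeValue>
    </saml:Attribute>
    <saml:Attribute Name="Account">
      <saml:AttributeValue>
        <acme:Username xmlns:acme="urn:example:acme">user1</acme:Username>
      </saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
"""

DEFAULT_QUERY = "/Assertion/Subject/NameID/text()"


def _strip_namespaces(root):
    """Drop namespace URIs from element tags so prefix-less queries match."""
    for elem in root.iter():
        if "}" in elem.tag:
            elem.tag = elem.tag.split("}", 1)[1]


def _to_etree_path(query):
    """Translate the dialog's XPath string into xml.etree's path subset."""
    if not query.endswith("/text()"):
        raise ValueError("query must select text(): %r" % query)
    body = query[: -len("/text()")]
    if body.startswith("/Assertion/"):
        # Absolute path: the parsed root is the Assertion itself.
        return "./" + body[len("/Assertion/"):]
    if body.startswith("//"):
        # Abbreviated syntax: first element with this name, anywhere below the root.
        return "." + body
    raise ValueError("unsupported query shape: %r" % query)


def extract_login_id(assertion_xml, query=DEFAULT_QUERY):
    """Return the LoginID selected by query, or None when nothing matches."""
    root = ET.fromstring(assertion_xml)
    _strip_namespaces(root)
    node = root.find(_to_etree_path(query))
    if node is None or not (node.text and node.text.strip()):
        return None
    return node.text.strip()


# RFC 4515 escapes for the characters that would alter an LDAP filter.
# Escaping is this example's own hardening step, not documented product behavior.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value):
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_spec(search_spec, login_id):
    """Replace %s in the Search Specification with the escaped LoginID."""
    if "%s" not in search_spec:
        raise ValueError("search specification has no %s placeholder")
    return search_spec.replace("%s", escape_filter_value(login_id))


if __name__ == "__main__":
    for query in (
        DEFAULT_QUERY,
        '/Assertion/AttributeStatement/Attribute[@Name="FirstName"]/AttributeValue/text()',
        "//Username/text()",
    ):
        login_id = extract_login_id(SAMPLE_ASSERTION, query)
        print(query, "->", login_id, "->", build_search_spec("Username=%s", login_id))
```

Running the block shows the default query yielding the NameID, the FirstName query yielding Alice, and "//Username/text()" yielding user1 from an element nested inside an AttributeValue, which is the reason the abbreviated syntax should be used only when that is the intended match.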
SAML Affiliation Name IDs Settings
The Name IDs section is where you configure the name ID of the principal. The Service Provider in an affiliation uses this information for user disambiguation.
  • Name IDs
    Specifies the name identifier for the principal. Every Service Provider that is a member of the affiliation shares this single identifier for the principal, so any member can refer to the same principal as the others.
  • Name ID Format
    Specifies the format of the name identifier. For example, the name ID can take the format of an email address.
    Select an option from the drop-down list.
Name ID Type
The Name ID section contains options that specify the Name Identifier type. Select one of the following options:
  • Static
    Indicates that the Name Identifier is the value in the Static Value field. Activates the Static Value field; disables other controls.
  • User Attribute
    Indicates that the Name Identifier is the value in the Attribute Name field. Activates the Attribute Name field; disables other controls.
  • DN Attribute
    Specifies the Name Identifier as an attribute of the entry at a group or organizational unit DN. Activates the Attribute Name field, the DN Spec field, and the Allow Nested Groups check box; disables the Static Value field.
  • Allow Nested Groups
    Enables nested groups when selecting the DN spec. Enabled when the DN Attribute option is selected.
Name ID Fields
Contains fields that specify information about the selected Name Identifier. The fields are context-sensitive and change depending on the Name ID Type selection.
The options are:
  • Static Value
    Specifies the static text value that is used for all name identifiers for this Service Provider.
  • Attribute Name
    Specifies the name of the user attribute from a user directory. This attribute contains the name identifier or the attribute that is associated with a group or organizational unit DN.
  • DN Spec
    Specifies the group or organizational unit DN used for obtaining the associated attribute to be used as the name identifier.
    Complete this field and the Attribute Name field.
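The following is an added example for the Name IDs settings above; it is illustration code written for this page, not the product's own implementation. It resolves a principal's name identifier under each Name ID Type (Static, User Attribute, DN Attribute) against a constructed in-memory directory, emits the SAML 2.0 NameID element, and shows the check a Service Provider in the affiliation would make on receipt. The directory, user DN and affiliation ID are constructed. Placing the Affiliation ID in SPNameQualifier follows SAML 2.0 Core, which qualifies an identifier shared by an affiliation with the affiliation's ID rather than with one Service Provider's entity ID. Group membership and the Allow Nested Groups option are not modelled.

```python
"""Added example: resolve the name identifier for a principal under each
Name ID Type (Static, User Attribute, DN Attribute) and emit a SAML 2.0
NameID scoped to the affiliation.

Illustration code for this page, not the product's own code. Directory, user
DN and affiliation ID are constructed. SPNameQualifier = Affiliation ID
follows SAML 2.0 Core. Membership and nested groups are not modelled."""
from dataclasses import dataclass
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
EMAIL_FORMAT = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"

# Constructed values; not from a real deployment.
AFFILIATION_ID = "https://affiliation.example.com/sales"
USER_DN = "uid=user1,ou=people,dc=example,dc=com"
GROUP_DN = "cn=sales,ou=groups,dc=example,dc=com"
DIRECTORY = {
    USER_DN: {"uid": "user1", "mail": "user1@example.com"},
    GROUP_DN: {"cn": "sales", "mail": "sales-team@example.com", "member": [USER_DN]},
}


@dataclass
class NameIdConfig:
    """Mirrors the Name ID Type and Name ID Fields controls of the dialog."""
    name_id_type: str                     # "static", "user_attribute" or "dn_attribute"
    name_id_format: str = EMAIL_FORMAT    # Name ID Format
    static_value: str = ""                # Static Value field
    attribute_name: str = ""              # Attribute Name field
    dn_spec: str = ""                     # DN Spec field


def resolve_name_id(cfg, user_dn, directory=DIRECTORY):
    """Return the name identifier for user_dn, or None if it cannot be resolved."""
    if cfg.name_id_type == "static":
        return cfg.static_value or None
    if cfg.name_id_type == "user_attribute":
        return directory.get(user_dn, {}).get(cfg.attribute_name) or None
    if cfg.name_id_type == "dn_attribute":
        # The attribute is read from the group or OU entry named by DN Spec,
        # so every principal resolved against that DN receives the same value.
        return directory.get(cfg.dn_spec, {}).get(cfg.attribute_name) or None
    raise ValueError("unknown Name ID Type: %r" % cfg.name_id_type)


def build_name_id(cfg, user_dn, affiliation_id, directory=DIRECTORY):
    """Serialize the resolved identifier as a NameID qualified by the affiliation."""
    value = resolve_name_id(cfg, user_dn, directory)
    if value is None:
        raise LookupError("no name identifier for %s" % user_dn)
    ET.register_namespace("saml", SAML_NS)
    elem = ET.Element("{%s}NameID" % SAML_NS)
    elem.set("Format", cfg.name_id_format)
    elem.set("SPNameQualifier", affiliation_id)
    elem.text = value
    return ET.tostring(elem, encoding="unicode")


def name_id_in_affiliation(name_id_xml, affiliation_id):
    """Service Provider side: use the shared identifier only if it is scoped to our affiliation."""
    elem = ET.fromstring(name_id_xml)
    return elem.get("SPNameQualifier") == affiliation_id


if __name__ == "__main__":
    for cfg in (
        NameIdConfig("static", static_value="shared-principal"),
        NameIdConfig("user_attribute", attribute_name="mail"),
        NameIdConfig("dn_attribute", attribute_name="mail", dn_spec=GROUP_DN),
    ):
        xml = build_name_id(cfg, USER_DN, AFFILIATION_ID)
        print(cfg.name_id_type, "->", xml, name_id_in_affiliation(xml, AFFILIATION_ID))
```

As modelled here, the Static and DN Attribute types produce the same identifier for every principal resolved against the same configuration, whereas User Attribute produces a per-user value; choose the type according to whether the affiliation needs to tell principals apart. A Service Provider that ignores SPNameQualifier would accept an identifier qualified for a different scope, which is why the receiving side compares it against its own affiliation ID before using the value for disambiguation.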
SAML Service Provider and Authentication Scheme Associations
 
  • SAML Service Providers Associations
    Provides a read-only listing of all Service Providers that are members of an affiliation. The administrator at the Identity Provider adds or removes a Service Provider to or from an affiliation. A Service Provider is associated with an affiliation in the Name ID settings when configuring a Service Provider object at the Identity Provider.
  • SAML Authentication Scheme Associations
    Provides a read-only listing of all SAML 2.0 authentication schemes that are members of the affiliation. An authentication scheme is associated with an affiliation in the General settings of a SAML 2.0 authentication scheme object at the Service Provider.