Configuring authentication involves determining how the service provider interacts with the identity provider during user authentication and federation. Three methods exist for you to identify users from a trusted identity provider:
You can identify users by matching their authentication credentials
You can match selected attributes and then prompt for a password to verify the match, or you can use just the attributes for the match.
You can assume that the user does not have an account and create new accounts with user provisioning. You can also allow for provisioning when the matching methods fail. If there are problems during provisioning, you see error messages with more information.