Configuring the Attribute Matching Method for Liberty or SAML 2.0

If you enabled Attribute matching when selecting a user identification method, you must configure a matching method.

The Liberty Personal Profile is enabled by default. If you have disabled it, you need to enable it. See Managing Web Services and Profiles.

  1. Click Devices > Identity Servers > Servers > Edit > Liberty [or SAML 2.0] > [Identity Provider] > User Identification.

  2. Click Attribute Matching settings.

  3. Select and arrange the user stores you want to use.

    Order is important. The user store at the top of the list is searched first. If a match is found, the other user stores are not searched.

  4. Select a matching expression, or click New to create a look-up expression. For information about creating a look-up expression, see Configuring User Matching Expressions.

  5. Specify what action to take if no match is found.

    • Do nothing: Specifies that an identity provider account is not matched with a service provider account. This option allows the user to authenticate the session without identifying a user account on the service provider.

      IMPORTANT: Do not select this option if the expected name format identifier is persistent. A persistent name format identifier requires the user to be identified so that information can be stored with that user. To support Do nothing and allow anonymous access, you must configure the authentication response for a transient identifier format. To view the service provider configuration, see Configuring an Authentication Response for a Service Provider.

    • Prompt user for authentication: Allows a user to specify the credentials that exist on the service provider. Sometimes users have accounts at both the identity provider and the service provider, but the accounts were created independently, use different names (for example, joe.smith and jsmith) and different passwords, and share no common attributes except for the credentials known by the user.

    • Provision account: Assumes that the user does not have an account at the service provider and creates one for the user. You must create a provisioning method.

  6. Click OK.

  7. (Conditional) If you selected Provision account when no match is found, select the Provision settings icon. For information about this process, see Defining the User Provisioning Method.

  8. Click OK > OK, then update the Identity Server.
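As an added illustration (not Access Manager code), the following Python models the matching flow this procedure configures: user stores searched in order with the first match winning, the configured no-match action, and the check from the IMPORTANT note that Do nothing cannot be combined with a persistent name identifier. The store names, the mail attribute and the user records are constructed samples.

```python
from dataclasses import dataclass
# Standard SAML 2.0 NameID format URIs.
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"
NO_MATCH_ACTIONS = ("do_nothing", "prompt", "provision")

@dataclass
class UserStore:
    name: str
    users: list          # constructed records: dict of attribute -> value

@dataclass
class MatchingConfig:
    stores: list         # ordered: the first store is searched first
    match_attribute: str # look-up expression reduced to a single attribute
    no_match_action: str
    name_id_format: str  # format the SP expects in the authentication response

def validate(cfg):
    """Return configuration problems; an empty list means the config is acceptable."""
    problems = []
    if cfg.no_match_action not in NO_MATCH_ACTIONS:
        problems.append(f"unknown no-match action {cfg.no_match_action!r}")
    # A persistent identifier must be bound to an identified account, so
    # 'Do nothing' (anonymous session) is only valid with a transient format.
    if cfg.no_match_action == "do_nothing" and cfg.name_id_format == PERSISTENT:
        problems.append("'Do nothing' requires a transient NameID format")
    return problems

def match_user(cfg, asserted):
    """Search stores in order; the first match wins and later stores are skipped.
    Returns ('matched', store, uid) or (no_match_action, None, None)."""
    wanted = asserted.get(cfg.match_attribute)
    if wanted is not None:
        for store in cfg.stores:
            for record in store.users:
                if record.get(cfg.match_attribute) == wanted:
                    return ("matched", store.name, record["uid"])
    return (cfg.no_match_action, None, None)

# Constructed sample data: the same mail address exists in both stores.
HR = UserStore("hr", [{"uid": "jsmith", "mail": "joe.smith@example.com"}])
CONTRACTORS = UserStore("contractors",
                        [{"uid": "j.smith.ext", "mail": "joe.smith@example.com"}])
CONFIG = MatchingConfig([HR, CONTRACTORS], "mail", "prompt", PERSISTENT)

if __name__ == "__main__":
    print(match_user(CONFIG, {"mail": "joe.smith@example.com"}))  # hr wins
    print(validate(MatchingConfig([HR], "mail", "do_nothing", PERSISTENT)))
```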