Selecting a User Identification Method for SAML 1.1

Two methods exist for identifying users from an identity provider when using the SAML 1.1 protocol. You can specify that no account matching needs to occur, or you can configure a match method. You configure a match method when you want to use attributes from the identity provider to uniquely identify a user on the service provider.

  1. Click Devices > Identity Servers > Edit > SAML 1.1 > [Identity Provider] > User Identification.

  2. In Satisfies contract, specify the contract that can be used to satisfy the assertion received from the identity provider. Because SAML 1.1 does not use contracts and Identity Server is contract-based, this setting lets you associate a contract with a SAML 1.1 assertion.

    Use caution when assigning a contract to associate with an assertion, because the association can imply that authentication has occurred when it has not. For example, if a contract is assigned to an assertion and the contract has two authentication methods (such as one for name/password and another for X.509), the server sending the assertion might use only name/password. The service provider, however, might assume that X.509 authentication took place and then incorrectly assert it to another server.

  3. Select one of the following options for user identification:

    • Do nothing: Specifies that an identity provider account is not matched with a service provider account. This option allows the user to authenticate the session without identifying a user account on the service provider.

    • Attribute matching: Authenticates a user by matching a user account on the identity provider with an account on the service provider. This option requires that you set up the match method.

      • Prompt for password on successful match: Specifies whether to prompt the user for a password after the user is matched to an account, to confirm that the user owns the matched account.

  4. Select one of the following:

  5. You can also configure the assertion validity time manually.

    • Assertion Validity Window: You can manually set the assertion validity time for the SAML service provider (SP) to accommodate clock skew between the service provider and the SAML identity provider (IDP) server.

  6. Click OK > OK > Apply.

  7. Update Identity Server.
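As an added example (not code from this documentation or from the product), the two checks that the procedure above configures, written as plain Python: the assertion validity window widened by a clock-skew tolerance, and a comparison of the contract's authentication methods against the methods the assertion actually states, so that X.509 is not assumed when the identity provider used only name/password. The assertion XML, the issuer URL and the user name are constructed samples; signature verification is assumed to have happened before these checks run.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:1.0:assertion"}
# AuthenticationMethod URIs defined by the SAML 1.1 core specification.
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_X509 = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"

# Constructed sample assertion: the IDP authenticated the user by name/password only.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_sample-id"
    Issuer="https://idp.example.test" IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z"/>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2024-01-01T12:00:00Z">
    <saml:Subject><saml:NameIdentifier>alice</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def _ts(value):
    # SAML 1.1 timestamps are UTC xsd:dateTime values ending in "Z".
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_validity_window(assertion_xml, now, skew_seconds):
    """True if `now` lies inside Conditions, widened by the skew window on both ends."""
    cond = ET.fromstring(assertion_xml).find("saml:Conditions", NS)
    if cond is None:
        return False
    skew = timedelta(seconds=skew_seconds)
    not_before = cond.get("NotBefore")
    not_on_or_after = cond.get("NotOnOrAfter")
    # Both attributes are optional in SAML 1.1; only the ones present constrain the window.
    if not_before is not None and now < _ts(not_before) - skew:
        return False
    if not_on_or_after is not None and now >= _ts(not_on_or_after) + skew:
        return False
    return True


def methods_satisfied(assertion_xml, contract_methods):
    """Return only the contract methods that the assertion actually states were used.

    Anything in the contract but not in this set must not be treated as proven.
    """
    root = ET.fromstring(assertion_xml)
    asserted = {s.get("AuthenticationMethod")
                for s in root.findall("saml:AuthenticationStatement", NS)}
    return set(contract_methods) & asserted
```

With the sample above, a 60-second skew window accepts a clock that is 30 seconds past NotOnOrAfter, while a zero window rejects it; the contract's X.509 method is never returned because the assertion states only the password method.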