Configuring the SAML 1.1 Authentication Response

You can specify the name identifier and its format when Identity Server sends an authentication response. You can also restrict the use of the assertion.

When an identity provider sends an assertion, the assertion can be restricted to an intended audience. In SAML 1.1 the intended audience is any abstract URI; the URI reference can also identify a document that describes the terms and conditions of audience membership. A service provider that is not a member of the stated audience must not accept the assertion.

  1. Click Devices > Identity Servers > Edit > SAML 1.1 > [Service Provider] > Authentication Response.

  2. To specify a name identifier format, select one of the following:

    • E-mail: Specifies that an e-mail attribute can be used as the identifier.

    • X509: Specifies that an X.509 certificate can be used as the identifier.

    • Unspecified: Specifies that the format is not constrained and any value can be used. The service provider and the identity provider need to agree on what value is placed in this identifier.

  3. To specify the format of the name identifier, select an attribute.

    The available attributes depend upon the attributes that you have selected to send with authentication (see the Attributes page for the service provider).

  4. To configure an audience, click New.

  5. Specify the SAML Audience URL value.

    The Provider ID, which can be used for the audience, is displayed on the Edit page for the metadata.

  6. You can manually set the assertion validity time for the SAML service provider in Assertion Validity to accommodate clock skew between a service provider and SAML Identity Server (IDP).

  7. Click OK > OK.

  8. Update Identity Server.
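The following is an added example, not Access Manager code, showing the relying-party side of the settings above: it parses a SAML 1.1 assertion, reads the NameIdentifier value and its Format (the E-mail / X509 / Unspecified choices map to the SAML 1.1 nameid-format URIs), enforces the AudienceRestrictionCondition set in steps 4 and 5, and applies the validity window from step 6 with a clock-skew tolerance. The assertion, issuer and audience values are constructed placeholders, and XML signature verification is assumed to have happened before this check runs.

```python
"""Service-provider-side checks on a SAML 1.1 authentication assertion.

Added example (not NetIQ/Access Manager code). Enforces the audience
restriction and validity window that the Identity Server settings control,
and extracts the name identifier and its format.
"""
from datetime import datetime, timedelta
import xml.etree.ElementTree as ET

# SAML 1.0 and 1.1 assertions share this namespace.
SAML1_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
NS = {"saml": SAML1_NS}

# Name identifier formats defined by SAML 1.1 core (section 7.3); they
# correspond to the E-mail / X509 / Unspecified choices in step 2.
NAMEID_EMAIL = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
NAMEID_X509 = "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName"
NAMEID_UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Constructed sample assertion; issuer, audience and subject are placeholders.
SAMPLE_ASSERTION = f"""<saml:Assertion xmlns:saml="{SAML1_NS}"
    MajorVersion="1" MinorVersion="1"
    AssertionID="_example-assertion-id"
    Issuer="https://idp.example.test/nidp/saml/metadata"
    IssueInstant="2024-01-01T12:00:00Z">
  <saml:Conditions NotBefore="2024-01-01T12:00:00Z" NotOnOrAfter="2024-01-01T12:05:00Z">
    <saml:AudienceRestrictionCondition>
      <saml:Audience>https://sp.example.test/saml/metadata</saml:Audience>
    </saml:AudienceRestrictionCondition>
  </saml:Conditions>
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2024-01-01T12:00:00Z">
    <saml:Subject>
      <saml:NameIdentifier Format="{NAMEID_EMAIL}">alice@example.test</saml:NameIdentifier>
    </saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def parse_instant(value):
    """Parse a SAML dateTime such as 2024-01-01T12:00:00Z into an aware datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value)


def check_assertion(xml_text, expected_audience, now, skew_seconds=0):
    """Return (accepted, reasons, name_id, name_id_format).

    Assumes the XML signature over the assertion was already verified.
    skew_seconds is the clock-skew tolerance the relying party allows.
    """
    root = ET.fromstring(xml_text)
    reasons = []
    skew = timedelta(seconds=skew_seconds)

    conditions = root.find("saml:Conditions", NS)
    if conditions is None:
        reasons.append("no Conditions element")
    else:
        not_before = conditions.get("NotBefore")
        not_on_or_after = conditions.get("NotOnOrAfter")
        # Validity window, widened by the allowed skew on both ends.
        if not_before and now + skew < parse_instant(not_before):
            reasons.append("assertion not yet valid")
        if not_on_or_after and now - skew >= parse_instant(not_on_or_after):
            reasons.append("assertion expired")

        audiences = [
            a.text.strip()
            for a in conditions.findall("saml:AudienceRestrictionCondition/saml:Audience", NS)
            if a.text
        ]
        # A well-configured IDP (step 4) always sends an audience; require it.
        if not audiences:
            reasons.append("no audience restriction present")
        elif expected_audience not in audiences:
            reasons.append("audience mismatch: " + ", ".join(audiences))

    name_id_el = root.find(".//saml:Subject/saml:NameIdentifier", NS)
    if name_id_el is None or not (name_id_el.text or "").strip():
        reasons.append("missing NameIdentifier")
        name_id, fmt = None, None
    else:
        name_id = name_id_el.text.strip()
        # Absent Format is treated as unspecified per SAML 1.1.
        fmt = name_id_el.get("Format", NAMEID_UNSPECIFIED)

    return (not reasons, reasons, name_id, fmt)


if __name__ == "__main__":
    now = parse_instant("2024-01-01T12:02:00Z")
    print(check_assertion(SAMPLE_ASSERTION, "https://sp.example.test/saml/metadata", now))
```

The skew tolerance is applied on the relying-party side here; the Assertion Validity setting in step 6 is the identity-provider-side counterpart, and the two should be set with the same skew expectation in mind so that a legitimately issued assertion is not rejected as expired.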