User identification determines how an account at the identity provider is matched with an account at the service provider. If federation is enabled between two, the user can set up a permanent relationship between the two accounts. If federation is not enabled (see Configuring a SAML 2.0 Authentication Request and Configuring a Liberty Authentication Request), you cannot set up a user identification method.
Click Devices > Identity Servers > Edit > Liberty [or SAML 2.0] > [Identity Provider] > User Identification.
Specify how users are identified on the SAML 2.0 or Liberty provider. Select one of the following methods:
Authenticate: Select this option when you want to use login credentials. This option prompts the user to log in at both the identity provider and the service provider on first access. If the user selects to federate, the user is prompted, on subsequent logins, to authenticate only to the identity provider.
Allow ‘Provisioning’: Select this option to allow users to create an account when they have no account on the service provider. This option requires that you specify a user provisioning method.
Provision account: Select this option when the users on the identity provider do not have accounts on the service provider. This option allows the service provider to trust any user that has authenticated to the trusted identity provider
This option requires that you specify a user provisioning method.
Attribute matching: Select this option when you want to use attributes to match an identity server account with a service provider account. This option requires that you specify a user matching method.
Prompt for password on successful match: Select this option to prompt the user for a password when the username is matched to an account, to ensure that the account matches.
NOTE:If you have selected Transient user mapping while configuring the name identifier format, the Authenticate and Provision account options are not displayed for SAML 2.0.
Select one of the following:
If you selected Attribute matching, select a method and click OK. If you have not created a matching method, continue with Configuring the Attribute Matching Method for Liberty or SAML 2.0.
If you selected the Provision account option, select a method, then click OK. If you have not created a provisioning method, continue with Defining the User Provisioning Method.
If you selected the Authenticate option with the Allow Provisioning option, select a method, then click OK. If you have not created a provisioning method, continue with Defining the User Provisioning Method.
If you selected the Authenticate option without the Allow Provisioning option, click OK.
Configure the authentication methods that must be used before authenticating the users.
Step Up Authentication methods: These are the existing configured authentication methods that you can use for secondary authentication. Use the arrow keys to move methods from the available methods list to the step up methods list. The selected methods are used in the same order as listed for the step up authentication. The step up authentication does not require to identify the user because identity provider already authenticates the user. The step up authentication is used for additional authentication to access the services. Hence, the selected methods must not have Identifies User selected in its configuration. After an identity provider authenticates, the Identity Server (service provider) prompts for step up authentication for additional security. If the step up authentication method is not satisfied, authentication fails.
NOTE:To enable audit events for step-up authentication, select Federation Step-up audit event.
Configure the post authentication method. These are the existing methods that can be used after the authentication is successful. These are not used for authenticating a user but to perform custom tasks post authentication, such as password fetch. If the post authentication method fails, the session will remain valid.
Selected Methods: Using the arrow keys to move methods from the Available Methods list to the Selected Methods list. The selected method is executed when post remote authentication completes.
For example if you select the passwordfetch method, this method is executed at the service provider after the identity provider authentication and federation completes. For more information about passwordfetch method, see Password Retrieval.
Logout on method execution failure: If you select this check box, then whenever there is a session failure, the user is logged out automatically.
Configure the session options.
Allow IDP to set session timeout: Select Allow Identity Provider to set session time-out between the principal identified by the subject and the SAML authority based on SessionNotOnOrAfter attribute in SAML assertion of authnStatement.
Overwrite Temporary User: If you select this check box, then the temporary user credentials profile got from previous authentication method in the same session will be overwritten with real user credentials profile got from this authentication method.
Overwrite Real User: If you select this option, the real user credentials profile got from the previous authentication method in the same session will be overwritten with real user credentials profile got from this authentication method
Assertion Validity Window: You can manually set the assertion validity time for a SAML service provider (SP) to accommodate clock skew between SP and a SAML Identity Server (IDP).
Click OK > OK, then update Identity Server.