2.4.8 Configuring User Matching Expressions

When a service provider receives an assertion from a trusted identity provider, the service provider tries to identify the user. You can configure a service provider to perform one of the following actions:

  • Accept that the assertion contains a valid user and authenticate the user locally with a temporary identity and account. When a user logs out, the account and identity are destroyed.

  • Use the attributes in the assertion to match a user in the local user store. When you want the service provider to take this action, you need to create a user matching expression.

  • Use the attributes in the assertion to match a user in the local user store and, when the match fails, create an account for the user in the local user store of the service provider (provisioning). When you want the service provider to take this action, you need to create a user matching expression.

The user matching expression is used to format a query to the user store based on the attributes received in the assertion from the identity provider. This query must return a match for exactly one user.

  • If the query returns a match for multiple users, the request fails and the user is denied access.

  • If the query fails to find a match and you have selected provisioning, the service provider uses the attributes to create an account for this user in its user store. If you have not selected provisioning, the request fails and the user is denied access.

The user matching expression defines the logic of the query. You must know the LDAP attributes that are used to name the users in the user store in order to create the user’s distinguished name and uniquely identify the users.

For example, if the service provider user store uses the email attribute to identify users, the identity provider must be configured to send the email attribute. The service provider uses this attribute in a user matching expression to find the user in the user store. If a match is found, the user is granted access. If the user is not found, that attribute can be used to create an account for the user. The assertion must contain all the attributes that the user store requires to create an account.

To create a user matching expression, perform the following steps:

  1. Click Devices > Identity Servers > Shared Settings > User Matching Expressions.

  2. Click New or click the name of an existing user matching expression.

  3. Specify a name for the user lookup expression.

  4. Click the Add Attributes icon and select attributes to add to the logic group.

  5. Click OK.

  6. To add logic groups, click New Logic Group.

    Type (AND or OR) applies only between groups. Attributes within a group are always the opposite of the type selection. For example, if Type is AND, the attributes within the group are OR.

  7. Click the Add Attributes icon to add attributes to the next logic group and click OK.

  8. Click Finish.

  9. (Conditional) If you selected attributes from the Custom, Employee, or Personal profile, enable the profile so that the attribute can be shared.

    1. Click Servers > Edit > Liberty > Web Service Provider.

    2. Select the profiles that need to be enabled, then click Enable.

    3. Click OK and then update Identity Server.
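The following added example (not Access Manager's own code; the user store, attribute names and assertion values are constructed) models what the procedure above configures: the logic groups are rendered as an LDAP filter in which the group Type applies between groups and the opposite operator applies inside each group, and the single-match rule decides between access, provisioning and denial.

```python
# Added example, not Access Manager code: models a user matching expression
# as an LDAP filter and applies the single-match rule described above.
from typing import Dict, List, Tuple

# Constructed sample user store standing in for the service provider's LDAP.
# Two entries share a mail value to show why an expression may need more than one attribute.
USER_STORE = [
    {"cn": "alice", "mail": "alice@example.com", "employeeNumber": "1001"},
    {"cn": "bob", "mail": "bob@example.com", "employeeNumber": "1002"},
    {"cn": "bob2", "mail": "bob@example.com", "employeeNumber": "1003"},
]

def ldap_escape(value: str) -> str:
    """Escape assertion values per RFC 4515 so they cannot change the filter's logic."""
    return (value.replace("\\", "\\5c").replace("*", "\\2a")
                 .replace("(", "\\28").replace(")", "\\29").replace("\0", "\\00"))

def build_filter(group_type: str, groups: List[List[str]], attrs: Dict[str, str]) -> str:
    """Render the logic groups as the LDAP filter sent to the user store.
    group_type (AND/OR) joins the groups; attributes inside a group use the opposite operator.
    The assertion (attrs) must carry every attribute the expression uses."""
    outer, inner = ("&", "|") if group_type == "AND" else ("|", "&")
    parts = []
    for group in groups:
        terms = "".join(f"({a}={ldap_escape(attrs[a])})" for a in group)
        parts.append(f"({inner}{terms})" if len(group) > 1 else terms)
    return f"({outer}{''.join(parts)})" if len(parts) > 1 else parts[0]

def matches(user: Dict[str, str], group_type: str, groups: List[List[str]], attrs: Dict[str, str]) -> bool:
    """Evaluate the same expression against one user entry (what the directory does server-side)."""
    between = all if group_type == "AND" else any
    within = any if group_type == "AND" else all   # opposite of the group Type
    return between(within(user.get(a) == attrs[a] for a in g) for g in groups)

def resolve_user(group_type: str, groups: List[List[str]], attrs: Dict[str, str],
                 provisioning: bool, store: List[Dict[str, str]]) -> Tuple[str, object]:
    """Single-match rule: one hit grants access, several deny, none provisions only if enabled."""
    hits = [u for u in store if matches(u, group_type, groups, attrs)]
    if len(hits) == 1:
        return "match", hits[0]
    if len(hits) > 1:
        return "denied", f"{len(hits)} users matched"
    if provisioning:
        new_user = {a: attrs[a] for g in groups for a in g}   # built from the assertion's attributes
        store.append(new_user)
        return "provisioned", new_user
    return "denied", "no user matched and provisioning is off"
```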