Modifying the Authentication Response

When Identity Server sends its response to a service provider, the response can contain an identifier for the user. If you do not own the service provider, contact the administrator of the service provider and negotiate whether the user needs to be identified and how to do the identification. If the service provider is going to use an attribute for user identification, that attribute needs to be in the attributes sent with authentication. See Configuring the Attributes Sent with Authentication.

To select the user identification method to send in the response, perform the following steps:

  1. Click Devices > Identity Servers > Edit > WS Federation > [Service Provider] > Authentication Response.

  2. Select one of the following formats:

    Unspecified: Specifies that the SAML assertion contains an unspecified name identifier.

    E-mail: Specifies that the SAML assertion contains the user’s email address for the name identifier.

    X509: Specifies that the SAML assertion contains an X.509 certificate for the name identifier.

  3. For the value, select an attribute that matches the format. For the Unspecified format, select the attribute that the service provider expects.

    The only values available are from the attribute set that you have created for WS Federation.

  4. To specify that this Identity Server must authenticate the user, disable the Use proxied requests option. When the option is disabled and Identity Server cannot authenticate the user, the user is denied access.

    When this option is enabled, Identity Server checks to see if other identity providers can satisfy the request. If one or more can, the user is allowed to select which identity provider performs the authentication. If a proxied identity provider performs the authentication, it sends the response to Identity Server. Identity Server then sends the response to the service provider.

  5. Set the assertion validity time for a WS Federation service provider in Assertion Validity to accommodate clock skew between the service provider and SAML Identity Server (IDP).

    The following scenarios apply when setting the assertion validity time:

    • The Assertion Validity set for a Service Provider overrides the assertion validity set using the WSFED ASSERTION VALIDITY property in the Assertion Validity Window.

      For more information, see Assertion Validity Window.

    • If the Assertion Validity for a Service Provider is set to 0, the assertion validity set using the WSFED ASSERTION VALIDITY property in the Assertion Validity Window takes precedence.

    • If the Assertion Validity is defined neither for the Service Provider nor in the Assertion Validity Window, the token lifetime defaults to 15 minutes.

    • The minimum lifetime of a token is 600 seconds. If the Assertion Validity for a Service Provider is set to less than 300 seconds, the user must wait for the token's minimum lifetime to expire.

  6. Click OK > OK.

  7. Update Identity Server.
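The precedence rules in step 5 (service provider value, then the WSFED ASSERTION VALIDITY property, then the 15-minute default, with a 600-second floor) and the reason for tuning them (clock skew between the IDP and the service provider) can be checked end to end with a small script. The following is an added example and is not code from Identity Server or its documentation. It assumes that the assertion's NotBefore equals its IssueInstant and NotOnOrAfter equals IssueInstant plus the effective lifetime, and it treats a global property value of 0 as undefined; neither assumption is stated on the page.

```python
from datetime import datetime, timedelta, timezone

DEFAULT_TOKEN_LIFETIME = 15 * 60   # page: token lifetime defaults to 15 minutes
MINIMUM_TOKEN_LIFETIME = 600       # page: minimum lifetime of a token is 600 seconds


def effective_assertion_validity(sp_validity, global_validity):
    """Return the effective assertion lifetime in seconds.

    sp_validity:     the service provider's Assertion Validity field
                     (None if not defined, 0 to defer to the global property)
    global_validity: the WSFED ASSERTION VALIDITY property (None if not defined)

    Precedence as the page describes it: a non-zero SP value wins; otherwise the
    global property; otherwise the 15-minute default. A value below the minimum
    is raised to the minimum. Assumption: a global value of 0 counts as unset.
    """
    if sp_validity:                                  # defined and non-zero
        lifetime = sp_validity
    elif global_validity:                            # assumption: 0 means unset
        lifetime = global_validity
    else:
        lifetime = DEFAULT_TOKEN_LIFETIME
    return max(lifetime, MINIMUM_TOKEN_LIFETIME)


def assertion_window(issue_instant, lifetime_seconds):
    """Validity window the IDP stamps on the assertion as (NotBefore, NotOnOrAfter).

    Assumption (not on the page): NotBefore is the IssueInstant and NotOnOrAfter
    is IssueInstant plus the effective lifetime.
    """
    return issue_instant, issue_instant + timedelta(seconds=lifetime_seconds)


def accepted_by_service_provider(sp_now, not_before, not_on_or_after, tolerated_skew=0):
    """Service-provider-side check of the SAML Conditions element.

    tolerated_skew widens the window on both edges by that many seconds so a
    service provider whose clock drifts from the IDP does not reject valid
    assertions; a longer assertion validity on the IDP side has the same effect
    on the NotOnOrAfter edge, which is why the page ties the two together.
    """
    skew = timedelta(seconds=tolerated_skew)
    return (not_before - skew) <= sp_now < (not_on_or_after + skew)


def demo():
    """Constructed scenario: SP field is 0, global property is 1200 seconds,
    and the service provider's clock runs five minutes ahead of the IDP."""
    idp_now = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)   # constructed
    lifetime = effective_assertion_validity(sp_validity=0, global_validity=1200)
    not_before, not_on_or_after = assertion_window(idp_now, lifetime)
    sp_now = idp_now + timedelta(minutes=5)                           # constructed skew
    return accepted_by_service_provider(sp_now, not_before, not_on_or_after)


if __name__ == "__main__":
    print("effective lifetime:", effective_assertion_validity(0, 1200), "seconds")
    print("accepted with 5 min skew:", demo())
```

The second half of the script illustrates the failure mode that motivates step 5: with a short lifetime and no skew tolerance on the service provider, an assertion that is perfectly valid at the IDP is rejected as expired (or as not yet valid, if the service provider's clock runs behind), so either the assertion validity on the IDP or the skew tolerance on the service provider has to cover the observed drift.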