Modifying the User Identification Method

The user identification method specifies how Identity Server identifies the user after it receives an assertion from the identity provider.

  1. Click Devices > Identity Servers > Edit > WS Federation > [Identity Provider] > User Identification.

  2. In Satisfies contract, specify the contract that is satisfied by the assertion received from the identity provider. WS Federation expects the URI name of the contract to look like a URL, so it rejects all default Access Manager contracts. You must create a contract with a URI that conforms to WS Federation requirements.

    For more information about creating this contract, see Creating a New Authentication Contract.

  3. In Allow federation, specify whether the user can associate (federate) an account at the identity provider (the ADFS server) with an account at Identity Server.

    Enabling this option assumes that a user account exists at the provider or that a method is provided to create an account that can be associated with the user on subsequent logins. If you do not use this feature, authentication is permitted but is not associated with a particular user account.

  4. Select one of the following methods for user identification:

    • Do nothing: Allows the user to authenticate without creating an association with a user account. This option cannot be used when federation is enabled.

    • Authenticate: Allows the user to authenticate using a local account.

      • Allow ‘Provisioning’: Provides a button that the user can click to create an account when the authentication credentials do not match an existing account.

    • Provision account: Allows a new account to be created for the user when the authenticating credentials do not match an existing user. When federation is enabled, the new account is associated with the user and used with subsequent logins. When federation is not enabled, a new account is created every time the user logs in.

      This option requires that you specify a user provisioning method.

    • Attribute matching: Enables account matching. The service provider can uniquely identify a user in its directory by obtaining specific user attributes sent by the trusted identity provider. This option requires that you specify a user matching method.

      • Prompt for password on successful match: Specifies whether to prompt the user for a password when the user’s name is matched to an account, to confirm that the matched account belongs to the user.

  5. (Conditional) If you selected a method that requires provisioning (Allow ‘Provisioning’ or Provision account), click the Provision settings icon and create a provisioning method.

    For configuration information, see Defining the User Provisioning Method.

  6. (Conditional) If you selected Attribute matching as the identification method, click the Attribute Matching settings icon and create a matching method.

    For more information, see Configuring the Attribute Matching Method for Liberty or SAML 2.0.

  7. Click OK > OK.

  8. Update Identity Server.