280 Novell Access Manager 3.1 SP2 Identity Server Guide
novdocx (en) 16 April 2010
Provision account: Assumes that the user does not have an account at the service provider and creates one for the user. You must create a provisioning method.
6 Click OK.
7 (Conditional) If you selected Provision account when no match is found, select the Provision settings icon. For information on this process, see Section 11.3, “Defining the User Provisioning Method,” on page 282.
8 Click OK twice, then update the Identity Server.
11.2 Defining User Identification for SAML 1.1
Section 11.2.1, “Selecting a User Identification Method for SAML 1.1,” on page 280
Section 11.2.2, “Configuring the Attribute Matching Method for SAML 1.1,” on page 281
11.2.1 Selecting a User Identification Method for SAML 1.1
Two methods exist for identifying users from an identity provider when using the SAML 1.1
protocol. You can specify that no account matching needs to occur, or you can configure a match
method. You configure a match method when you want to use attributes from the identity provider
to uniquely identify a user on the service provider.
1 In the Administration Console, click Devices > Identity Servers > Edit > SAML 1.1 > [Identity Provider] > User Identification.
2 In the Satisfies contract option, specify the contract that can be used to satisfy the assertion received from the identity provider. Because SAML 1.1 does not use contracts and because the Identity Server is contract-based, this setting permits an association to be made between a contract and a SAML 1.1 assertion.
Use caution when assigning the contract to associate with the assertion, because it is possible to
imply that authentication has occurred, when it has not. For example, if a contract is assigned to
the assertion, and the contract has two authentication methods (such as one for name/password
and another for X.509), the server sending the assertion might use only name/password, but the
service provider might assume that X.509 took place and then incorrectly assert it to another
server.
3 Select one of the following options for user identification:
Do nothing: Specifies that an identity provider account is not matched with a service provider account. This option allows the user to authenticate the session without identifying a user account on the service provider.
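The over-claim described in the caution under step 2, as an added example (not Novell's code and not part of the guide): it compares the AuthenticationMethod URIs a SAML 1.1 assertion actually states with the methods a candidate contract implies. The contract names and the contract-to-URI mapping are hypothetical, and the assertion is a constructed sample.

```python
import xml.etree.ElementTree as ET

SAML11_NS = "urn:oasis:names:tc:SAML:1.0:assertion"
# Authentication method identifiers defined by the SAML 1.1 core specification.
AM_PASSWORD = "urn:oasis:names:tc:SAML:1.0:am:password"
AM_X509 = "urn:oasis:names:tc:SAML:1.0:am:X509-PKI"

# Hypothetical contracts: name -> methods a downstream party would assume ran.
CONTRACTS = {
    "name_password": {AM_PASSWORD},
    "name_password_plus_x509": {AM_PASSWORD, AM_X509},
}

# Constructed sample: the identity provider authenticated with a password only.
SAMPLE_ASSERTION = """\
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion"
    MajorVersion="1" MinorVersion="1" AssertionID="_constructed-example"
    Issuer="https://idp.example.com" IssueInstant="2010-04-16T12:00:00Z">
  <saml:AuthenticationStatement
      AuthenticationMethod="urn:oasis:names:tc:SAML:1.0:am:password"
      AuthenticationInstant="2010-04-16T12:00:00Z">
    <saml:Subject><saml:NameIdentifier>jdoe</saml:NameIdentifier></saml:Subject>
  </saml:AuthenticationStatement>
</saml:Assertion>"""


def asserted_methods(assertion_xml):
    """Return the AuthenticationMethod URIs the assertion actually states."""
    # Assumes signature and issuer were validated before this point.
    root = ET.fromstring(assertion_xml)
    tag = f"{{{SAML11_NS}}}AuthenticationStatement"
    return {s.get("AuthenticationMethod") for s in root.iter(tag)} - {None}


def overclaimed_methods(assertion_xml, contract_name):
    """Methods the contract implies that the assertion never stated."""
    return CONTRACTS[contract_name] - asserted_methods(assertion_xml)


def safe_contracts(assertion_xml):
    """Contracts whose every method is backed by the assertion."""
    asserted = asserted_methods(assertion_xml)
    return sorted(n for n, m in CONTRACTS.items() if m and m <= asserted)


if __name__ == "__main__":
    for name in CONTRACTS:
        print(name, "over-claims:", sorted(overclaimed_methods(SAMPLE_ASSERTION, name)))
    print("safe for Satisfies contract:", safe_contracts(SAMPLE_ASSERTION))
```

A non-empty over-claim set for a contract means that associating it with this identity provider's assertions would let the service provider vouch for a method that never ran.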