Managing attribute requester mappings
If you are using the SAML 2.0 X.509 attribute sharing profile (XASP), applications at your site must supply the subject distinguished name (DN) to identify a user’s X.509 authentication certificate.
About this task
Optionally, an application can also supply an issuer DN, which can be used to determine the correct identity provider (IdP) attribute authority to use for a set of users associated with an IdP. For more information, see Attribute Query and XASP.
You must set the |
You can map X.509 identifying information to connections and specify a default connection on the System → Protocol Metadata → Attribute Requester Mapping window.
At runtime, the issuer DN, if supplied, is evaluated against the entries under Issuer DN Pattern in the order listed until a match is found; the first matching entry wins. If a match is found, the corresponding IdP connection is selected to issue a response to the attribute query request. If the issuer DN matches no entry, or if it is not provided, the subject DN from the request is compared against the entries under Subject DN Pattern in the same way. If the subject DN matches no entry, the default IdP connection is used.
You can use a regular expression to match different DNs to the same connection. Only one expression can be used in any single entry. DN values must be entered in all lower-case characters, so write a regular expression pattern in lower case as well. Because the first matching entry wins, list specific patterns before broad ones: a broad pattern placed first routes every DN it covers to its connection, including users you intended to map elsewhere.
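The lookup order described above, as an added example that is not PingFederate code: a small model of the mapping table that resolves an attribute query to an IdP connection (issuer DN patterns first, then subject DN patterns, then the default), checks the configuration for the lower-case and regular-expression rules, and shows how reversing two subject entries changes the result. The entry layout, the `resolve` and `validate` names, the use of `re.fullmatch`, lower-casing the incoming DN before comparison, and all DNs and connection names are assumptions constructed for illustration.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Entry:
    pattern: str      # regular expression, lower case as the page requires
    connection: str   # IdP connection name the entry maps to


@dataclass
class AttributeRequesterMapping:
    issuer_entries: List[Entry] = field(default_factory=list)
    subject_entries: List[Entry] = field(default_factory=list)
    default_connection: Optional[str] = None

    def validate(self) -> List[str]:
        """Return configuration problems: patterns that are not lower case or
        do not compile, and a missing default connection."""
        problems = []
        for kind, entries in (("issuer", self.issuer_entries),
                              ("subject", self.subject_entries)):
            for e in entries:
                if e.pattern != e.pattern.lower():
                    problems.append(f"{kind} pattern {e.pattern!r} is not all lower case")
                try:
                    re.compile(e.pattern)
                except re.error as exc:
                    problems.append(f"{kind} pattern {e.pattern!r} does not compile: {exc}")
        if not self.default_connection:
            problems.append("no default IdP connection selected")
        return problems

    @staticmethod
    def _first_match(entries: List[Entry], dn: str) -> Optional[str]:
        # Entries are tried in the order listed; the first match wins.
        # Assumption: the incoming DN is lower-cased before comparison (the
        # reason the page requires lower-case patterns). fullmatch makes a
        # pattern cover the whole DN, so a loose prefix cannot match by accident.
        dn = dn.lower()
        for e in entries:
            if re.fullmatch(e.pattern, dn):
                return e.connection
        return None

    def resolve(self, subject_dn: str, issuer_dn: Optional[str] = None) -> Optional[str]:
        """Pick the IdP connection that answers the attribute query."""
        if issuer_dn is not None:
            conn = self._first_match(self.issuer_entries, issuer_dn)
            if conn:
                return conn
        conn = self._first_match(self.subject_entries, subject_dn)
        if conn:
            return conn
        return self.default_connection


# Constructed configuration. The specific contractor pattern is listed before
# the broad catch-all for o=example corp on purpose.
MAPPING = AttributeRequesterMapping(
    issuer_entries=[
        Entry(r"cn=partner root ca,o=partner inc,c=us", "PartnerIdP"),
    ],
    subject_entries=[
        Entry(r"cn=[^,]+,ou=contractors,o=example corp,c=us", "ContractorIdP"),
        Entry(r".*,o=example corp,c=us", "EmployeeIdP"),
    ],
    default_connection="FallbackIdP",
)


def demo() -> dict:
    """Resolve a few constructed attribute queries against MAPPING."""
    return {
        "issuer wins": MAPPING.resolve("cn=bob,ou=sales,o=other corp,c=us",
                                       issuer_dn="cn=partner root ca,o=partner inc,c=us"),
        "contractor": MAPPING.resolve("cn=alice,ou=contractors,o=example corp,c=us"),
        "employee": MAPPING.resolve("CN=Carol,OU=Engineering,O=Example Corp,C=US"),
        "unknown": MAPPING.resolve("cn=mallory,o=nowhere,c=zz"),
    }


def reorder_pitfall() -> Optional[str]:
    """Same entries with the broad pattern first: the contractor is now
    routed to the employee IdP because the first match wins."""
    swapped = AttributeRequesterMapping(
        subject_entries=list(reversed(MAPPING.subject_entries)),
        default_connection=MAPPING.default_connection,
    )
    return swapped.resolve("cn=alice,ou=contractors,o=example corp,c=us")


if __name__ == "__main__":
    print(MAPPING.validate())
    print(demo())
    print(reorder_pitfall())
```

Two practical points follow from the model. A pattern is matched against the DN string the application actually submits, so it must use the same attribute order, spacing and escaping that the application produces when it serialises the certificate subject; a DN that looks equivalent but is serialised differently will fall through to the default connection. And because the default connection catches everything unmatched, review what that connection is willing to assert for a subject it has never seen.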
Steps
- Map one or more issuer DNs to SAML 2.0 IdP connections, as needed.
  - Enter an issuer DN under Issuer DN Pattern.
  - Select an IdP connection under IdP Connection Name.
  - Click Add.
  - Repeat these steps to add more entries.
- Map one or more subject DNs to SAML 2.0 IdP connections, as needed.
  - Enter a subject DN under Subject DN Pattern.
  - Select an IdP connection under IdP Connection Name.
  - Click Add.
  - Repeat these steps to add more entries.
- Select a default IdP connection from the list.