Selecting a WS-Federation Name ID type
You can choose a name identifier for your WS-Federation Browser single sign-on (SSO) configuration on the Identity Mapping tab. Your selection might affect the way the service provider (SP) looks up and associates your users to their local accounts.
Before you begin
For previous steps in configuring Browser SSO, see Configure IdP Browser SSO. For more information about managing service provider (SP) connections, see Accessing SP connections.
About this task
The Identity Mapping window is not applicable to connections using the WS-Federation protocol in conjunction with JSON web token (JWT)-based SSO tokens. Instead, work with the SP to define an attribute contract that it can use to map users to accounts at the SP site.
Steps
-
Select the type of name identifier that you and your SP have agreed to use.
Option Description Email Address
This attribute is commonly used as a unique identifier for SSO and single logout (SLO). Make this selection, for example, if a user logs in using an email address or if the information is available for lookup in a local datastore.
User Principal Name
The username or other unique ID of the subject initiating the transaction. Make this selection, for example, if a username will be available from the current user session as part of a cookie or can be derived from a local datastore.
Common Name
This selection provides for anonymous SSO to your SP, generally using a hard-coded generalized sign on. Make this selection if your partner agreement involves a many-to-one use case, such as if the SP has a group account set up for all users in a particular domain.
-
Click Next to save your changes.