Selecting a SAML Name ID type
You can choose a name identifier for your SAML Browser single sign-on (SSO) configuration on the identity Mapping tab. The type of name identifier you select affects how your service provider (SP) partner makes use of account mapping or account linking.
Before you begin
For previous steps in configuring Browser SSO, see Configure IdP Browser SSO. For more information about managing service provider (SP) connections, see Accessing SP connections.
About this task
If your SP uses account linking, establishing an attribute contract is not required. However, depending on your agreement, you can choose to supplement the account link with an attribute contract. In this configuration, the account link is used to determine the user’s identity, while the additional attributes might be used for authorization decisions, customized web pages, and so on, at the SP site. For more information, see User attributes.
If you change your configuration to use account linking without additional attributes, any existing attribute contract will be discarded in favor of the new configuration. |
Steps
-
Select the type of name identifier that you and your SP have agreed to use.
Option Description Standard
Select if you want to send a known attribute to identify a user, for example, a username or an email address.
In this scenario, the SP often uses account mapping to identify the user locally.
Pseudonym
Select if you and the SP have agreed to use a unique, opaque persistent name identifier, which cannot be traced back to the user’s identity at the IdP.
The SP might also use the identifier for account linking to make a persistent association between the user and a specific local account.
Select the Include attributes in addition to the pseudonym box if you want to set up an attribute contract to use in conjunction with an opaque identifier. For more information, see Setting up an attribute contract.
Transient
Select Transient to enhance the privacy of a user’s identity. Unlike a pseudonym, a transient identifier is different each time a user initiates SSO.
An example application for this selection might be when an SP provides generalized group accounts based on organizational rather than individual identity.
Select the Include attributes in addition to the transient identifier box if you want to set up an attribute contract to use in conjunction with an opaque identifier. For more information, see Setting up an attribute contract.
-
Click Next to save your changes.
Next steps
If you opted to include attributes in your name identifier, your next step will be to define the attributes. For more information, see Setting up an attribute contract. Otherwise proceed to Managing authentication source mappings.