For previous steps in configuring Browser SSO, see Configure IdP Browser SSO. For more information about managing service provider (SP) connections, see Accessing SP connections.
The Identity Mapping window is not applicable to connections using the WS-Federation protocol in conjunction with JSON web token (JWT)-based SSO tokens. Instead, work with the SP to define an attribute contract that it can use to map users to accounts at the SP site.
  1. Select the type of name identifier that you and your SP have agreed to use.
    Option Description
    Email Address This attribute is commonly used as a unique identifier for SSO and single logout (SLO). Make this selection, for example, if a user logs in using an email address or if the information is available for lookup in a local datastore.
    User Principal Name The username or other unique ID of the subject initiating the transaction. Make this selection, for example, if a username will be available from the current user session as part of a cookie or can be derived from a local datastore.
    Common Name This selection provides for anonymous SSO to your SP, generally using a hard-coded generalized sign on. Make this selection if your partner agreement involves a many-to-one use case, such as if the SP has a group account set up for all users in a particular domain.
  2. Click Next to save your changes.