If you are using the SAML 2.0 X.509 Attribute Sharing Profile (XASP), applications at your site must supply the subject distinguished name (DN) to identify a user's X.509 authentication certificate (see Attribute Query and XASP). Optionally, an application may also supply an issuer DN, which can be used to determine the correct IdP (Attribute Authority) to use for a set of users associated with an IdP.

Note:

The Format query parameter must be set to a specified value for XASP (see SP services).

You can map X.509 identifying information to connections and specify a default connection on the Service Provider > Attribute Requester Mapping screen. (Note that this screen is only presented if the XASP profile is enabled on the System > Protocol Settings > Roles & Protocols screen.)

At runtime, the issuer DN, if supplied, is evaluated against the entries under Issuer DN Pattern in hierarchical order until a match is found. If a match is found, the corresponding IdP connection is selected to issue a response to the attribute query request. If the issuer DN matches no entry or if it is not provided, the subject DN from the request is compared against the entries under Subject DN Pattern in a similar manner. If the subject DN matches no entry, then the default IdP connection is used.

You may use a regular expression to match different DNs to the same connection. Only one expression may be used in any single entry. DN values must be entered in all lower-case characters.

  1. Map one or more issuer DNs to SAML 2.0 IdP connections, as needed.
    1. Enter an issuer DN under Issuer DN Pattern.
    2. Select an IdP connection under IdP Connection Name.
    3. Click Add.
    4. Repeat these steps to add more entries.
  2. Map one or more subject DNs to SAML 2.0 IdP connections, as needed.
    1. Enter a subject DN under Subject DN Pattern.
    2. Select an IdP connection under IdP Connection Name.
    3. Click Add.
    4. Repeat these steps to add more entries.
  3. Select a default IdP connection from the list.

Use the Edit, Update, and Cancel workflow to make or undo a change to an entry. Use the Delete and Undelete workflow to remove an entry or cancel the removal request.
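The following is an added Python model of the runtime selection order described above (issuer DN table first, then subject DN table, then the default connection); it is not PingFederate's own code, and the mapping tables and connection names are constructed. It assumes that a pattern must match the whole DN and that request DNs are lower-cased before comparison, neither of which the page states.

```python
import re
from typing import List, Optional, Tuple

# Constructed mapping tables (hypothetical, not from a real installation).
# Each entry is (pattern, IdP connection name). Patterns are regular
# expressions, one per entry, written in lower case as the screen requires.
# List order is the hierarchical order on the screen: first match wins.
ISSUER_DN_PATTERNS: List[Tuple[str, str]] = [
    (r"cn=example corp issuing ca \d+,o=example corp,c=us", "ExampleCorp-IdP"),
    (r"cn=[^,]+,o=partner inc,c=us", "Partner-IdP"),
]
SUBJECT_DN_PATTERNS: List[Tuple[str, str]] = [
    (r"cn=[^,]+,ou=[^,]+,o=example corp,c=us", "ExampleCorp-IdP"),
    (r"uid=[^,]+,o=partner inc,c=us", "Partner-IdP"),
]
DEFAULT_IDP_CONNECTION = "Default-IdP"


def _first_match(dn: str, patterns: List[Tuple[str, str]]) -> Optional[str]:
    """Return the connection of the first pattern the whole DN matches, else None."""
    for pattern, connection in patterns:
        if re.fullmatch(pattern, dn):  # assumption: whole-DN match
            return connection
    return None


def select_idp_connection(subject_dn: str, issuer_dn: Optional[str] = None) -> Tuple[str, str]:
    """Pick the IdP connection that will answer an XASP attribute query.

    Returns (connection name, which table decided: "issuer", "subject" or
    "default") so the decision can be logged next to the query it served.
    Assumption: request DNs are lower-cased to line up with the lower-case
    mapping entries.
    """
    if issuer_dn:
        connection = _first_match(issuer_dn.lower(), ISSUER_DN_PATTERNS)
        if connection:
            return connection, "issuer"
    connection = _first_match(subject_dn.lower(), SUBJECT_DN_PATTERNS)
    if connection:
        return connection, "subject"
    return DEFAULT_IDP_CONNECTION, "default"


if __name__ == "__main__":
    # Constructed request: issuer matches the first issuer entry.
    print(select_idp_connection(
        "CN=Alice,OU=Engineering,O=Example Corp,C=US",
        "CN=Example Corp Issuing CA 3,O=Example Corp,C=US"))
```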