Managing attribute requester mappings - PingFederate - 10.3


If you are using the SAML 2.0 X.509 attribute sharing profile (XASP), applications at your site must supply the subject distinguished name (DN) to identify a user's X.509 authentication certificate.

Optionally, an application can also supply an issuer DN, which can be used to determine the correct identity provider (IdP) attribute authority to use for a set of users associated with an IdP. For more information, see Attribute Query and XASP.

Note:

You must set the Format query parameter to a specified value for XASP. For more information, see SP services.

You can map X.509 identifying information to connections and specify a default connection on the System > Protocol Metadata > Attribute Requester Mapping window.

At runtime, the issuer DN, if supplied, is evaluated against the entries under Issuer DN Pattern in hierarchical order until a match is found. If a match is found, the corresponding IdP connection is selected to issue a response to the attribute query request. If the issuer DN matches no entry or if it is not provided, the subject DN from the request is compared against the entries under Subject DN Pattern in a similar manner. If the subject DN matches no entry, then the default IdP connection is used.

You can use a regular expression to match different DNs to the same connection. Only one expression can be used in any single entry. DN values must be entered in all lower-case characters.
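The runtime selection order described above (issuer DN patterns first, then subject DN patterns, then the default connection), as an added illustration that is not PingFederate code; the mapping tables, pattern strings and connection names are constructed for this example and do not reflect the product's configuration format:

```python
import re
from typing import List, Optional, Tuple

# Constructed example tables, evaluated top-down like the entries on the
# Attribute Requester Mapping window. Patterns are written in lower case,
# one regular expression per entry, as the page requires.
ISSUER_DN_PATTERNS: List[Tuple[str, str]] = [
    (r"cn=corp issuing ca,o=example corp,c=us", "Example-Corp-IdP"),
    (r"cn=.*,o=partner ltd,c=gb", "Partner-Ltd-IdP"),
]
SUBJECT_DN_PATTERNS: List[Tuple[str, str]] = [
    (r"cn=.*,ou=contractors,o=example corp,c=us", "Contractor-IdP"),
    (r".*,o=example corp,c=us", "Example-Corp-IdP"),
]
DEFAULT_IDP_CONNECTION = "Default-IdP"


def _first_match(dn: Optional[str], patterns: List[Tuple[str, str]]) -> Optional[str]:
    """Return the connection of the first entry whose pattern matches the whole DN.

    Returns None when no DN was supplied or no entry matches. The DN is
    lower-cased before comparison because entries must be entered in lower case.
    """
    if not dn:
        return None
    dn = dn.lower()
    for pattern, connection in patterns:
        if re.fullmatch(pattern, dn):
            return connection
    return None


def select_idp_connection(subject_dn: str, issuer_dn: Optional[str] = None) -> str:
    """Resolve the IdP connection for an XASP attribute query.

    1. If an issuer DN was supplied, try the Issuer DN Pattern entries in order.
    2. Otherwise, or if none matched, try the Subject DN Pattern entries in order.
    3. If nothing matched, fall back to the default IdP connection.
    """
    return (
        _first_match(issuer_dn, ISSUER_DN_PATTERNS)
        or _first_match(subject_dn, SUBJECT_DN_PATTERNS)
        or DEFAULT_IDP_CONNECTION
    )
```

Because entries are tried in order, a broad pattern placed above a narrower one shadows it; the example keeps the contractor entry above the catch-all for that reason.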

  1. Map one or more issuer DNs to SAML 2.0 IdP connections, as needed.
    1. Enter an issuer DN under Issuer DN Pattern.
    2. Select an IdP connection under IdP Connection Name.
    3. Click Add.
    4. Repeat these steps to add more entries.
  2. Map one or more subject DNs to SAML 2.0 IdP connections, as needed.
    1. Enter a subject DN under Subject DN Pattern.
    2. Select an IdP connection under IdP Connection Name.
    3. Click Add.
    4. Repeat these steps to add more entries.
  3. Select a default IdP connection from the list.

You can click Edit, Update, and Cancel to make or undo a change to an entry. Click Delete and Undelete to remove an entry or cancel the removal request.