How to do user matching with SAML at Identity Server when incoming assertion has no AttributeStatement

  • 7016496
  • 13-May-2015
  • 13-May-2015

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Manager 4.1
NetIQ Access Manager Identity Server acting as a SAML 2 SP
NetIQ Access Manager Identity Server consuming assertions from 3rd party IDP servers

Situation

NAM Identity Server is set up in a SAML 2 trust environment as the SP. When consuming the assertion from the remote SAML Identity Server, the administrator wants to do User Matching so that an identity in the local user store can be found. Looking at the user matching configuration and documentation, it is clear that user matching only works when the remote IDP server sends the information as part of the AttributeStatement. In this case there was no AttributeStatement in the assertion; instead, the Subject NameIdentifier carried the user information (an email address) that the administrator wanted to match on.

Resolution

Define an attribute set with a user mapping between the LDAP mail attribute and the NAMEID keyword. This takes the incoming Subject NameIdentifier value and maps it to the LDAP mail attribute, so that user matching on the LDAP mail attribute retrieves the right entry even though no AttributeStatement is present. The NAMEID string must be in upper case.
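The following is an added illustration of the mapping described above, written for this page; it is not NetIQ Access Manager code and does not show how the Identity Server implements attribute sets internally. It parses a constructed SAML 2.0 assertion that has a Subject NameID but no AttributeStatement, applies an attribute-set mapping in which the literal keyword NAMEID (upper case, as the article requires) pulls the value from the Subject instead of from the AttributeStatement, and builds the LDAP user-matching filter. The function names, the sample assertion and the mapping dictionary are assumptions made for the example. Because the NameID is supplied by the remote IDP, the value is RFC 4515 escaped before it is placed in the filter; in a real deployment the assertion's signature would also be verified before any of this runs.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion: Subject/NameID present, no AttributeStatement.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example-assertion" Version="2.0" IssueInstant="2015-05-13T00:00:00Z">
  <saml:Issuer>https://idp.example.com/idp</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">jdoe@example.com</saml:NameID>
  </saml:Subject>
  <saml:AuthnStatement AuthnInstant="2015-05-13T00:00:00Z"/>
</saml:Assertion>"""

# The keyword that selects the Subject NameID in a mapping; it must be upper case.
NAMEID_KEYWORD = "NAMEID"


def extract_attributes(assertion_xml):
    """Return (attributes, nameid): attributes is a dict of Attribute Name ->
    list of values taken from the AttributeStatement (empty when the assertion
    has none); nameid is the Subject NameID text, or None if absent."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        values = [v.text or "" for v in attr.findall("saml:AttributeValue", NS)]
        attrs[attr.get("Name")] = values
    nameid = root.find("saml:Subject/saml:NameID", NS)
    nameid_value = nameid.text.strip() if nameid is not None and nameid.text else None
    return attrs, nameid_value


def apply_attribute_set(attrs, nameid_value, mapping):
    """mapping maps a local LDAP attribute to either a remote Attribute Name or
    the NAMEID keyword. Only the exact upper-case keyword selects the NameID;
    a lower-case 'nameid' is treated as an ordinary (absent) attribute name."""
    local = {}
    for ldap_attr, remote in mapping.items():
        if remote == NAMEID_KEYWORD:
            if nameid_value:
                local[ldap_attr] = nameid_value
        elif attrs.get(remote):
            local[ldap_attr] = attrs[remote][0]
    return local


def ldap_escape(value):
    """RFC 4515 escaping for filter values; the NameID is remote-controlled
    input, so it is never spliced into a filter unescaped."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value)


def user_match_filter(local_attrs, match_attr="mail"):
    """Build the LDAP search filter used to find the local user, or None when
    the attribute set produced no value for the matching attribute."""
    value = local_attrs.get(match_attr)
    if value is None:
        return None
    return "(%s=%s)" % (match_attr, ldap_escape(value))


if __name__ == "__main__":
    attrs, nameid = extract_attributes(SAMPLE_ASSERTION)
    mapped = apply_attribute_set(attrs, nameid, {"mail": NAMEID_KEYWORD})
    print("AttributeStatement attributes:", attrs)
    print("Mapped local attributes:", mapped)
    print("User match filter:", user_match_filter(mapped))
```

Running the block prints an empty attribute dictionary, the mapped `mail` value taken from the NameID, and the filter `(mail=jdoe@example.com)`; changing the mapping keyword to lower-case `nameid` yields no mapped value and no filter, which is the failure mode the last sentence of the resolution warns about.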