How to do user matching with SAML at Identity Server when incoming assertion has no AttributeStatement

  • 7016496
  • 13-May-2015
  • 13-May-2015

Environment

NetIQ Access Manager 3.2
NetIQ Access Manager 4.0
NetIQ Access Manager 4.1
NetIQ Access Manager Identity Server acting as a SAML 2 SP
NetIQ Access Manager Identity Server consuming assertions from 3rd party IDP servers

Situation

NAM Identity Server setup in a SAML2 trust environment as the SP. When consuming the assertion from the remote SAML Identity Server, the administrator wants to do User Matching so that an identity in local user store can be found. Looking at the user matching configuration and documentation, it is clear that the user matching will only work when the remote IDP server sends the information as part of the AttributeStatement. In this case, there was no AttributeStatement in the assertion, and the Subnet NameIdentifier included the user info (email address) that the admin wanted to map off.

Resolution

Define an attribute set with a user mapping between the LDAP email attribute and the NAMEID keyword. This will take the incoming NameIdentifier value, and map it to the LDAP email attribute so that user matching using the LDAP mail attribute will retrieve the right information. This NAMEID string must be in upper case.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.