This interaction uses auto-federation with the transient name identifier. There is a one-to-one mapping between user accounts configured with the identity provider and the service provider, based on the value of one attribute. The following procedure describes how to configure single sign-on without writing to the user's data store entry.

1. Export the identity provider's current extended metadata configuration to a file.

   saml2meta [-i staging-directory] export -u amadmin -w password -e IDP-entityID -x IDP-extended-XML-file-name

2. Edit the following attributes in the exported extended metadata configuration file.

   - autofedEnabled takes a value of true.
   - autofedAttribute defines the common attribute on the identity provider side. For example, mail.
   - attributeMap defines the mapping between the identity provider's attribute and the remote provider's attribute. It takes a value of autofedAttribute-value=remote-provider-attribute. For example:

     <Attribute name="attributeMap"> <Value>mail=mail</Value> </Attribute>

3. Remove the identity provider's current extended metadata configuration.

   saml2meta [-i staging-directory] delete -u amadmin -w password -e IDP-entityID -c

4. Import the identity provider's modified extended metadata configuration file.

   saml2meta [-i staging-directory] import -u amadmin -w password -x IDP-extended-XML-file-name

5. Restart the web container.

6. Export the service provider's current extended metadata configuration to a file.

   saml2meta [-i staging-directory] export -u amadmin -w password -e SP-entityID -x SP-extended-XML-file-name

7. Edit the following attributes in the exported extended metadata configuration file.

   - transientUser takes a null value.
   - autofedEnabled takes a value of true.
   - autofedAttribute defines the common attribute. For example, mail.
   - attributeMap defines the mapping between the provider that this metadata is configuring and the remote provider. It takes a value of autofedAttribute-value=remote-provider-attribute. For example:

     <Attribute name="attributeMap"> <Value>mail=mail</Value> </Attribute>

8. Remove the service provider's current extended metadata configuration.

   saml2meta [-i staging-directory] delete -u amadmin -w password -e SP-entityID -c

9. Import the service provider's modified extended metadata configuration file.

   saml2meta [-i staging-directory] import -u amadmin -w password -x SP-extended-XML-file-name

10. Restart the web container.

To test, invoke the single sign-on URL with the NameIDFormat=transient query parameter appended to it. All identity provider users are mapped to the corresponding user on the service provider side based on the mail attribute, but the auto-federation attributes are not written to the user entry.
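As an added example that is not part of the original documentation, the following Python helper applies the identity provider and service provider attribute edits from this procedure to an exported extended metadata file and reads the attributes back so the file can be checked before it is imported. The namespace urn:sun:fm:SAML:2.0:entityconfig, the element names IDPSSOConfig/SPSSOConfig, and the sample export are assumptions; confirm them against your own saml2meta export.

```python
import xml.etree.ElementTree as ET
NS = "urn:sun:fm:SAML:2.0:entityconfig"  # assumed namespace; check it against your export
ET.register_namespace("", NS)

# Attribute values this procedure sets, per role block (transientUser is nulled on the SP).
SETTINGS = {
    "IDPSSOConfig": {"autofedEnabled": "true", "autofedAttribute": "mail", "attributeMap": "mail=mail"},
    "SPSSOConfig": {"transientUser": "", "autofedEnabled": "true",
                    "autofedAttribute": "mail", "attributeMap": "mail=mail"},
}

def set_attribute(config, name, value):
    """Set <Attribute name=NAME><Value>VALUE</Value></Attribute>, creating it if absent."""
    attr = config.find(f"{{{NS}}}Attribute[@name='{name}']")
    if attr is None:
        attr = ET.SubElement(config, f"{{{NS}}}Attribute", name=name)
    del attr[:]  # drop any existing <Value> children
    ET.SubElement(attr, f"{{{NS}}}Value").text = value

def configure_autofed(xml_text):
    """Apply the transient auto-federation settings to every IDP/SP role block found."""
    root = ET.fromstring(xml_text)
    touched = 0
    for role, values in SETTINGS.items():
        for config in root.iter(f"{{{NS}}}{role}"):
            for name, value in values.items():
                set_attribute(config, name, value)
            touched += 1
    if touched == 0:
        raise ValueError("no IDPSSOConfig or SPSSOConfig block in this file")
    return ET.tostring(root, encoding="unicode")

def read_attributes(xml_text, role):
    """Return {name: value} for one role block; use it to check the file before import."""
    config = ET.fromstring(xml_text).find(f".//{{{NS}}}{role}")
    if config is None:
        raise ValueError(f"no {role} block in this file")
    result = {}
    for attr in config.findall(f"{{{NS}}}Attribute"):
        value = attr.find(f"{{{NS}}}Value")
        result[attr.get("name")] = (value.text or "") if value is not None else ""
    return result

# Constructed sample of an SP export before editing (not a real deployment's metadata).
SAMPLE_SP = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig" hosted="1" entityID="https://sp.example.test">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="autofedEnabled"><Value>false</Value></Attribute>
    <Attribute name="transientUser"><Value>anonymous</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""
```

Running read_attributes on the edited text lets you confirm that transientUser is empty and attributeMap starts with the autofedAttribute value before the saml2meta import step.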