To Enable Auto-creation
Before You Begin
You must configure the attribute mapper on the identity provider side to include an AttributeStatement from the user. The account mapper on the service provider side will perform user mapping based on the AttributeStatement.
-
Export the identity provider's current extended metadata configuration to a file.
saml2meta [-i staging-directory] export -u amadmin -w password -e IDP-entityID -x IDP-extended-XML-file-name
-
Edit the following attributes in the exported extended metadata configuration file.
-
autofedEnabled takes a value of true.
-
autofedAttribute defines the common attribute. For example, <Value>employeeNumber</Value>
-
attributeMap defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute-value=remote-provider-attribute. For example:
<Attribute name="attributeMap"> <Value>employeeNumber=employeeID</Value> </Attribute>
-
-
Remove the identity provider's current extended metadata configuration.
saml2meta [-i staging-directory] delete -u amadmin -w password -e IDP-entityID -c
-
Import the identity provider's modified extended metadata configuration file.
saml2meta [-i staging-directory] import -u amadmin -w password -x IDP-extended-XML-file-name
-
Restart the web container.
-
Repeat the above steps to modify the service provider's extended metadata.
-
Enable Dynamic Profile Creation using the Access Manager console.
-
Log in to the Access Manager console as the top-level administrator, by default, amadmin.
-
Under the Access Control tab, select the appropriate realm.
-
Select the Authentication tab.
-
Select Advanced Properties.
-
Set User Profile to Dynamic or Dynamic with User Alias and click Save.
-
Log out of Access Manager.
-
-
To test, invoke single sign-on from the service provider.
For more information, see the Sun Java System Access Manager 7 2005Q4 Administration Guide.
- © 2010, Oracle Corporation and/or its affiliates