Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Procedure: To Enable Auto-Federation

Before You Begin

You must configure the attribute mapper on the identity provider side to include the common attribute as part of the AttributeStatement. You must also configure the attribute mapper on the service provider side to use the common attribute to find the user.


Note –

You can also configure the account mapper on the service provider side to map all users to a single user (such as anonymous).


  1. Export the identity provider's current extended metadata configuration to a file.

    saml2meta [-i staging-directory] export -u amadmin -w password -e IDP-entityID -x IDP-extended-XML-file-name

  2. Edit the following attributes in the exported extended metadata configuration file.

    • autofedEnabled takes a value of true.

    • autofedAttribute defines the common attribute. For example, <Value>employeeNumber</Value>

    • attributeMap defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute-value=remote-provider-attribute. For example:

      <Attribute name="attributeMap">
          <Value>employeeNumber=employeeNumber</Value>
      </Attribute>

  3. Remove the identity provider's current extended metadata configuration.

    saml2meta [-i staging-directory] delete -u amadmin -w password -e IDP-entityID -c

  4. Import the identity provider's modified extended metadata configuration file.

    saml2meta [-i staging-directory] import -u amadmin -w password -x IDP-extended-XML-file-name

  5. Restart the web container.

  6. Repeat the above steps to modify the service provider's extended metadata.

  7. To test, invoke single sign-on from the service provider.

    After the accounts are auto-federated, two SAML v2 attributes and their corresponding values are written to the user's data store entry.
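The edits of step 2, as an added example that is not part of the plug-in or its saml2meta tool: a small Python script that sets the three auto-federation attributes in an exported extended metadata file and reads them back, so the identity provider and service provider files can be compared before import. It assumes only the Attribute/Value layout shown above; the sample document is constructed and omits the real namespace.

```python
"""Apply step 2 to an exported extended metadata file: set autofedEnabled,
autofedAttribute and attributeMap.  Added example, not part of the plug-in;
it relies only on the <Attribute name=".."><Value>..</Value></Attribute> layout."""
import xml.etree.ElementTree as ET

SAMPLE_IDP_EXTENDED = """<EntityConfig entityID="idp.example.com">
  <IDPSSOConfig>
    <Attribute name="autofedEnabled"><Value>false</Value></Attribute>
    <Attribute name="autofedAttribute"><Value/></Attribute>
    <Attribute name="attributeMap"><Value>uid=uid</Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>"""  # constructed sample; a real export carries the Sun namespace

def _local(tag):  # strip any {namespace} prefix so the real export also works
    return tag.rsplit("}", 1)[-1]

def _find_attribute(root, name):  # first <Attribute name=...> anywhere in the file
    for el in root.iter():
        if _local(el.tag) == "Attribute" and el.get("name") == name:
            return el
    return None

def _set_value(attr, value):  # replace, never append, so only one <Value> remains
    ns = attr.tag[: attr.tag.index("}") + 1] if "}" in attr.tag else ""
    for old in [c for c in attr if _local(c.tag) == "Value"]:
        attr.remove(old)
    ET.SubElement(attr, ns + "Value").text = value

def enable_autofed(xml_text, common_attr, remote_attr=None):
    """Return the modified XML; remote_attr defaults to the same name on both sides."""
    remote_attr = remote_attr or common_attr
    root = ET.fromstring(xml_text)
    wanted = {"autofedEnabled": "true", "autofedAttribute": common_attr,
              "attributeMap": f"{common_attr}={remote_attr}"}
    for name, value in wanted.items():
        attr = _find_attribute(root, name)
        if attr is None:  # fail loudly rather than import a file that silently lacks it
            raise ValueError(f"missing <Attribute name={name!r}> in extended metadata")
        _set_value(attr, value)
    return ET.tostring(root, encoding="unicode")

def autofed_values(xml_text):
    """Current value of each auto-federation attribute ('' when absent or empty)."""
    root = ET.fromstring(xml_text)
    found = {n: _find_attribute(root, n) for n in ("autofedEnabled", "autofedAttribute", "attributeMap")}
    return {n: next(((v.text or "") for v in a if _local(v.tag) == "Value"), "") if a is not None else ""
            for n, a in found.items()}
```

Run autofed_values over both the IDP and the SP file after editing: autofedEnabled must be true on both and autofedAttribute must name the same common attribute, or the service provider cannot locate the user.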