Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Auto-creation of User Accounts

Auto-creation of user accounts can be enabled on the service provider side. An account is created on the service provider when none exists that corresponds to the identity provider user account requesting access. This might be necessary, for example, when a new service provider has joined an existing circle of trust.


Note – Auto-creation is supported only when the service provider is running on an instance of Access Manager, as it extends that product's Dynamic Profile Creation functionality.


Procedure: To Enable Auto-creation

Before You Begin

You must configure the attribute mapper on the identity provider side to include an AttributeStatement from the user. The account mapper on the service provider side will perform user mapping based on the AttributeStatement.

  1. Export the identity provider's current extended metadata configuration to a file.

    saml2meta [-i staging-directory] export -u amadmin -w password -e IDP-entityID -x IDP-extended-XML-file-name

  2. Edit the following attributes in the exported extended metadata configuration file.

    • autofedEnabled takes a value of true.

    • autofedAttribute defines the common attribute. For example, <Value>employeeNumber</Value>

    • attributeMap defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute-value=remote-provider-attribute. For example:

      <Attribute name="attributeMap">
        <Value>employeeNumber=employeeID</Value>
      </Attribute>

  3. Remove the identity provider's current extended metadata configuration.

    saml2meta [-i staging-directory] delete -u amadmin -w password -e IDP-entityID -c

  4. Import the identity provider's modified extended metadata configuration file.

    saml2meta [-i staging-directory] import -u amadmin -w password -x IDP-extended-XML-file-name

  5. Restart the web container.

  6. Repeat the above steps to modify the service provider's extended metadata.

  7. Enable Dynamic Profile Creation using the Access Manager console.

    1. Log in to the Access Manager console as the top-level administrator, by default, amadmin.

    2. Under the Access Control tab, select the appropriate realm.

    3. Select the Authentication tab.

    4. Select Advanced Properties.

    5. Set User Profile to Dynamic or Dynamic with User Alias and click Save.

    6. Log out of Access Manager.

  8. To test, invoke single sign-on from the service provider.

    For more information, see the Sun Java System Access Manager 7 2005Q4 Administration Guide.
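The following script is an added example, not part of this guide or of the SAML v2 Plug-in; it shows the edit in step 2 (autofedEnabled, autofedAttribute and attributeMap) applied to an exported extended metadata file and checked for consistency before the file is imported in step 4. It assumes the extended metadata uses the urn:sun:fm:SAML:2.0:entityconfig namespace with <Attribute name="..."><Value>...</Value></Attribute> children under IDPSSOConfig or SPSSOConfig; the sample file, the entity ID and the attribute names are constructed. The check function flags the mistakes that silently break auto-federation: autofedEnabled left at false, an empty autofedAttribute, and an attributeMap whose left-hand side does not name the autofedAttribute. Because it handles both IDPSSOConfig and SPSSOConfig, the same script serves the service provider pass in step 6.

```python
"""Set and validate auto-federation attributes in exported SAML v2 plug-in
extended metadata (added example; structure and namespace are assumptions)."""
import xml.etree.ElementTree as ET

# Assumed namespace of the extended metadata files produced by saml2meta export.
NS = "urn:sun:fm:SAML:2.0:entityconfig"
ET.register_namespace("", NS)  # keep the default namespace on output

# Constructed sample of an identity provider's exported extended metadata.
SAMPLE_EXTENDED_METADATA = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    entityID="http://idp.example.com" hosted="1">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="autofedEnabled"><Value>false</Value></Attribute>
    <Attribute name="autofedAttribute"><Value></Value></Attribute>
    <Attribute name="attributeMap"><Value></Value></Attribute>
  </IDPSSOConfig>
</EntityConfig>
"""

CONFIG_TAGS = ("IDPSSOConfig", "SPSSOConfig")


def _attribute_values(config, name):
    """Return (Attribute element, list of its Value elements) or (None, [])."""
    for attr in config.findall(f"{{{NS}}}Attribute"):
        if attr.get("name") == name:
            return attr, attr.findall(f"{{{NS}}}Value")
    return None, []


def set_attribute(config, name, values):
    """Replace the values of a named attribute, creating it if missing."""
    attr, old = _attribute_values(config, name)
    if attr is None:
        attr = ET.SubElement(config, f"{{{NS}}}Attribute", name=name)
    for v in old:
        attr.remove(v)
    for v in values:
        ET.SubElement(attr, f"{{{NS}}}Value").text = v
    return attr


def enable_autofed(xml_text, common_attribute, remote_attribute):
    """Apply step 2 of the procedure to every SSO config in the file."""
    root = ET.fromstring(xml_text)
    for tag in CONFIG_TAGS:
        config = root.find(f"{{{NS}}}{tag}")
        if config is not None:
            set_attribute(config, "autofedEnabled", ["true"])
            set_attribute(config, "autofedAttribute", [common_attribute])
            set_attribute(config, "attributeMap",
                          [f"{common_attribute}={remote_attribute}"])
    return ET.tostring(root, encoding="unicode")


def check_autofed(xml_text):
    """Return a list of problems; an empty list means the file is consistent."""
    root = ET.fromstring(xml_text)
    problems = []
    for tag in CONFIG_TAGS:
        config = root.find(f"{{{NS}}}{tag}")
        if config is None:
            continue
        _, enabled = _attribute_values(config, "autofedEnabled")
        _, common = _attribute_values(config, "autofedAttribute")
        _, amap = _attribute_values(config, "attributeMap")
        if not enabled or (enabled[0].text or "").strip().lower() != "true":
            problems.append(f"{tag}: autofedEnabled is not true")
        common_name = (common[0].text or "").strip() if common else ""
        if not common_name:
            problems.append(f"{tag}: autofedAttribute is empty")
        # Non-empty attributeMap entries must be local=remote and cover the common attribute.
        entries = [t for t in ((v.text or "").strip() for v in amap) if t]
        for entry in entries:
            if "=" not in entry:
                problems.append(f"{tag}: attributeMap entry {entry!r} is not local=remote")
        keys = [e.split("=", 1)[0].strip() for e in entries]
        if common_name and common_name not in keys:
            problems.append(f"{tag}: attributeMap has no entry for {common_name}")
    return problems


if __name__ == "__main__":
    print(check_autofed(SAMPLE_EXTENDED_METADATA))
    updated = enable_autofed(SAMPLE_EXTENDED_METADATA, "employeeNumber", "employeeID")
    print(check_autofed(updated))
    print(updated)
```

Run check_autofed on the file exported in step 1 to see what is missing, enable_autofed to produce the file you import in step 4, and check_autofed again on the result; repeat on the service provider's export in step 6, where the left-hand attribute name must be the same common attribute.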