Enabling Automatic User Provisioning for the Local Identity Store used by Service Providers

When you create a local identity store mapping for SAML users, a corresponding user account should exist in the local identity store for each identity provider user before that user attempts federated SSO. If the account does not exist, the service provider cannot map the SAML assertion to a local user and the mapping fails. To handle this identity mapping failure, Oracle Access Manager Identity Federation provides a plug-in that, when enabled, automatically provisions the missing identity in the local identity store during the federated SSO operation, so that the federated SSO can proceed.

Note: This task is optional. If you do not enable automatic user provisioning and a user does not exist in the local identity store (the LDAP server used by the service provider), authentication fails because the SAML assertion cannot be mapped to a local user. Enabling it means that any identity asserted by the identity provider that has no local account is created automatically, so enable it only for identity providers whose assertions you trust as the basis for creating local accounts.

To enable automatic user provisioning for the local identity store used by service providers:

  1. Navigate to <Oracle_Access_Manager_Middleware_Home>/common/bin and open the WebLogic Scripting Tool for your operating system:
    • If using Linux, run wlst.sh.
    • If using Windows, run wlst.cmd.
  2. Connect to the WebLogic Server administration server. Running connect() with no arguments prompts for the administrator user name, password, and server URL:

    connect()

  3. Navigate to the domain runtime branch by running the following:

    domainRuntime()

  4. Enable automatic user provisioning by setting the federation server property to true:

    putBooleanProperty("/fedserverconfig/userprovisioningenabled", "true")

  5. Exit the WebLogic Scripting Tool environment by running the following:

    exit()
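The five steps above collected into a single non-interactive WLST script, as an added example that is not part of the original page or of Oracle's product code. It uses the same WLST commands as the procedure, plus getBooleanProperty to read the setting back after the change (assumed to be available alongside putBooleanProperty); the script name, the WLST_PASSWORD environment variable, and the host and port in the usage comment are illustrative.

```jython
# Added example (not Oracle's code): enable automatic user provisioning for
# the local identity store in one WLST run and verify the result.
# Run from <Oracle_Access_Manager_Middleware_Home>/common/bin, for example:
#   ./wlst.sh enable_user_provisioning.py weblogic t3://adminhost:7001
# The admin password is read from the WLST_PASSWORD environment variable
# (an assumption of this example) so it does not appear in the shell history
# or in the process list.
import os
import sys

# Federation server property toggled by step 4 of the procedure.
PROPERTY_PATH = "/fedserverconfig/userprovisioningenabled"


def enable_user_provisioning(user, url, password):
    # Step 2: connect to the WLS admin server (the non-interactive form of connect()).
    connect(user, password, url)
    # Step 3: the federation server configuration lives under the domain runtime tree.
    domainRuntime()
    # Step 4: enable the provisioning plug-in.
    putBooleanProperty(PROPERTY_PATH, "true")
    # Verification: read the value back so the run fails loudly if the change
    # did not take. getBooleanProperty is assumed to exist next to putBooleanProperty.
    current = getBooleanProperty(PROPERTY_PATH)
    print("userprovisioningenabled is now: " + str(current))
    disconnect()
    return str(current).lower() == "true"


if len(sys.argv) != 3 or "WLST_PASSWORD" not in os.environ:
    print("usage: wlst.sh enable_user_provisioning.py <admin_user> <admin_url>")
    print("       (set the admin password in the WLST_PASSWORD environment variable)")
    exit(exitcode=2)

ok = enable_user_provisioning(sys.argv[1], sys.argv[2], os.environ["WLST_PASSWORD"])
# Step 5: leave WLST, with a non-zero exit code if verification failed.
exit(exitcode=0 if ok else 1)
```

The exit code makes the script usable from a deployment pipeline: a zero status means the property was written and read back as true, anything else means the change should be inspected by hand with the interactive steps above.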

Related Topics

Creating an Identity Store for Account Linking



Copyright © 1999, 2020

Last Published Thursday, December 10, 2020