When federating with SAML 1.1, the security of a user matching method depends upon the accuracy of the mapping. You need to select an attribute or attributes that uniquely identify the user at both Site A and Site B. The attributes must identify only one user at Site A and match only one user at Site B. If the attributes match multiple users, you have a security problem,
The following steps use the e-mail address of the user and the LDAP mail attribute to set up a matching rule that matches one user account at Site A with one user account at Site B. To securely use such a matching rule, you need to have a rule in place at both Site A and Site B to ensure that all users have unique e-mail addresses.
In Administration Console of Site B, click Devices > Identity Servers > Servers > Edit > SAML 1.1 > [Identity Provider] > User Identification.
For the Satisfies contract option, select the contract that you want to use for single sign-on.
For this example, select Secure Name/Password-Form.
Select Attribute matching.
The Prompt for password on successful match option is automatically selected. Leave this option enabled.
Click the Define Attribute Matching Settings icon.
Move the user store that you want to search for the attribute to the User stores list.
For the User Matching Expression, select New User Matching Expression.
Specify a name for the matching expression, such as email.
In Logic Group 1, click the Add Attributes icon, select Ldap Attribute:mail [LDAP Attribute Profile], then click OK.
The form allows you to create a very complex set of matching rules, with multiple conditions. This example uses one attribute, the simplest form of a matching expression.
Click Finish, then select your matching expression for the User Matching Expression.
Click OK.
Click OK > OK, then update Identity Server.
Continue with Configuring the Attribute for Sharing.
In Administration Console of the Site B (the service provider), click Devices > Identity Servers > Shared Settings.
Click Attribute Sets, then click New.
Specify a Set Name, such as email, then click Next.
Click New, then fill the Add Attribute Mapping options:
Local attribute: Select Ldap Attribute:mail [LDAP Attribute Profile].
Remote attribute: Specify a name, such as email. Ensure that you use the same remote name in the mapping for both Site B and Site A.
Leave the other options set to their default values.
Click OK, then click Finish.
Your newly created attribute mapping appears in the list of Attribute Sets.
Repeat step1 through step 5 for Site A (the identity provider).
If Site A and Site B are imported into the same Administration Console, skip this step.
Continue with Configuring the Providers to Use the Shared Attribute.
You need to configure Site A to send the shared attribute with the authentication credentials, and you need to configure Site B to process the shared attribute that is included with the authentication credentials.
In Administration Console for Site B, click Devices > Identity Servers > Edit > SAML 1.1 > [Name of Identity Provider] > Attributes.
For the Attribute set, select the set name you created in Configuring the Attribute for Sharing.
Move the email attribute so that it is obtained at authentication.
Click OK > OK, then update Identity Server.
In Administration Console for Site A, click Devices > Identity Servers > Edit > SAML 1.1 > [Name of Service Provider] > Attributes.
For the Attribute set, select the set name you created in Configuring the Attribute for Sharing.
Move the email attribute so that it is sent with authentication.
Click OK twice, then update Identity Server.
Continue with Configuring the Default Contract for Single Sign-On