Modifying The User Identification Method - Novell ACCESS MANAGER 3.1 SP1 - IDENTITY SERVER Manual


2 (Conditional) To create an attribute set, select New Attribute Set from the Attribute Set drop-down menu.
An attribute set is a group of attributes that can be exchanged with the trusted provider. For
example, you can specify that the local attribute of any attribute in the Liberty profile (such as
Informal Name) matches the remote attribute specified at the service provider.
2a Specify a set name, then click Next.
2b On the Define Attributes page, click New.
2c Select a local attribute.
2d Specify the name of the remote attribute.
2e For the namespace, select http://schemas.xmlsoap.org/claims.
2f Click OK.
2g To add other attributes to the set, repeat Step 2b through Step 2e.
2h Click Finish.
3 Select an attribute set.
4 Select attributes from the Available list, and move them to the left side of the page.
5 (Conditional) If you created a new attribute set, it must be enabled for STS.
For more information, see "Enabling the Attribute Set" on page 190.
6 Click OK, then update the Identity Server.

7.3.3 Modifying the User Identification Method

1 In the Administration Console, click Devices > Identity Servers > Edit > WS Federation >
[Identity Provider] > User Identification.
2 Select the contract that can be used for authentication. Fill in the following field:
Satisfies contract: Specifies the contract that is satisfied by the assertion received from the
identity provider. WS Federation expects the URI name of the contract to look like a URL, and
thus rejects all default Access Manager contracts. You must create a contract with a URI that
conforms to WS Federation requirements.
3 Specify whether the user can associate (federate) an account at the identity provider (the ADFS
server) with an account at Identity Server. Fill in the following field:
Allow federation: Indicates whether account federation is allowed. Enabling this option
assumes that a user account exists at the provider or that a method is provided to create an
account that can be associated with the user on subsequent logins. If you do not use this feature,
authentication is permitted but is not associated with a particular user account.
4 Select one of the following methods for user identification:
Do nothing: Allows the user to authenticate without creating an association with a user account. This option cannot be used when federation is enabled.
Authenticate: Allows the user to authenticate using a local account.
Allow 'Provisioning': Provides a button that the user can click to create an account when the authentication credentials do not match an existing account.
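The two constraints in this procedure (a contract URI that looks like a URL, and no "Do nothing" when federation is enabled) can be checked before the settings are entered in the Administration Console. The following Python sketch is an added example, not part of the Novell manual or product. The function names are hypothetical, the sample values are constructed, and the reading of "look like a URL" as an absolute http/https URI with a host is an assumption.

```python
from urllib.parse import urlsplit

# Method names as listed in step 4 of the manual.
METHODS = ("Do nothing", "Authenticate")


def contract_uri_problems(uri):
    """Reasons a contract URI would not read as a URL.

    Assumed rule (the manual only says "look like a URL"): an absolute
    http/https URI with a host and no whitespace.
    """
    if any(ch.isspace() for ch in uri):
        return ["contains whitespace"]
    try:
        parts = urlsplit(uri)
        host = parts.hostname
    except ValueError:  # e.g. a malformed bracketed host
        return ["cannot be parsed as a URI"]
    problems = []
    if parts.scheme.lower() not in ("http", "https"):
        problems.append("scheme is not http or https")
    if not host:
        problems.append("no host component")
    return problems


def check_user_identification(contract_uri, allow_federation, method):
    """Return a list of findings; an empty list means no conflict found."""
    findings = ["Satisfies contract: " + p
                for p in contract_uri_problems(contract_uri)]
    if method not in METHODS:
        findings.append("unknown user identification method: %r" % method)
    elif method == "Do nothing" and allow_federation:
        findings.append("'Do nothing' cannot be used when Allow federation "
                        "is enabled")
    return findings


if __name__ == "__main__":
    # Constructed sample settings, not values from a real deployment.
    samples = [
        ("name/password/uri", True, "Do nothing"),
        ("https://idp.example.com/wsfed/contract", True, "Authenticate"),
    ]
    for uri, federate, method in samples:
        print(uri, "->", check_user_identification(uri, federate, method) or "ok")
```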
