Novell ACCESS MANAGER 3.1 SP2 - IDENTITY SERVER GUIDE 2010 Manual page 177

Identity server guide

For example, if the service provider user store uses the email attribute to identify users, the identity
provider should be configured to send the email attribute. The service provider would use this
attribute in a user matching expression to find the user in the user store. If a match is found, the user
is granted access. If the user is not found, that attribute can be used to create an account for the user.
The assertion must contain all the attributes that the user store requires to create an account.
To create a user matching expression:
1 In the Administration Console, click Devices > Identity Servers > Shared Settings > User
Matching Expressions.
2 Click New, or click the name of an existing user matching expression.
3 Specify a name for the user lookup expression.
4 Click the Add Attributes icon (plus sign), then select attributes to add to the logic group. (Use
the Shift key to select several attributes.)
5 Click OK.
6 To add logic groups, click New Logic Group.
The Type drop-down (AND or OR) applies only between groups. Attributes within a group are
always combined with the opposite operator from the Type selection. For example, if the Type
value is AND, the attributes within a group are evaluated with OR.
7 Click the Add Attributes icon (plus sign) to add attributes to the next logic group, then click
OK.
8 Click Finish.
9 (Conditional) If you selected attributes from the Custom, Employee, or Personal profile, you
need to enable the profile so that the attribute can be shared:
9a Click Servers > Edit > Liberty > Web Service Provider.
9b Select the profiles that need to be enabled, then click Enable.
9c Click OK, then update the Identity Server.
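The evaluation rules from steps 6 and 7, and the match-or-create behavior described at the top of this page, modelled as an added example (illustrative code written for this page, not Novell code and not how Access Manager implements it): the Type operator combines logic groups, attributes inside a group use the opposite operator, and an unmatched assertion can provision an account only if it carries every attribute the user store requires. The attribute names, user entries and the rule that an ambiguous match (more than one user) is treated as no match are assumptions.

```python
from typing import Dict, List, Optional, Tuple

Attrs = Dict[str, str]

def group_matches(group: List[str], assertion: Attrs, user: Attrs, within_op: str) -> bool:
    """One logic group: compare each attribute in the assertion with the
    user-store entry, then combine with the operator used inside the group."""
    checks = [attr in assertion and assertion[attr] == user.get(attr) for attr in group]
    return all(checks) if within_op == "AND" else any(checks)

def expression_matches(groups: List[List[str]], type_op: str, assertion: Attrs, user: Attrs) -> bool:
    """Type (AND/OR) applies between groups; attributes within a group use the opposite."""
    within_op = "OR" if type_op == "AND" else "AND"
    results = [group_matches(g, assertion, user, within_op) for g in groups]
    return all(results) if type_op == "AND" else any(results)

def find_user(groups, type_op, assertion: Attrs, user_store: List[Attrs]) -> Optional[Attrs]:
    """Return the single user-store entry the expression selects.
    Assumption (not stated in the guide): an expression that selects more
    than one entry is treated as no match rather than granting access."""
    hits = [u for u in user_store if expression_matches(groups, type_op, assertion, u)]
    return hits[0] if len(hits) == 1 else None

def resolve(groups, type_op, assertion: Attrs, user_store, required_attrs) -> Tuple[str, object]:
    """Outcome for one incoming assertion: grant on a match; otherwise create
    an account only if the assertion has every attribute the store requires."""
    user = find_user(groups, type_op, assertion, user_store)
    if user is not None:
        return ("granted", user["uid"])
    missing = [a for a in required_attrs if a not in assertion]
    if missing:
        return ("rejected", missing)
    return ("provision", {a: assertion[a] for a in required_attrs})

# Constructed sample data (hypothetical users and attribute names).
USER_STORE = [
    {"uid": "asmith", "mail": "alice@example.com", "givenName": "Alice", "sn": "Smith"},
    {"uid": "bjones", "mail": "bob@example.com", "givenName": "Bob", "sn": "Jones"},
]
# Type = OR between the groups, so attributes inside each group are ANDed:
# match on mail, or on (givenName AND sn).
GROUPS = [["mail"], ["givenName", "sn"]]
REQUIRED = ["mail", "givenName", "sn"]  # attributes the store needs to create an account

if __name__ == "__main__":
    print(resolve(GROUPS, "OR", {"mail": "alice@example.com"}, USER_STORE, REQUIRED))
    print(resolve(GROUPS, "OR", {"givenName": "Carol", "sn": "King"}, USER_STORE, REQUIRED))
```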
Defining Shared Settings 177