Modifying The Authentication Response - Novell ACCESS MANAGER 3.1 SP2 - IDENTITY SERVER GUIDE 2010 Manual


2 (Conditional) To create an attribute set, select New Attribute Set from the Attribute Set drop-down menu.
An attribute set is a group of attributes that can be exchanged with the trusted provider. For example, you can specify that the local attribute of any attribute in the Liberty profile (such as Informal Name) matches the remote attribute specified at the service provider.
2a Specify a set name, then click Next.
2b On the Define Attributes page, click New.
2c Select a local attribute.
2d Specify the name of the remote attribute.
2e For the namespace, specify http://schemas.xmlsoap.org/claims.
2f Click OK.
2g To add other attributes to the set, repeat Step 2b through Step 2e.
2h Click Finish.
3 Select an attribute set.
4 Select attributes that you want to send from the Available list, and move them to the left side of the page.
5 (Conditional) If you created a new attribute set, it must be enabled for STS.
For more information, see "Enabling the Attribute Set" on page 254.
6 Click OK, then update the Identity Server.

10.5.3 Modifying the Authentication Response

When the Identity Server sends its response to the service provider, the response can contain an identifier for the user. If you do not own the service provider, you need to contact the administrator of the service provider and negotiate whether the user needs to be identified and how to do the identification. If the service provider is going to use an attribute for user identification, that attribute needs to be in the attributes sent with authentication. See Section 10.5.2, "Configuring the Attributes Sent with Authentication," on page 273.

To select the user identification method to send in the response:
1 In the Administration Console, click Devices > Identity Servers > Edit > WS Federation > [Service Provider] > Authentication Response.
2 For the format, select one of the following:
Unspecified: Specifies that the SAML assertion contains an unspecified name identifier.
E-mail: Specifies that the SAML assertion contains the user's e-mail address for the name identifier.
X509: Specifies that the SAML assertion contains an X.509 certificate for the name identifier.
3 For the value, select an attribute that matches the format. For the Unspecified format, select the attribute that the service provider expects.
The only values available are from the attribute set that you have created for WS Federation.
4 To specify that this Identity Server must authenticate the user, disable the Use proxied requests option. When the option is disabled and the Identity Server cannot authenticate the user, the user is denied access.
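A service provider administrator can check that a received assertion matches the identification method negotiated above. The following is an added example, not from the Novell guide: it lists mismatches in name identifier format, attribute namespace and required attributes, and it does not verify the assertion's signature. It assumes the WS Federation token is a SAML 1.1 assertion and that the console's format labels map to the SAML 1.1 name identifier URIs shown; the sample assertion and the attribute names emailaddress and upn are constructed.

```python
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:1.0:assertion}"  # SAML 1.1 assertion namespace
CLAIMS_NS = "http://schemas.xmlsoap.org/claims"   # namespace from step 2e
# Assumed mapping of the console's format labels to SAML 1.1 URIs.
FORMATS = {
    "Unspecified": "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified",
    "E-mail": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "X509": "urn:oasis:names:tc:SAML:1.1:nameid-format:X509SubjectName",
}

def check_assertion(xml_text, agreed_format, required_attrs):
    """Return a list of mismatches between an assertion and the agreed setup."""
    # Refuse DTDs up front so entity expansion never reaches the parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        return ["DTD or entity declaration present; refusing to parse"]
    root = ET.fromstring(xml_text)
    problems = []
    name_ids = list(root.iter(SAML + "NameIdentifier"))
    if not name_ids:
        problems.append("no NameIdentifier in assertion")
    for nid in name_ids:
        value = (nid.text or "").strip()
        if nid.get("Format") != FORMATS[agreed_format]:
            problems.append(f"NameIdentifier Format is {nid.get('Format')!r}")
        if agreed_format == "E-mail" and value.count("@") != 1:
            problems.append(f"NameIdentifier {value!r} is not an e-mail address")
    seen = set()
    for attr in root.iter(SAML + "Attribute"):
        if attr.get("AttributeNamespace") != CLAIMS_NS:
            problems.append(f"attribute {attr.get('AttributeName')!r} has wrong namespace")
        else:
            seen.add(attr.get("AttributeName"))
    for name in sorted(set(required_attrs) - seen):
        problems.append(f"required attribute {name!r} not sent")
    return problems

# Constructed sample assertion (unsigned, for illustration only).
SAMPLE = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:1.0:assertion">
  <saml:AttributeStatement>
    <saml:Subject>
      <saml:NameIdentifier Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">jdoe</saml:NameIdentifier>
    </saml:Subject>
    <saml:Attribute AttributeName="emailaddress" AttributeNamespace="http://schemas.xmlsoap.org/claims">
      <saml:AttributeValue>jdoe@example.com</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""
```

Calling `check_assertion(SAMPLE, "E-mail", ["emailaddress", "upn"])` reports three mismatches, because the sample was issued with the Unspecified format and carries no upn attribute.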
