4.6 Mapping Transient Identifier to Local User

You can map a federated user with a transient name identifier to a local user based on an LDAP attribute match.

  1. In the Administration Console, click Devices > Identity Servers > Edit > Local > Classes.

  2. Click New, then fill in the following fields:

    Display name: Specify a name for the class.

    Java class: Select Other.

    Java class path: Enter com.novell.nidp.authentication.local.PasswordFetchClassEx

  3. Click Next, then configure the following properties for the class:

    ignoreErrors: Specify true to ignore password retrieval failures.

    pwdType: Specify 0 to retrieve a universal password and 1 to retrieve a simple password.

    userLookupType: Specify 1 to make the LDAP attribute searchable.

    attributeName: Specify the LDAP attribute. The value of this LDAP attribute is used to identify the local user.

    attributeAutoprovision: Specify false to prevent automatic provisioning of attributes.

    retainPrincipal: Specify false to prevent retaining the previous principal.

  4. Click Ok.
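The following Python is an added illustration, not code from this guide or from the product, of what the attributeName lookup has to get right when a transient identifier is mapped: the attribute value arrives in the federation assertion, so it is escaped before it is placed in an LDAP search filter, and the match must resolve to exactly one local user (zero or several hits are a failure, never a fallback to the first entry). The sample directory, the function names and the MappingError type are all constructed for this example and do not correspond to PasswordFetchClassEx internals.

```python
"""Local-user lookup by LDAP attribute, as a transient-identifier mapping needs it.

The attribute value comes from the federation assertion, i.e. from outside the
local directory, so it is escaped before it is placed in a search filter, and a
successful mapping requires exactly one matching entry.
"""
import re

# RFC 4515 escaping for the characters that carry meaning inside a filter.
_FILTER_SPECIALS = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29', '\x00': r'\00'}


class MappingError(Exception):
    """Raised when the assertion value does not resolve to exactly one local user."""


def escape_filter_value(value):
    """Escape an assertion value so it is matched literally inside an LDAP filter."""
    return ''.join(_FILTER_SPECIALS.get(ch, ch) for ch in value)


def build_equality_filter(attribute_name, value):
    """Build the (attribute=value) filter used to find the local user."""
    return '(%s=%s)' % (attribute_name, escape_filter_value(value))


def _unescape(raw):
    # Reverse RFC 4515 hex escapes (\2a -> *, \29 -> ), ...).
    return re.sub(r'\\([0-9a-fA-F]{2})', lambda m: chr(int(m.group(1), 16)), raw)


def match_equality_filter(flt, entry):
    """Evaluate one simple equality filter against a directory entry.

    `entry` maps attribute names to lists of values. Only the plain
    (attr=value) form is accepted; a filter that still contains an unescaped
    '(', ')' or '*' is rejected rather than interpreted, which is what a
    value looks like once escaping has been skipped.
    """
    m = re.fullmatch(r'\(([A-Za-z][A-Za-z0-9-]*)=([^()*]*)\)', flt)
    if m is None:
        raise ValueError('unsupported or malformed filter: %r' % flt)
    attr, value = m.group(1), _unescape(m.group(2))
    return value in entry.get(attr, [])


def map_transient_user(directory, attribute_name, assertion_value):
    """Return the DN of the single local entry whose attribute_name equals assertion_value.

    `directory` is a dict of DN -> entry (hypothetical in-memory stand-in for
    the user store). Zero matches and ambiguous matches both fail: silently
    taking the first of several hits would let one assertion value land in
    another user's account.
    """
    flt = build_equality_filter(attribute_name, assertion_value)
    hits = [dn for dn, entry in directory.items() if match_equality_filter(flt, entry)]
    if len(hits) != 1:
        raise MappingError('%s resolved %d local users for filter %s'
                           % (attribute_name, len(hits), flt))
    return hits[0]


# Constructed sample directory (not real data): two users share a mail value.
DIRECTORY = {
    'cn=alice,ou=users,o=example': {'cn': ['alice'], 'mail': ['alice@example.com']},
    'cn=bob,ou=users,o=example':   {'cn': ['bob'],   'mail': ['bob@example.com']},
    'cn=carol,ou=users,o=example': {'cn': ['carol'], 'mail': ['shared@example.com']},
    'cn=dave,ou=users,o=example':  {'cn': ['dave'],  'mail': ['shared@example.com']},
}


if __name__ == '__main__':
    print(map_transient_user(DIRECTORY, 'mail', 'alice@example.com'))
    for bad in ('shared@example.com', 'nobody@example.com', '*', 'x)(cn=*'):
        try:
            map_transient_user(DIRECTORY, 'mail', bad)
        except MappingError as exc:
            print('rejected:', exc)
```

The unique-match rule is the part worth carrying over to a real deployment: whichever attribute you name in attributeName should be one the directory keeps unique (or enforced unique by the identity source), otherwise two local accounts can be reachable through the same federated identity.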

4.6.1 Creating a Method to Use the PasswordFetchClassEx

When you create a method, you can specify property values that are applied to just this method and not the entire class. The method also allows you to specify which user stores can use the method.

  1. On the Local page for the Identity Server, click Methods > New.

  2. Specify a Display name.

  3. From the Class selection list, select the PasswordFetchClassEx option.

  4. In the Available user stores list, select the idp140 option.

  5. Click Finish.

4.6.2 Using the PasswordFetchClassEx Method for Mapping a Transient User to a Local User

Perform the following actions:

  1. In the Administration Console, click Devices > Identity Servers > Edit > Liberty [or SAML2.0] > [Identity Provider] > User Identification.

  2. Change the post-execution method of SAML2 to the PasswordFetchClassEx method.

  3. Click Apply.

  4. Click OK twice.

  5. Update the Identity Server.