6.3 Configuring User Matching Expressions

When a service provider receives an assertion from a trusted identity provider, the service provider tries to identify the user in its own user store. How it does this, and what happens when no user is found, is controlled by the user matching expression described in this section:

The user matching expression is used to format a query to the user store based on the attributes received in the assertion from the identity provider. This query must return exactly one user: a query that matches no user cannot identify anyone, and a query that matches several users is ambiguous and must not be used to grant access to any of them.

The user matching expression defines the logic of the query. You must know the LDAP attributes that are used to name the users in the user store in order to create the user’s distinguished name and uniquely identify the users.

For example, if the service provider user store uses the email attribute to identify users, the identity provider must be configured to send the email attribute. The service provider uses this attribute in a user matching expression to find the user in the user store. If exactly one match is found, the user is granted access. If no user is found, that attribute can be used to create an account for the user (provisioning). The assertion must then contain all the attributes that the user store requires to create an account. Because the assertion values come from the identity provider rather than from the user store, choose matching attributes that are unique in the store (for example an email address or employee number) and that the identity provider actually controls; an attribute that users can set themselves, or that is duplicated across entries, allows one user's assertion to match another user's account.

To create a user matching expression:

  1. In the Administration Console, click Devices > Identity Servers > Shared Settings > User Matching Expressions.

  2. Click New, or click the name of an existing user matching expression.

  3. Specify a name for the user matching expression.

  4. Click the Add Attributes icon (plus sign), then select attributes to add to the logic group. (Use the Shift key to select several attributes.)

  5. Click OK.

  6. To add logic groups, click New Logic Group.

    The Type drop-down (AND or OR) applies only between groups. Attributes within a group are always combined with the opposite of the type selection. For example, if the Type value is AND, the attributes within each group are combined with OR, so a group is satisfied when any one of its attributes matches. Keep this in mind when you place several attributes in one group: with Type AND, adding a second attribute to a group makes the query broader, not stricter. To require two attributes to match together, put each one in its own group.

  7. Click the Add Attributes icon (plus sign) to add attributes to the next logic group, then click OK.

  8. Click Finish.

  9. (Conditional) If you selected attributes from the Custom, Employee, or Personal profile, you need to enable the profile so that the attribute can be shared:

    1. Click Servers > Edit > Liberty > Web Service Provider.

    2. Select the profiles that need to be enabled, then click Enable.

    3. Click OK, then update the Identity Server.
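The following Python example is added here to make the query logic concrete; it is not NetIQ Access Manager code and does not call the product. It models the rule from the procedure above (the Type applies between logic groups, and attributes inside a group use the opposite operator), renders the expression as the LDAP search filter such a query would send, evaluates the same logic against a small constructed in-memory user store, and enforces the requirement that a lookup succeeds only when exactly one user matches. Because the assertion values arrive from the identity provider and not from the user store, the example escapes them per RFC 4515 before placing them in the filter, so a value such as `*` is matched literally rather than as a wildcard. The `MatchingExpression` class, the `find_user` helper, the entries in `USER_STORE` and the sample assertions are all assumptions made for this example.

```python
"""Render and evaluate a user matching expression as an LDAP filter.

Added example, not Access Manager code. Hypothetical assumptions:
- an assertion is a dict of attribute name -> string value from the IdP;
- the user store is a list of dicts, each with a "dn" key plus attributes;
- the Type (AND/OR) applies between groups, and attributes inside a group
  are combined with the opposite operator, as the console behaves.
"""
from dataclasses import dataclass
from typing import Optional


def escape_filter_value(value: str) -> str:
    """Escape an assertion value per RFC 4515 so it is matched literally.

    Without this, a value such as '*' or 'x)(objectClass=*' supplied in the
    assertion would change the meaning of the filter sent to the user store.
    """
    escaped = []
    for ch in value:
        if ch in "\\*()\x00":
            escaped.append("\\%02x" % ord(ch))
        else:
            escaped.append(ch)
    return "".join(escaped)


@dataclass
class MatchingExpression:
    group_type: str  # "AND" or "OR": the Type selection, applied between groups
    groups: list     # each logic group is a list of LDAP attribute names

    def __post_init__(self):
        if self.group_type not in ("AND", "OR"):
            raise ValueError("group_type must be AND or OR")
        if not self.groups or any(not g for g in self.groups):
            raise ValueError("every logic group needs at least one attribute")

    @property
    def inner_type(self) -> str:
        """Attributes inside a group use the opposite of the Type selection."""
        return "OR" if self.group_type == "AND" else "AND"

    def _require_attributes(self, assertion: dict) -> None:
        missing = sorted({a for g in self.groups for a in g} - set(assertion))
        if missing:
            raise ValueError(f"assertion lacks required attributes: {missing}")

    def to_ldap_filter(self, assertion: dict) -> str:
        """Render the expression as the LDAP search filter the query would use."""
        self._require_attributes(assertion)
        op = {"AND": "&", "OR": "|"}
        parts = []
        for group in self.groups:
            clauses = "".join(
                f"({a}={escape_filter_value(assertion[a])})" for a in group
            )
            parts.append(f"({op[self.inner_type]}{clauses})")
        return f"({op[self.group_type]}{''.join(parts)})"

    def matches(self, entry: dict, assertion: dict) -> bool:
        """Evaluate the same logic against one user-store entry (exact equality)."""
        self._require_attributes(assertion)
        inner = any if self.inner_type == "OR" else all
        outer = any if self.group_type == "OR" else all
        return outer(
            inner(entry.get(a) == assertion[a] for a in group) for group in self.groups
        )

    def find_user(self, store: list, assertion: dict) -> Optional[str]:
        """Return the DN only when exactly one entry matches; otherwise None.

        Zero matches means no user to identify; two or more means the
        expression is ambiguous and must not grant access to any of them.
        """
        hits = [e["dn"] for e in store if self.matches(e, assertion)]
        return hits[0] if len(hits) == 1 else None


# Constructed sample user store (not real data). Note the duplicated mail value.
USER_STORE = [
    {"dn": "cn=alice,ou=users,o=example", "mail": "alice@example.com",
     "uid": "alice", "employeeNumber": "1001"},
    {"dn": "cn=bob,ou=users,o=example", "mail": "bob@example.com",
     "uid": "bob", "employeeNumber": "1002"},
    {"dn": "cn=alice2,ou=contractors,o=example", "mail": "alice@example.com",
     "uid": "alice.c", "employeeNumber": "2001"},
]

# Type AND between two groups: (mail OR uid) AND (employeeNumber).
EXPRESSION = MatchingExpression("AND", [["mail", "uid"], ["employeeNumber"]])
# A single-group expression on mail alone, which is ambiguous for this store.
MAIL_ONLY = MatchingExpression("AND", [["mail"]])

# Constructed assertion attributes as they would arrive from the IdP.
GOOD_ASSERTION = {"mail": "alice@example.com", "uid": "alice", "employeeNumber": "1001"}

if __name__ == "__main__":
    print(EXPRESSION.to_ldap_filter(GOOD_ASSERTION))
    print(EXPRESSION.find_user(USER_STORE, GOOD_ASSERTION))
    print(MAIL_ONLY.find_user(USER_STORE, {"mail": "alice@example.com"}))
    print(MAIL_ONLY.to_ldap_filter({"mail": "*"}))
```

Running the block shows the two failure modes the procedure warns about: the mail-only expression returns `None` because two entries share the address, and an assertion carrying `*` as the mail value is rendered as `(mail=\2a)`, a literal asterisk, instead of a wildcard that would match every user.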