Using IAM as SP without local user persister

In some SP setups it may be sensible to take over only the user information from the SAML assertion provided by the IdP and pass it on to the Target Application via ID propagation. A local lookup of the user is not desired in such cases, so IAM must be configured to use no local data at all, i.e. no User Persister. The following configuration entries have to be made:

  1. Set the NameID Format to transient in sp.xml (and in idp.xml if the Target Application is a SAML2 Target Application):

     <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>

  2. Loginapp >> SAML Settings >> SAML SP Settings >> Local Authenticator: configure a SAML Virtual User Authenticator. This authenticator just takes over the data from the received SAML assertion and uses it without doing any local lookups.
  3. Loginapp >> Security Settings >> IP Address Restrictions: disable it, as it would look up the user locally in order to get possible IP address restrictions defined for that user.
  4. Loginapp >> Self-Service Settings: disable it, because self-services need to be able to look up the user locally (e.g. for reset, migration, activation, etc.).
  5. MAIN SETTINGS >> Data Sources: remove all data sources (if the setting is present at all and IAM is not also configured as an IdP).
  6. Loginapp >> User Data Source: remove it (set it to empty, if IAM is not also configured as an IdP).
  7. Fix or change any configuration that is marked as an error: either disable (remove) that feature completely or, if it is needed, reconfigure it so that it does not use any persister.
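The following is an added example (not Airlock IAM code) of the two checks a practitioner would want after applying the steps above: that sp.xml declares only the transient NameID format, and that a received assertion with a transient NameID is turned into a propagated identity purely from its attributes, with no local lookup. The metadata fragment, the assertion and the function names are constructed for the example.

```python
"""Hypothetical helper, not part of Airlock IAM. Sample XML is constructed.
In production, parse untrusted XML with defusedxml and only after the SP
has validated the assertion signature."""
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sp.xml fragment: exactly one NameIDFormat, transient, as step 1 requires.
SP_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sp.example.test/saml">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</md:NameIDFormat>
  </md:SPSSODescriptor>
</md:EntityDescriptor>"""

# Constructed assertion as an IdP would send it (signature omitted for brevity).
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_7f3c9a</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>user</saml:AttributeValue>
      <saml:AttributeValue>auditor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def metadata_nameid_formats(xml_text):
    """Return every NameIDFormat declared in the SPSSODescriptor."""
    root = ET.fromstring(xml_text)
    return [e.text.strip() for e in root.findall("md:SPSSODescriptor/md:NameIDFormat", NS)]

def metadata_is_transient_only(xml_text):
    """Step 1 check: exactly one declared format, and it is transient."""
    return metadata_nameid_formats(xml_text) == [TRANSIENT]

def virtual_user_from_assertion(xml_text):
    """Build the identity to propagate solely from the assertion (no persister lookup).
    A transient NameID is a one-time handle, so it is never used as a lookup key;
    any other format is rejected because this setup has no store to resolve it against."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        raise ValueError("assertion NameID is missing or not transient")
    attrs = {}
    for attr in root.findall("saml:AttributeStatement/saml:Attribute", NS):
        attrs[attr.get("Name")] = [v.text for v in attr.findall("saml:AttributeValue", NS)]
    return {"name_id": name_id.text, "attributes": attrs}
```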

Single-Logout (SLO)

See Airlock IAM and SAML single-logout (SLO) for more information.