Advanced configuration settings for a connection between a SAML-enabled web application and SecurID are optional. Complete these settings only if you are adding a connection to a SAML application with a non-standard configuration.

1. On the Connection Profile page of the wizard, scroll to the bottom and click Show Advanced Configuration.

2. In the Attribute Extension section, specify one or more NameID attributes. Each extended attribute can either map to a single identity source/attribute pair, or, with attribute hunting, map to multiple identity source/attribute pairs.

   Field	Description
   Attribute Source	Select Identity Source to specify an Attribute Name that maps to a selected Identity Source and Property (attribute) pair. Select Constant to specify an Attribute Name and Property (attribute) pair to map to the specified attribute.
   Attribute Name	Enter the name of the extended attribute.
   Identity Source	Select an identity source.
   Property	If you have selected Identity Source in Attribute Source, select an attribute from the list in the Property field. Only the attributes that were selected in the Policies column on the Users > Identity Source > User Attributes page are available for the SAML application configuration. If you have selected Constant in Attribute Source, enter the value in Property field manually.
   Manage	To specify multiple identity source/attribute pairs to map to the extended attribute specified in the Attribute Name column, do this: Click the pencil icon. In the Attribute Hunting Details dialog box, select a Identity Source and Property (attribute) pair to map to the specified attribute. To map additional identity source and property pairs to the attribute, click ADD. To specify a constant attribute name and add multiple values to the specified attribute: Click the pencil icon. In the Constant dialog box, select an Attribute Name and Property (attribute value) pair to map to the specified attribute. To add multiple values to the specified attribute, click ADD. Click Save. Note: Any value that contains a special character is automatically prefixed with \ in the Property of the specified constant attribute in the Attribute Extension section. The prefix \ ensures that the value is in valid JSON format.

3. In the NameID Modification section, specify options to modify the name identifier to use the format that the service provider expects. Select all that apply.

   Option	Description
   Change Case	Change the NameID string to all Upper case or all Lower case letters.
   Add Prefix	Enter a prefix for the NameID.
   Add Suffix	Enter a suffix for the NameID.
   Remove String	Enter a regular expression to delete matching characters in the NameID. For example, if NameID is an email address (such as jdoe@example.com), the regular expression <userinput>@(.*)$</userinput> removes the @ character and the domain name (the result is jdoe).
   Concatenate Attributes	Enter user attributes to append their values to the NameID.

4. Specify Uncommon SAML Response Formatting Options to include in the outgoing SAML response.
   1. For Sign Outgoing Assertion, select one of the following options for signing the SAML response:

      • Entire SAML response (default)

      • Assertion within response

   2. Select hash code algorithms:

      • Signature Algorithm – The algorithm used to sign the outgoing assertion.

      • Digest Algorithm – The digest or hash code algorithm that is used while signing the outgoing assertion.

   3. Select Encrypt Assertion to encrypt the SAML assertion with the public key on the IdP so that it can only be decrypted by the private key loaded in the SSO settings on the SP.

   4. Select the encryption parameters, as requested by the SP, to apply to the Encryption Algorithm and the Encryption Key Transport.

   5. Select Send encoded URL in outgoing assertion to specify that the identity router URL encodes the Relay State in the SAML response that the SP receives.

   6. Select Send PasswordProtectedTransport as AuthnContextClassRef in the SAML response if you want the identity provider to send AuthnContextClassRef in the SAML response as PasswordProtectedTransport. This indicates that the password exchange must use a secure transport method. When unselected, AuthnContextClassRef is sent as Password.

   7. Select For multivalued attributes, send each value in a separate attributeValue element if you want multivalued attributes to send each value in a separate attributeValue element. When unselected, values are separated by commas.

   8. Select Include Issuer NameID Format to override the default format of the SAML Issuer Entity ID, and then select one of the following formatting options:

      • Unspecified

      • Email Address

      • X.509 Subject Name

      • Windows Domain Qualified Name

      • Kerberos Principal Name

      • Entity Identifier

      • Transient Identifier

      • Persistent Identifier

   This step completes the optional, advanced Connection Profile settings for the SAML configuration. Do one of the following:

   • If you have completed all required steps in the configuration wizard as described in Add a SAML Application, perform the remaining steps in this procedure.

   • If you have not completed the required User Access or Portal Display pages of the wizard, return to step 10 in Add a SAML Application, and complete the steps in that topic.

5. When you finish making changes, and no other changes are required on other pages, go to the last page of the wizard and click Save and Finish.

6. (Optional) To publish this configuration and immediately activate it on the identity router, click Publish Changes.