214 Novell Access Manager 3.1 SP1 Identity Server Guide
novdocx (en) 19 February 2010

5 Specify what action to take if no match is found.

Do nothing: Specifies that an identity provider account is not matched with a service provider account. This option allows the user to authenticate the session without identifying a user account on the service provider.

IMPORTANT: Do not select this option if the expected name format identifier is persistent. A persistent name format identifier requires that the user be identified so that information can be stored with that user. To support the Do nothing option and allow anonymous access, the authentication response must be configured for a transient identifier format. To view the service provider configuration, see Section 5.4.6, “Configuring an Authentication Response for a Service Provider,” on page 162.

Prompt user for authentication: Allows the user to specify the credentials for a user that exists on the service provider. Sometimes users have accounts at both the identity provider and the service provider, but the accounts were created independently, use different names (for example, joe.smith and jsmith) and different passwords, and share no common attributes except for the credentials known by the user.

Provision account: Assumes that the user does not have an account at the service provider and creates one for the user. You must create a provisioning method.

6 Click OK.

7 (Conditional) If you selected Provision account when no match is found, select the Provision settings icon. For information on this process, see Section 8.4, “Defining the User Provisioning Method,” on page 214.

8 Click OK twice, then update the Identity Server.

8.4 Defining the User Provisioning Method

If you enabled Provision account when selecting an identification method, you must define the user provisioning method. This procedure involves selecting required and optional attributes that the service provider requests from the identity provider during provisioning.

IMPORTANT: When a user object is created in the directory, some attributes are initially created with the value of NAM Generated. Afterwards, an attempt is made to write the required and optional attributes to the new user object. Because required and optional attributes are profile attributes, the system checks the write policy for the profile’s Data Location Settings (specified in Liberty > Web Service Provider) and writes the attribute in either LDAP or the configuration store. In order for the LDAP write to succeed, each attribute must be properly mapped as an LDAP Attribute. Additionally, you must enable the read/write permissions for each attribute in the Liberty/LDAP attribute maps. See Section 10.9, “Mapping LDAP and Liberty Attributes,” on page 235.

To configure user provisioning:

1 In the Administration Console, click Devices > Identity Servers > Servers > Edit > Liberty [or SAML 2.0] > [Identity Provider] > User Identification.

If you have selected Provision account as the user identification method or have created an attribute matching setting that allows for provisioning when no match is found, you need to create a provision method.

2 Click the Provisioning settings icon.
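The no-match rules in step 5 above, modelled as a small decision routine. This is an added illustration, not code from the Novell Access Manager product: the assertion fragment, the account store (a plain dict keyed by NameID value) and the `provision_method` callable are all constructed assumptions, while the two NameID format URNs are the standard SAML 2.0 values. It enforces the guide’s constraint that the Do nothing option is only valid with a transient identifier format, and that Provision account needs a provisioning method before it can be used.

```python
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion fragment (not captured from a real deployment).
SAMPLE_ASSERTION = (
    f'<saml:Assertion xmlns:saml="{SAML_NS}"><saml:Subject>'
    f'<saml:NameID Format="{PERSISTENT}">idp-user-42</saml:NameID>'
    '</saml:Subject></saml:Assertion>'
)

def read_nameid(assertion_xml):
    """Return (format, value) of the assertion's NameID element."""
    node = ET.fromstring(assertion_xml).find(f".//{{{SAML_NS}}}NameID")
    if node is None:
        raise ValueError("assertion carries no NameID")
    return node.get("Format", ""), (node.text or "").strip()

def check_config(config, fmt):
    """Reject the combinations the guide's IMPORTANT notes rule out."""
    if config["no_match"] == "do_nothing" and fmt == PERSISTENT:
        raise ValueError("'Do nothing' needs a transient NameID format; "
                         "a persistent identifier requires an identified user")
    if config["no_match"] == "provision" and config.get("provision_method") is None:
        raise ValueError("'Provision account' requires a provisioning method")

def identify_user(assertion_xml, local_accounts, config):
    """Map the federated NameID to a service-provider account.
    local_accounts: {nameid_value: username}, a hypothetical account store.
    config: {"no_match": "do_nothing" | "prompt" | "provision",
             "provision_method": callable(nameid_value) -> username}.
    Returns (outcome, username-or-None)."""
    fmt, value = read_nameid(assertion_xml)
    check_config(config, fmt)
    if value in local_accounts:
        return "matched", local_accounts[value]
    if config["no_match"] == "do_nothing":
        return "anonymous", None            # session without a local account
    if config["no_match"] == "prompt":
        return "prompt_for_credentials", None
    username = config["provision_method"](value)
    local_accounts[value] = username        # keep the link for the next login
    return "provisioned", username
```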