You can use the NameID of a subject in an Assertion as the login ID to create a user account for the subject in System Manager. If the system encrypts the NameID, the R-IDP must include the attributes of the authenticated subject, such as uid and email, in the Assertion. The system uses these attributes to create the user account in System Manager. If the Assertion does not contain attributes, the R-IDP must act as an Attribute Authority. In System Manager, an account is required for RBAC.
Assertions must be signed and not encrypted.
The system uses assertions from trusted sources only. An administrator must set up SSL trust between System Manager and the R-IDP by adding the CA certificate that issued the R-IDP’s Web server certificate to the CA truststore in System Manager.
The Condition statement in an Assertion can contain multiple AudienceRestriction statements, and one of them must specify the SAML entity ID of System Manager.
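The checks described above (not encrypted, signed, audience matches the System Manager entity ID, NameID and attributes present), as an added example that is not System Manager's own code. The entity ID, the Assertion and its signature value are constructed sample values; only signature presence is checked, since cryptographic verification needs an XML-DSig library and the trusted R-IDP certificate.

```python
"""Checks on a SAML 2.0 Assertion before its NameID is used as a login ID.

Added example, not System Manager's own code. The entity ID, Assertion and
signature value are constructed samples. Signature presence is checked here;
cryptographic verification needs an XML-DSig library and the IdP's trusted cert.
"""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}

SP_ENTITY_ID = "https://smgr.example.com/sp"  # constructed sample value

# Constructed sample Assertion with two AudienceRestriction statements.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    xmlns:ds="http://www.w3.org/2000/09/xmldsig#" ID="_a1" Version="2.0">
  <saml:Issuer>https://idp.example.org</saml:Issuer>
  <ds:Signature><ds:SignatureValue>c2FtcGxl</ds:SignatureValue></ds:Signature>
  <saml:Subject><saml:NameID>jdoe</saml:NameID></saml:Subject>
  <saml:Conditions>
    <saml:AudienceRestriction><saml:Audience>https://other.example.net</saml:Audience></saml:AudienceRestriction>
    <saml:AudienceRestriction><saml:Audience>https://smgr.example.com/sp</saml:Audience></saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AttributeStatement>
    <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="email"><saml:AttributeValue>jdoe@example.org</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def check_assertion(xml_text, sp_entity_id):
    """Return (login_id, attributes); raise ValueError if the Assertion is not usable."""
    root = ET.fromstring(xml_text)
    # Assertions must be signed and not encrypted (neither the Assertion nor the NameID).
    if root.tag.endswith("EncryptedAssertion") or root.find(".//saml:EncryptedID", NS) is not None:
        raise ValueError("encrypted Assertion or NameID is not accepted")
    if root.find("ds:Signature", NS) is None:
        raise ValueError("Assertion is not signed")
    # System Manager's entity ID must be one of the AudienceRestriction values.
    audiences = [a.text for a in root.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    if sp_entity_id not in audiences:
        raise ValueError("no AudienceRestriction names this SP entity ID")
    login_id = root.findtext("saml:Subject/saml:NameID", namespaces=NS)
    if not login_id:
        raise ValueError("Assertion has no NameID to use as the login ID")
    # Attributes (uid, email, ...) used to create the account when present.
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return login_id, attrs
```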