We have configured our NAM3.2.2 to use SAML2 to federate with another
IDP (ADFS), in this set up we are the service provider. Currently we use
email address as matching criteria. The remote IDP send us their user’s
email address and NAM match that to the email address of local user in
Now our customer wanted to add more restriction in addition to just
email address. In our AD, we have 2 sets of users, one set has a
customized attribute with a constant value “federated”, indicating that
user with such attribute can be federated; User without that attribute
of the attribute value is not “federated” shall not get authenticated
even is the account has a matching email address from trusted IDP. As
this is something internal, we cannot depends on trusted IDP to pass in
that value, they still only pass in email address.
I tried to edit user matching expression to add this 2nd criteria but
was not able to do so.
Please let me know if this is doable and how.

mxu1386's Profile: https://forums.netiq.com/member.php?userid=1361
View this thread: https://forums.netiq.com/showthread.php?t=52638