Linking Identities Automatically with Auto-Federation
AM lets you configure the service provider to automatically link identities based on an attribute value in the assertion returned from the identity provider, known as auto-federation.
When you know the user accounts on both the identity provider and the service provider share a common attribute value, such as an email address or other unique user identifier, you can configure AM to map the attributes to each other, and link identities, without the user having to authenticate to the SP.
This procedure demonstrates how to automatically link identities based on an attribute value that is the same in both accounts.
Before attempting to configure auto-federation, ensure that you have configured AM for SAML v2.0, created the identity and service providers, and configured a circle of trust. You must also have configured AM to support single sign-on. For information on performing those tasks, see Deployment Considerations and Implementing SSO and SLO.
Perform the following steps on the hosted IDP(s), and again on the hosted SP(s):
Go to Realms > Realm Name > Applications > Federation > Entity Providers, and click on the name of the hosted provider.
On the hosted IDP:
Go to the Assertion Processing tab.
Review the Attribute Map configuration. If the attributes you want to use to link the accounts on the IDP and the SP are not in the map already, add them.
The IDP will send these attributes in the assertion, and the SP will then map them using its own attribute map.
The user profile attributes used here must both be allowed in user profiles, and also be specified for the identity repository. See "Adding User Profile Attributes", for instructions on allowing additional attributes in user profiles.
To see the profile attributes available for an LDAP identity repository, log in to the AM console, and go to Realms > Realm Name > Identity Stores > User Configuration. Check the LDAP User Attributes list.
The default IDP mapping implementation allows you to add static values in addition to values taken from the user profile. You add a static value by enclosing the profile attribute name in double quotes ("), as in the following example:
Save your work.
On the hosted SP:
Go to the Assertion Processing tab.
Review the Attribute Map configuration, and ensure that the attribute mappings you created on the IDP are represented in the map.
The value of Key is a SAML attribute sent in an assertion, and the value of Value is a property in the user's session, or an attribute of the user's profile.
By default, the SP maps the SAML attributes it receives to equivalent-named session properties. However, when the SP is configured to create identities during autofederation and the identity does not exist yet, the SP maps the SAML attributes to their equivalents in the newly-created user profile.
The special mapping
Key: *, Value: *
means that the SP maps each attribute it receives in the assertion to equivalent-named properties or attributes. For example, if the SP receivesmail
andfirstname
in the assertion, it maps them tomail
andfirstname
respectively.Remove the special mapping and add key pairs to the map if:
(During autofederation) The attributes in the IdP's and the SP's identity stores do not match.
You need control over the names of the session properties.
You need control over which attributes the SP should map, because the IdP adds too many to the assertion.
For example, if the the SAML attribute is
firstname
and you want the SP to map it to a session property/user profile attribute calledcn
, create a mapping similar toKey: firstname, Value: cn
.Enable Auto Federation. In the Attribute property, enter the SAML attribute name that the SP will use to link accounts, as configured in the Attribute Map.
Save your work.
To test your work, initiate single sign-on; for example, as described in "IDP-Initiated SSO JSP".
Authenticate to the IDP as the
demo
user. Attempt to access the SP, and you will notice that the user has a session, and can access their profile page on the SP without having to authenticate again.