Access Management 7.2.2

Link identities to a single, shared account

You temporarily map identities on the identity provider to a single account on the service provider; for example, the anonymous account, in order to exchange attributes about the user without a user-specific account on the service provider.

This approach can be useful when the service provider either needs no user-specific account to provide a service, or when you don’t want to create or retain identity data on the service provider, but instead you make authorization decisions based on attribute values from the identity provider.

The following steps demonstrate how to auto-federate using a single user account on the service provider.

Before attempting these steps, ensure that you have configured AM for SAML v2.0, created the identity and service providers, and configured a circle of trust. You must also have configured AM to support single sign-on. For information on performing those tasks, see Deployment considerations and Implement SSO and SLO.

  1. On the hosted identity provider:

    • In the AM admin UI, go to Realms > Realm Name > Applications > Federation > Entity Providers > Hosted Identity Provider Name.

    • On the Assertion Processing tab, if the attributes you want to access from the SP are not yet included in the Attribute Map property, add the attribute mappings.

      Enter attribute map values using the following format: SAML Attribute Name=Profile Attribute Name.

    • Save your work.

  2. On the hosted service provider:

    • In the AM admin UI, go to Realms > Realm Name > Applications > Federation > Entity Providers > Hosted Service Provider Name.

    • On the Assertion Processing tab, if the attributes you want to access from the IDP are not yet included in the Attribute Map property, add the attribute mappings.

      Enter attribute map values using the following format: SAML Attribute Name=Profile Attribute Name.

      You can use a special wildcard mapping of *=*, which maps each attribute in the assertion to an identically named attribute on the SP, using the relevant value.

    • Ensure that the Auto Federation property is not selected.

    • In the Transient User field, add the account name AM will use to link all identities from the IDP, for example; anonymous.

    • Save your work.

  3. To test your work:

    • Create a new user on the identity provider, including values for any attributes you mapped in the providers.

    • Log out of the AM admin UI, and initiate SSO using transient federation; for example, as described in To Enable Transient Federation.

    • Authenticate to the IDP as the new user you created.

    • After successfully authenticating to the IDP, check that the identity is linked to a transient account by performing the following steps:

      • In a separate browser or private window, log in to the AM admin UI of the SP.

      • Go to Realms > Realm Name > Sessions.

      • Enter the transient user name you configured earlier; for example, anonymous.

        You will see one or more sessions of users who have initiated single sign-on and been temporarily linked to the transient user account.

Copyright © 2010-2024 ForgeRock, all rights reserved.