Link identities to a single, shared account
Identity Cloud lets you map identities on the IDP temporarily to a single account on the SP (for example, the anonymous account) in order to exchange attributes about the user without a user-specific account on the SP.
This approach is useful when the SP needs no user-specific account to provide a service or when you do not want to create or retain identity data on the SP, but you must make authorization decisions based on attribute values from the IDP.
Link identities to a single SP account
Before you configure identities to link to a single account, ensure you:
- Configure Identity Cloud for SAML 2.0.
- Create the IDP.
  - If Identity Cloud is the IDP, use the Identity Cloud admin UI with application management.
- Create SPs.
- Configure a circle of trust (CoT).
- Configure Identity Cloud to support SSO.
Perform the following steps:
- On the hosted IDP:
  - In the AM admin UI, go to Realms > Realm Name > Applications > Federation > Entity Providers > Hosted IDP Name.
  - On the Assertion Processing tab, if the attributes you want to access from the SP are not included in the Attribute Map property, add the attribute mappings.
    Enter attribute map values using the following format: SAML Attribute Name=Profile Attribute Name.
  - Save your work.
- On the hosted SP:
  - In the AM admin UI, go to Realms > Realm Name > Applications > Federation > Entity Providers > Hosted SP Name.
  - On the Assertion Processing tab, if the attributes you want to access from the IDP are not included in the Attribute Map property, add the attribute mappings.
    Enter attribute map values using the following format: SAML Attribute Name=Profile Attribute Name.
    You can use a special wildcard mapping of *=*, which maps each attribute in the assertion to an identically named attribute on the SP using the relevant value.
  - In the Auto Federation section, ensure that Enabled is not selected.
  - In the Account Mapper > Transient User property, add the account name Identity Cloud will use to link all identities from the IDP; for example, anonymous.
  - Save your work.
- To test your work:
  - Create a new user on the IDP, including values for any attributes you mapped in the providers.
  - Log out of the AM admin UI, and initiate SSO using transient federation; for example, as described in Enable transient federation.
  - Authenticate to the IDP as the new user you created.
  - After successfully authenticating to the IDP, check that the identity is linked to a transient account by performing the following steps:
    - In a separate browser or private window, log in to the AM admin UI of the SP.
    - Go to Realms > Realm Name > Sessions.
    - Enter the transient user name you configured earlier; for example, anonymous. The sessions of users who initiated SSO and who are temporarily linked to the transient user account display.
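The following added example (not Identity Cloud or AM code) models what the SP does with the settings above: it parses the AttributeStatement of a constructed SAML assertion, applies an attribute map written in the SAML Attribute Name=Profile Attribute Name format (including the *=* wildcard), binds the result to the transient account anonymous, and makes an authorization decision from a mapped attribute value. The assertion text, attribute names and the `authorize` check are assumptions for illustration; the simplified mapping logic is the example's own, not AM's implementation.

```python
import xml.etree.ElementTree as ET

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion fragment (not captured from a real IDP).
# Signature and condition checks are assumed to have passed before this
# point; attribute-based authorization is only as strong as that validation.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="memberOf"><saml:AttributeValue>finance</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="department"><saml:AttributeValue>Accounts</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

def parse_attribute_map(entries):
    """Parse 'SAML Attribute Name=Profile Attribute Name' entries into a dict."""
    mapping = {}
    for entry in entries:
        saml_name, _, profile_name = entry.partition("=")
        if not saml_name.strip() or not profile_name.strip():
            raise ValueError(f"bad attribute map entry: {entry!r}")
        mapping[saml_name.strip()] = profile_name.strip()
    return mapping

def extract_attributes(assertion_xml):
    """Return {SAML attribute name: [values]} from the AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    attrs = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", SAML_NS):
        values = attr.findall("saml:AttributeValue", SAML_NS)
        attrs[attr.get("Name")] = [v.text or "" for v in values]
    return attrs

def apply_attribute_map(saml_attrs, mapping):
    """Rename assertion attributes to profile attributes; '*=*' keeps all names."""
    if mapping.get("*") == "*":
        return dict(saml_attrs)
    return {profile: saml_attrs[saml] for saml, profile in mapping.items() if saml in saml_attrs}

def transient_session(assertion_xml, attribute_map, transient_user="anonymous"):
    """Bind the mapped attributes to the shared transient account (no SP profile is created)."""
    profile = apply_attribute_map(extract_attributes(assertion_xml), parse_attribute_map(attribute_map))
    return {"principal": transient_user, "attributes": profile}

def authorize(session, attribute, required_value):
    """Authorization decision taken purely from IDP-supplied attribute values."""
    return required_value in session["attributes"].get(attribute, [])
```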