PingOne Advanced Identity Cloud

Link identities to a single, shared account

PingOne Advanced Identity Cloud lets you map identities on the IdP temporarily to a single account on the SP (for example, the anonymous account). This lets you exchange attributes about the user without a user-specific account on the SP.

This approach is useful when the SP doesn’t need a user-specific account to provide a service, or when you don’t want to create or retain identity data on the SP, but you must make authorization decisions based on attribute values from the IdP.

Before you configure identities to link to a single account, ensure you:

  • Configure PingOne Advanced Identity Cloud for SAML 2.0.

  • Create the IdP.

    • If PingOne Advanced Identity Cloud is the IdP, use the Advanced Identity Cloud admin UI with application management.

  • Create SPs.

  • Configure a circle of trust (CoT).

  • Configure PingOne Advanced Identity Cloud to support SSO.

Perform the following steps:

  1. On the hosted IdP:

    • Under Native Consoles > Access Management, go to Realms > Realm Name > Applications > Federation > Entity Providers > Hosted IDP Name.

    • On the Assertion Processing tab, if the attributes you want to access from the SP aren’t included in the Attribute Map property, add the attribute mappings.

      Enter attribute map values using the following format: SAML Attribute Name=Profile Attribute Name.

    • Save your work.

  2. On the hosted SP:

    • Under Native Consoles > Access Management, go to Realms > Realm Name > Applications > Federation > Entity Providers > Hosted SP Name.

    • On the Assertion Processing tab, if the attributes you want to access from the IdP are not included in the Attribute Map property, add the attribute mappings.

      Enter attribute map values using the following format: SAML Attribute Name=Profile Attribute Name.

      You can use a special wildcard mapping of *=*, which maps each attribute in the assertion to an identically named attribute on the SP using the relevant value.

    • In the Auto Federation section, ensure that Enabled is not selected.

    • In the Account Mapper > Transient User property, add the account name PingOne Advanced Identity Cloud will use to link all identities from the IdP, for example; anonymous.

    • Save your work.

  3. To test your work:

    • Create a new user on the IdP, including values for any attributes you mapped in the providers.

    • Log out of the UI and initiate SSO using transient federation; for example, as described in Enable transient federation.

    • Authenticate to the IdP as the new user you created.

    • After successfully authenticating to the IdP, check that the identity is linked to a transient account by performing the following steps:

      • In a separate browser or private window, log in to the UI of the SP.

      • Go to Realms > Realm Name > Sessions.

      • Enter the transient username you configured earlier; for example, anonymous.

        The sessions of users who initiated SSO and who are temporarily linked to the transient user account display.

Copyright © 2010-2024 ForgeRock, all rights reserved.