Link identities in bulk
If you manage both the IdP and SP, you can link accounts in bulk by using the ssoadm bulk federation commands.
Before you can run the bulk federation commands, first establish the relationship between accounts, set up the providers as described in Configure IdPs, SPs, and CoTs, and install the ssoadm tool. See Set up administration tools.
To understand the relationships between accounts, consider an example where the IdP is at www.idp.com and the SP is at www.sp.com. A test user account has the Universal ID id=bjensen,ou=user,dc=idp,dc=com on the IdP. This maps to the Universal ID id=bjensen,ou=user,dc=sp,dc=com on the SP.
The ssoadm command requires a file that maps local user IDs to remote user IDs, one mapping per line, with the two IDs separated by the vertical bar (|) character. Each line of the file appears as follows:
local-user-ID|remote-user-ID
In the example, starting on the SP side, the line for the test user reads as follows:
id=bjensen,ou=user,dc=sp,dc=com|id=bjensen,ou=user,dc=idp,dc=com
All the user accounts mapped in your file must exist at the IdP and the SP when you run the commands to link them.
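Before passing the file to --useridmapping, it is worth checking it for a missing separator, swapped local and remote sides, or a user ID mapped twice. The following checker is an added example and not part of ssoadm; the suffixes dc=sp,dc=com and dc=idp,dc=com are taken from the example above, and the sample map lines are constructed.

```python
"""Check a user-ID mapping file before running ssoadm do-bulk-federation.
Added example, not part of ssoadm: each line must read local-user-ID|remote-user-ID.
Flags lines without exactly one '|' or with an empty side, IDs outside the expected
local/remote suffix (a sign the sides were swapped), and IDs mapped more than once."""
from typing import Dict, List, Tuple

# Constructed sample in the page's format, prepared on the SP side
# (local = SP, remote = IdP). Lines 3 to 5 are deliberately faulty.
SAMPLE_MAP = """\
id=bjensen,ou=user,dc=sp,dc=com|id=bjensen,ou=user,dc=idp,dc=com
id=scarter,ou=user,dc=sp,dc=com|id=scarter,ou=user,dc=idp,dc=com
id=missing-separator,ou=user,dc=sp,dc=com
id=kvaughan,ou=user,dc=idp,dc=com|id=kvaughan,ou=user,dc=sp,dc=com
id=scarter,ou=user,dc=sp,dc=com|id=scarter2,ou=user,dc=idp,dc=com
"""

def _normalise_dn(dn: str) -> str:
    """Drop RDN spacing and case so equal DNs compare equal."""
    return ",".join(part.strip().lower() for part in dn.split(","))

def check_user_map(text: str, local_suffix: str, remote_suffix: str) -> Dict[str, list]:
    """Return {'mappings': [(local, remote), ...] for clean lines, 'errors': [...]}."""
    local_suffix, remote_suffix = map(_normalise_dn, (local_suffix, remote_suffix))
    mappings: List[Tuple[str, str]] = []
    errors: List[str] = []
    seen: Dict[str, Dict[str, int]] = {"local": {}, "remote": {}}  # DN -> first line
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue  # blank lines carry no mapping
        parts = [p.strip() for p in raw.split("|")]
        if len(parts) != 2 or not all(parts):
            errors.append(f"line {lineno}: expected local-user-ID|remote-user-ID")
            continue
        local, remote = (_normalise_dn(p) for p in parts)
        before = len(errors)
        for side, dn, suffix in (("local", local, local_suffix),
                                 ("remote", remote, remote_suffix)):
            if not dn.endswith("," + suffix):
                errors.append(f"line {lineno}: {side} ID not under {suffix} (sides swapped?)")
            if dn in seen[side]:
                errors.append(f"line {lineno}: {side} ID already mapped on line {seen[side][dn]}")
            seen[side].setdefault(dn, lineno)
        if len(errors) == before:  # only clean lines are safe to feed to --useridmapping
            mappings.append((local, remote))
    return {"mappings": mappings, "errors": errors}

if __name__ == "__main__":
    result = check_user_map(SAMPLE_MAP, "dc=sp,dc=com", "dc=idp,dc=com")
    print("\n".join(result["errors"]) or "user map is clean")
```

Run it on the IdP side with the suffixes swapped, since there the IdP IDs are local and the SP IDs are remote.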
Link the accounts using the ssoadm bulk federation commands:
- Prepare the data with the ssoadm do-bulk-federation command. The following example starts on the SP side:

    $ cat /tmp/user-map.txt
    id=bjensen,ou=user,dc=sp,dc=com|id=bjensen,ou=user,dc=idp,dc=com
    $ ssoadm do-bulk-federation \
      --metaalias /sp \
      --remoteentityid https://www.idp.com:8443/am \
      --useridmapping /tmp/user-map.txt \
      --nameidmapping /tmp/name-map.txt \
      --adminid uid=amAdmin,ou=People,dc=am,dc=example,dc=com \
      --password-file /tmp/pwd.txt \
      --spec saml2
    Bulk Federation for this host was completed.
    To complete the federation, name Id mapping file should be loaded to remote provider.
- Copy the name ID mapping output file to the other provider:

    $ scp /tmp/name-map.txt openam@www.idp.com:/tmp/name-map.txt
    openam@www.idp.com's password: **
    name-map.txt                100%  177     0.2KB/s   00:00
- Import the name ID mapping file with the ssoadm import-bulk-fed-data command. The following example is performed on the IdP side:

    $ ssoadm import-bulk-fed-data \
      --adminid uid=amAdmin,ou=People,dc=am,dc=example,dc=com \
      --password-file /tmp/pwd.txt \
      --metaalias /idp \
      --bulk-data-file /tmp/name-map.txt
    Bulk Federation for this host was completed.
At this point the accounts are linked.