Link identities for authentication
IdPs and SPs must be able to communicate information about users. Sometimes the IdP chooses to share a minimum amount of information about an authenticated user. For example, the IdP can return a generated, opaque NameID that can’t directly be used to locate an identity in the SP identity store.

AM can use these pseudonym identifiers to establish links between otherwise unrelated accounts, by requiring that the user authenticates to the SP using a linking authentication mechanism.
First authentication to the SP
The following list describes the sequence of events that occurs the first time a user attempts to authenticate to the AM SP:

- Accessing the SP.
  A user attempts to access a service and is redirected to the AM server acting as the SP.
  The redirect URL specifies an authentication tree containing the SAML2 Authentication node. For example, https://www.sp.com:8443/am/XUI/#login/&service=spSAMLTree.
- Authentication at the IdP.
  AM redirects the user to the IdP. The user authenticates successfully at the IdP. The IdP returns a SAML assertion to the SP.
- SP attempts to access a federated identity.
  AM attempts to locate the identity in its own user store. No link between the IdP identity and a local one is found.
- Invocation of the linking authentication node(s).
  Because no link is found, AM follows the route through the authentication tree that lets the user authenticate on the SP.
- Identity federation.
  After successful authentication at the SP, AM writes the name ID from the assertion into the local user’s profile, creating a permanent link between the two identities.

Find information on creating permanent links between identities in Persistent or transient federation.

Find an example of an authentication tree that links identities in SSO and SLO in Integrated Mode.
Subsequent authentications to the SP
The following list describes the sequence of events that occurs during subsequent authentication attempts, after the user’s identities on the IdP and SP have been federated:

- Accessing the SP.
  A returning user attempts to access their service and is redirected to the AM server acting as the SP.
  Their login URL specifies the authentication tree containing the SAML2 Authentication node and the Write Federation Information node. For example, https://www.sp.com:8443/am/XUI/#login/&service=spSAMLTree.
- Authentication at the IdP.
  AM redirects the user to the IdP, and the user authenticates successfully at the IdP. The IdP returns a SAML assertion to the SP.
- SP attempts to access a federated identity.
  AM attempts to locate the name ID in its user store. The search for the name ID succeeds.
  Because there’s a match, the user doesn’t need to log in to the SP and can access the service.
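The two sequences above, modelled as an added example that is not code from the AM documentation: an in-memory SP user store, a lookup that only ever matches the opaque nameID against an existing federation link (never against a local user name), and a write step that records the link after local authentication. The store layout, the function names (`resolveFederatedIdentity`, `writeFederationInfo`, `spLogin`) and the sample values are assumptions made for this illustration.

```javascript
// Added example, not code from the AM docs: an in-memory model of the
// first-visit and subsequent-visit flows. Store layout, function names and
// sample values are assumptions made for this illustration.

const PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent";
const IDP_ENTITY_ID = "https://idp.example/saml2"; // constructed entity ID

// Constructed SP user store: profiles keyed by local user name. `federation`
// holds the link AM would write into the profile (null until linked).
function makeUserStore() {
  return new Map([
    ["alice", { sn: "Liddell", mail: "alice@sp.example", federation: null }],
    ["bob",   { sn: "Builder", mail: "bob@sp.example",   federation: null }],
  ]);
}

// Constructed stand-in for the assertion the IdP returns to the SP.
function assertion(nameIdValue, format) {
  return { issuer: IDP_ENTITY_ID, nameId: { value: nameIdValue, format: format || PERSISTENT } };
}

// "SP attempts to access a federated identity": the opaque nameID can only
// match an existing link, never a local user name, so a fresh value yields
// "No Account Exists" even if it happened to equal someone's uid.
function resolveFederatedIdentity(store, a) {
  for (const [userName, profile] of store) {
    const link = profile.federation;
    if (link && link.idp === a.issuer && link.nameId === a.nameId.value) {
      return { outcome: "Account Exists", userName: userName };
    }
  }
  return { outcome: "No Account Exists", userName: null };
}

// "Identity federation" / Write Federation Information: record the link on
// the locally authenticated profile. An existing transient link is replaced
// by a persistent one.
function writeFederationInfo(store, userName, a) {
  const profile = store.get(userName);
  if (!profile) throw new Error("unknown local user: " + userName);
  const hadTransient = Boolean(profile.federation && !profile.federation.persistent);
  profile.federation = { idp: a.issuer, nameId: a.nameId.value, persistent: true };
  return { converted: hadTransient, link: profile.federation };
}

// One SP login. The found path skips local authentication; the not-found path
// runs the linking route. `localLogin` stands in for the nodes that
// authenticate the user at the SP and returns the local user name, or null.
function spLogin(store, a, localLogin) {
  const found = resolveFederatedIdentity(store, a);
  if (found.outcome === "Account Exists") {
    return { userName: found.userName, linkedNow: false, prompted: false };
  }
  const userName = localLogin();
  if (!userName || !store.has(userName)) {
    return { userName: null, linkedNow: false, prompted: true }; // no link on failure
  }
  writeFederationInfo(store, userName, a);
  return { userName: userName, linkedNow: true, prompted: true };
}

// First and subsequent visits carrying the same persistent nameID.
function demo() {
  const store = makeUserStore();
  const a = assertion("a1b2c3-opaque-pairwise-id"); // constructed opaque value
  const first = spLogin(store, a, () => "alice");
  const second = spLogin(store, a, () => { throw new Error("must not be prompted"); });
  return { first: first, second: second, link: store.get("alice").federation };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point the model makes explicit is that the link is keyed on issuer plus nameID, so a pairwise identifier from one IdP cannot resolve to a local account it was never linked to, and a failed local login leaves no link behind.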
Configure authentication mechanisms to link accounts
If you aren’t using auto-federation, configure AM to link accounts in one of the following ways, depending on whether AM is standalone or part of an integrated Ping Identity Platform deployment.
Link accounts persistently (standalone AM)
Configure a tree similar to the following:

- Add a SAML2 Authentication node.
  Integrated mode is SP SSO-initiated only. SLO isn’t supported.
  Make sure that the NameID Format specified is `persistent`.
  The node processes the assertion, makes its contents available to the authentication tree’s state in the `userInfo` object, and tries to map the assertion’s nameID using the `uid` mapping in the SP’s assertion map. If the node finds a match, the tree continues through the Account Exists output. Otherwise, the tree continues through the No Account Exists output.
- On the No Account Exists outcome, configure nodes to authenticate the user to the SP.
Link accounts persistently (Ping Identity Platform deployment)
Configure a journey similar to the following:

- Add a SAML2 Authentication node.
  Integrated mode is SP SSO-initiated only. SLO isn’t supported.
  Make sure that the NameID Format specified is `persistent`.
  The node processes the assertion, makes its contents available to the authentication tree’s state in the `userInfo` object, and tries to map the assertion’s nameID using the `uid` mapping in the SP’s assertion map. If the node finds a match, the tree continues through the Account Exists output. Otherwise, the tree continues through the No Account Exists output.
  Note that the attribute the node uses to map the nameID isn’t configurable, and this example adds nodes to process the `userInfo` object and match its contents to the managed user’s schema instead.
- Add a Scripted Decision node to copy the information from the assertion to the authentication tree’s shared state.

  Example script (Next-generation):

  ```javascript
  // Runs after the SAML2 Authentication node has placed the assertion contents in userInfo.
  if (nodeState.get("userInfo")) {
    // Discard objectAttributes left over from an earlier node so only this assertion's values are used.
    if (nodeState.get("objectAttributes")) {
      nodeState.remove("objectAttributes");
    }
    var userName = null, sn = null, mail = null;
    try {
      // SAML attributes are multi-valued; take the first value of each.
      var attribs = nodeState.get("userInfo")["attributes"];
      userName = attribs["uid"][0];
      sn = attribs["sn"][0];
      mail = attribs["mail"][0];
    } catch (e) {
      logger.error("Error getting userInfo: " + e);
    }
    // Shape the values to the managed user schema for the nodes that follow.
    nodeState.putShared("objectAttributes", {"userName": userName, "sn": sn, "mail": mail});
  }
  action.goTo("true");
  ```

  Example script (Legacy):

  ```javascript
  var fr = JavaImporter(org.forgerock.openam.auth.node.api.Action);
  // Runs after the SAML2 Authentication node has placed the assertion contents in userInfo.
  if (nodeState.get("userInfo")) {
    // Discard objectAttributes left over from an earlier node so only this assertion's values are used.
    if (nodeState.get("objectAttributes")) {
      nodeState.remove("objectAttributes");
    }
    var userName = null, sn = null, mail = null;
    try {
      // In the legacy engine userInfo is a JsonValue; take the first value of each multi-valued attribute.
      var attribs = nodeState.get("userInfo").get("attributes");
      userName = attribs.get("uid").get(0).asString();
      sn = attribs.get("sn").get(0).asString();
      mail = attribs.get("mail").get(0).asString();
    } catch (e) {
      logger.error("Error getting userInfo: " + e);
    }
    // Shape the values to the managed user schema for the nodes that follow.
    nodeState.putShared("objectAttributes", {"userName": userName, "sn": sn, "mail": mail});
  }
  action = fr.Action.goTo("true").build();
  ```

  For more information, see Scripted Decision node API.
- Add an Identify Existing User node to search for the user with the appropriate attribute. For example, `userName`.
- Authenticate the user to the SP.
- Add the Write Federation Information node to the successful outcome of the authentication process to create the link between the accounts.
  If a transient link exists, it is converted into a persistent one.
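A variation on the scripted decision step above, added here as an example and not taken from the AM documentation: the attribute-copy logic rewritten to fail closed. The documented script logs an error when the assertion lacks an attribute, yet still writes `null` values into `objectAttributes` and takes the `true` outcome, which lets the following Identify Existing User node search on incomplete data. This version returns `false` and writes nothing when a required attribute is missing. The `copyAssertionAttributes` function, the `mockNodeState` and `quietLogger` stand-ins for the node bindings, and the sample assertion values are assumptions made so the logic runs under Node.

```javascript
// Added example, not the AM docs' script: fail-closed attribute copy for the
// next-generation scripting engine. Function names, the mock node state and
// the sample values are assumptions for this illustration.

// Managed-user attribute -> SAML attribute name it is filled from.
const REQUIRED = { userName: "uid", sn: "sn", mail: "mail" };

// First non-empty string value of a multi-valued SAML attribute, or null.
function firstValue(attribs, name) {
  const values = attribs ? attribs[name] : undefined;
  if (!Array.isArray(values) || values.length === 0) return null;
  const v = values[0];
  return typeof v === "string" && v.trim() !== "" ? v : null;
}

// Builds objectAttributes from userInfo and returns the outcome to take.
// Partial data is never written: either every required attribute is
// present and "true" is returned, or nothing is written and "false" is.
function copyAssertionAttributes(nodeState, logger) {
  const userInfo = nodeState.get("userInfo");
  if (!userInfo) {
    logger.error("userInfo missing from node state; no assertion was processed");
    return "false";
  }
  // Always drop stale objectAttributes so an earlier node cannot leak values in.
  if (nodeState.get("objectAttributes")) nodeState.remove("objectAttributes");

  const out = {};
  const missing = [];
  for (const [target, source] of Object.entries(REQUIRED)) {
    const v = firstValue(userInfo.attributes, source);
    if (v === null) missing.push(source);
    else out[target] = v;
  }
  if (missing.length > 0) {
    logger.error("assertion lacks required attribute(s): " + missing.join(", "));
    return "false";
  }
  nodeState.putShared("objectAttributes", out);
  return "true";
}

// Minimal stand-ins for the Scripted Decision node bindings (constructed).
function mockNodeState(initial) {
  const shared = Object.assign({}, initial);
  return {
    get: (k) => (k in shared ? shared[k] : null),
    putShared: (k, v) => { shared[k] = v; },
    remove: (k) => { delete shared[k]; },
  };
}
const quietLogger = { messages: [], error(m) { this.messages.push(m); } };

// A complete assertion and one with no mail attribute (constructed samples).
function demo() {
  const complete = mockNodeState({
    userInfo: { attributes: { uid: ["alice"], sn: ["Liddell"], mail: ["alice@sp.example"] } },
  });
  const partial = mockNodeState({
    userInfo: { attributes: { uid: ["bob"], sn: ["Builder"] } },
    objectAttributes: { userName: "stale-value" },
  });
  return {
    complete: copyAssertionAttributes(complete, quietLogger),  // "true"
    completeAttrs: complete.get("objectAttributes"),
    partial: copyAssertionAttributes(partial, quietLogger),    // "false"
    partialAttrs: partial.get("objectAttributes"),             // null: stale value removed, nothing written
  };
}

console.log(JSON.stringify(demo(), null, 2));
// Inside the real node the tail of the script would be:
//   action.goTo(copyAssertionAttributes(nodeState, logger));
```

Route the `false` outcome to a failure or a deliberate linking path rather than to Identify Existing User, so that an IdP that omits `uid` cannot cause a match on an all-null attribute set.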