12.10.5. Configuring Auto-Federation

OpenAM lets you configure the service provider to link an account based on an attribute value from the identity provider. When you know the user accounts on both the identity provider and the service provider share a common attribute value, such as an email address or other unique user identifier, you can use this method to link accounts without user interaction. See Procedure 12.13, “To Auto-Federate Accounts Based on an Attribute Value”.

OpenAM also lets you map users on the identity provider temporarily to a single anonymous user account on the service provider, in order to exchange attributes about the user without a user-specific account on the service provider. This approach can be useful when the service provider either needs no user-specific account to provide a service, or when you do not want to retain a user profile on the service provider but instead you make authorization decisions based on attribute values from the identity provider. See Procedure 12.14, “To Auto-Federate Using a Single Service Provider Account”.

OpenAM further allows you to use attributes from the identity provider to create accounts dynamically on the service provider. When using this method, you should inform the user and obtain consent to create the account if necessary. See Procedure 12.15, “To Auto-Federate With Dynamic Service Provider Account Creation”.

Procedure 12.13. To Auto-Federate Accounts Based on an Attribute Value

The following steps demonstrate how to auto-federate accounts based on an attribute value that is the same in both accounts.

Perform the following steps on the hosted identity provider(s), and again on the hosted service provider(s).

  1. Log in to the OpenAM console as administrator.

  2. Browse to Federation > hosted-provider-name > Assertion Processing.

  3. If the attribute to use for auto-federation is not yet in the attribute map, add the attribute mapping, and then Save your work.

  4. On the hosted service provider, under Auto Federation, select Enabled and enter the local attribute name in the Attribute field, and then Save your work.

Procedure 12.14. To Auto-Federate Using a Single Service Provider Account

The following steps demonstrate how to auto-federate using a single anonymous user account on the service provider.

Perform the following steps on the hosted identity provider(s), and again on the hosted service provider(s).

  1. Log in to the OpenAM console as administrator.

  2. Browse to Federation > hosted-provider-name > Assertion Processing.

  3. If you want to get attributes from the identity provider and the attributes are not yet in the attribute map, add the attribute mapping, and then Save your work.

  4. On the hosted service provider, under Transient User, set the single account to which to map all users, such as anonymous, and then Save your work.

  5. After completing configuration on the providers, use transient identifiers to federate as described in Section 12.10.1, “Using Transient Federation Identifiers”.

Procedure 12.15. To Auto-Federate With Dynamic Service Provider Account Creation

The following steps demonstrate how to auto-federate, dynamically creating an account on the service provider if necessary.

  1. Set up auto-federation as described in Procedure 12.13, “To Auto-Federate Accounts Based on an Attribute Value”. The attributes you map from the identity provider are those that the service provider sets on the dynamically created accounts.

  2. On the service provider console, browse to Access Control > realm-name > Authentication > All Core Settings..., set User Profile to Dynamic or Dynamic with User Alias, which are described in Hints For the Core Authentication Module, and then Save your work.

  3. To test your work, create a user on the identity provider, log out of the console, and initiate SSO, logging in as the user you created.

    To initiate SSO, browse to one of the OpenAM SAML 2.0 JSPs with the appropriate query parameters. The following is an example URL for service provider-initiated SSO.

    http://www.sp.example:8080/openam/saml2/jsp/spSSOInit.jsp?
     idpEntityID=http%3A%2F%2Fwww.idp.example%3A8080%2Fopenam
     &metaAlias=/sp

    On success, check http://www.sp.example:8080/openam/idm/EndUser to see the new user account.
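As an added example that is not OpenAM's own code, the following Python script shows how a service provider could resolve a local account from a received SAML 2.0 assertion under the three modes described in Procedures 12.13, 12.14 and 12.15: linking on a mapped attribute value, mapping every user to one transient account, and creating an account dynamically when no match exists. The sample assertion, the attribute map, the local user store and the way a uid is derived for a new account are all constructed for this example, and the assertion's signature is assumed to have been validated before it reaches this code.

```python
"""Added example (not OpenAM code): resolving a service provider account
from a SAML 2.0 assertion under the three auto-federation modes."""
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion, as the SP would see it after signature
# validation.  The IdP sends "mail" and "cn" in its AttributeStatement.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2014-01-01T00:00:00Z">
  <saml:Issuer>http://www.idp.example:8080/openam</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_tx9</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>bjensen@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="cn"><saml:AttributeValue>Barbara Jensen</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed attribute map, as configured under Assertion Processing:
# identity provider attribute name -> local attribute name on the SP.
ATTRIBUTE_MAP = {"mail": "mail", "cn": "cn"}

# Constructed local user store on the SP, keyed by uid.  "anonymous" is the
# single account that Transient User maps everyone to.
LOCAL_USERS = {
    "bjensen": {"mail": "bjensen@example.com", "cn": "Barbara Jensen"},
    "anonymous": {},
}


def mapped_attributes(assertion_xml, attribute_map):
    """Extract the AttributeStatement and rename attributes via the map.
    Attributes the map does not mention are dropped."""
    root = ET.fromstring(assertion_xml)
    out = {}
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        local_name = attribute_map.get(attr.get("Name"))
        if local_name is None:
            continue
        values = [v.text for v in attr.findall("saml:AttributeValue", NS)]
        out[local_name] = values[0] if len(values) == 1 else values
    return out


def resolve_account(attrs, users, mode, auto_fed_attr="mail", transient_user="anonymous"):
    """Return (uid, created) for the local account the assertion maps to,
    or (None, False) when no account can be linked.

    mode is one of:
      "attribute" - Procedure 12.13: link on the auto-federation attribute
      "transient" - Procedure 12.14: map every user to the transient account
      "dynamic"   - Procedure 12.15: link on the attribute, else create
    """
    if mode == "attribute":
        value = attrs.get(auto_fed_attr)
        if value is None:
            return None, False
        matches = [uid for uid, a in users.items() if a.get(auto_fed_attr) == value]
        # Zero or several candidates: refuse to link rather than guess, since
        # linking requires the attribute to be a unique identifier.
        if len(matches) != 1:
            return None, False
        return matches[0], False

    if mode == "transient":
        if transient_user not in users:
            return None, False
        return transient_user, False

    if mode == "dynamic":
        uid, _ = resolve_account(attrs, users, "attribute", auto_fed_attr)
        if uid is not None:
            return uid, False
        value = attrs.get(auto_fed_attr)
        if value is None or value in users:
            return None, False
        # Constructed uid derivation: use the auto-federation value itself.
        # The mapped attributes become the new profile, as step 1 of
        # Procedure 12.15 describes.
        users[value] = dict(attrs)
        return value, True

    raise ValueError("unknown mode: %s" % mode)


if __name__ == "__main__":
    attrs = mapped_attributes(SAMPLE_ASSERTION, ATTRIBUTE_MAP)
    for mode in ("attribute", "transient", "dynamic"):
        print(mode, resolve_account(attrs, dict(LOCAL_USERS), mode))
```

The dynamic mode first tries the attribute-based link so an existing account is reused rather than duplicated; a new profile is only written when the auto-federation attribute is present in the assertion and matches nothing in the store.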