12.10.6. Linking Federated Accounts in Bulk

If you manage both the identity provider and the service provider, you can link accounts out-of-band, in bulk. You make permanent connections between a list of identity provider accounts and the corresponding service provider accounts by using the ssoadm bulk federation commands.

Before you can run the bulk federation commands, first establish the relationship between accounts, set up the providers as described in Section 12.2, “Setting Up SAML 2.0 SSO”, and install the ssoadm command as described in To Set Up Administration Tools.

To understand the relationships between accounts, consider an example where the identity provider is at idp.example.org and the service provider is at sp.example.com. A demo user account has the Universal ID, id=demo,ou=user,dc=example,dc=org, on the identity provider. That maps to the Universal ID, id=demo,ou=user,dc=example,dc=com, on the service provider.

The ssoadm command then needs a file that maps local user IDs to remote user IDs, one per line, separated by the vertical bar character |. Each line of the file appears as follows.

local-user-ID|remote-user-ID

In the example, starting on the service provider side, the line for the demo user reads as follows.

id=demo,ou=user,dc=example,dc=com|id=demo,ou=user,dc=example,dc=org

All the user accounts mapped in your file must already exist at both the identity provider and the service provider when you run the commands to link them.
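Because the mapping file is plain text with one local-user-ID|remote-user-ID pair per line, a malformed or ambiguous file is easy to overlook until the wrong accounts have been linked. The following Python script is an added example and is not part of the OpenAM documentation or of the ssoadm tool. It parses a mapping file in the format described above, rejects lines that do not contain exactly one separator or that have an empty field, and reports any local or remote ID that appears more than once, since such an entry would link several accounts to a single identity. The sample mapping text embedded in the script is constructed for the demonstration; only its first line is the demo entry from the text.

```python
"""Check an ssoadm --useridmapping file before running do-bulk-federation.

Added example; not part of OpenAM or the ssoadm tool. The file format it
checks is the one described in the text: one local-user-ID|remote-user-ID
pair per line. The checks and the sample data are this example's own.
"""
import sys
from collections import Counter
from typing import Dict, List, Tuple

SEPARATOR = "|"

# Constructed sample: line 1 is the demo entry from the text; the other
# lines are made up to show the conditions the checker reports.
SAMPLE_MAPPING = (
    "id=demo,ou=user,dc=example,dc=com|id=demo,ou=user,dc=example,dc=org\n"
    "id=alice,ou=user,dc=example,dc=com|id=alice,ou=user,dc=example,dc=org\n"
    "id=bob,ou=user,dc=example,dc=com|id=bob,ou=user,dc=example,dc=org|extra\n"
    "id=carol,ou=user,dc=example,dc=com|\n"
    "id=demo,ou=user,dc=example,dc=com|id=demo2,ou=user,dc=example,dc=org\n"
)


def format_mapping_line(local_id: str, remote_id: str) -> str:
    """Build one mapping line, refusing IDs that would break the single-separator format."""
    for uid in (local_id, remote_id):
        if SEPARATOR in uid or not uid.strip():
            raise ValueError(f"user ID cannot be empty or contain {SEPARATOR!r}: {uid!r}")
    return f"{local_id}{SEPARATOR}{remote_id}"


def parse_mapping_lines(lines) -> Tuple[List[Tuple[str, str]], List[str]]:
    """Return (pairs, problems).

    pairs: (local_id, remote_id) for every well-formed line.
    problems: one message per malformed line (1-based line numbers).
    Blank lines are skipped; the text describes no comment syntax, so none is accepted.
    """
    pairs: List[Tuple[str, str]] = []
    problems: List[str] = []
    for number, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        fields = line.split(SEPARATOR)
        if len(fields) != 2:
            problems.append(
                f"line {number}: expected exactly one {SEPARATOR!r}, found {len(fields) - 1}"
            )
            continue
        local_id, remote_id = (field.strip() for field in fields)
        if not local_id or not remote_id:
            problems.append(f"line {number}: empty local or remote user ID")
            continue
        pairs.append((local_id, remote_id))
    return pairs, problems


def find_duplicates(pairs) -> Tuple[List[str], List[str]]:
    """IDs that occur in more than one pair, on either side.

    A local ID listed twice would be linked to two remote identities, and a
    remote ID listed twice would let one remote principal reach two local
    accounts; both are data errors to fix before linking.
    """
    local_counts = Counter(local for local, _ in pairs)
    remote_counts = Counter(remote for _, remote in pairs)
    dup_local = sorted(uid for uid, n in local_counts.items() if n > 1)
    dup_remote = sorted(uid for uid, n in remote_counts.items() if n > 1)
    return dup_local, dup_remote


def validate_mapping_text(text: str) -> Dict[str, object]:
    """Full check of a mapping file's contents; 'ok' is True only when nothing was flagged."""
    pairs, problems = parse_mapping_lines(text.splitlines(keepends=True))
    dup_local, dup_remote = find_duplicates(pairs)
    return {
        "pairs": pairs,
        "problems": problems,
        "duplicate_local": dup_local,
        "duplicate_remote": dup_remote,
        "ok": not (problems or dup_local or dup_remote),
    }


if __name__ == "__main__":
    # Usage: python3 check_user_map.py /tmp/user-map.txt  (no argument: check the sample)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_MAPPING
    report = validate_mapping_text(text)
    for msg in report["problems"]:
        print("ERROR", msg)
    for uid in report["duplicate_local"]:
        print("ERROR local ID mapped more than once:", uid)
    for uid in report["duplicate_remote"]:
        print("ERROR remote ID mapped more than once:", uid)
    print(f"{len(report['pairs'])} well-formed pairs; file is",
          "ready for do-bulk-federation" if report["ok"] else "NOT ready")
    sys.exit(0 if report["ok"] else 1)
```

Run it against the real file before step 1 of the procedure; a non-zero exit status means the file should be corrected first. The script checks only the shape of the file. It does not confirm that each account exists at its provider, which still has to be verified against the identity stores.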

Link the accounts using the ssoadm bulk federation commands.

  1. Prepare the data with the ssoadm do-bulk-federation command.

    The following example starts on the service provider side.

    $ cat /tmp/user-map.txt
    id=demo,ou=user,dc=example,dc=com|id=demo,ou=user,dc=example,dc=org
    $ ssoadm do-bulk-federation --metaalias /sp \
     --remoteentityid http://idp.example.org:8080/openam \
     --useridmapping /tmp/user-map.txt \
     --nameidmapping /tmp/name-map.txt \
     --adminid amadmin --password-file /tmp/pwd.txt \
     --spec saml2

    Bulk Federation for this host was completed. To complete the
    federation, name Id mapping file should be loaded to remote
    provider.
  2. Copy the name ID mapping output file to the other provider.

    $ scp /tmp/name-map.txt openam@idp.example.org:/tmp/name-map.txt
    openam@idp.example.org's password:
    name-map.txt                     100%  177     0.2KB/s   00:00
  3. Import the name ID mapping file with the ssoadm import-bulk-fed-data command.

    The following example is performed on the identity provider side.

    $ ssoadm import-bulk-fed-data \
     --adminid amadmin --password-file /tmp/pwd.txt \
     --metaalias /idp --bulk-data-file /tmp/name-map.txt

    Bulk Federation for this host was completed.

At this point the accounts are linked.