12.10.3. Changing Federation of Persistently Linked Accounts

OpenAM implements the SAML 2.0 Name Identifier Management profile, allowing you to change a persistent identifier that has been set to federate accounts, and also to terminate federation for an account.

When user accounts are stored in an LDAP directory server, name identifier information is stored in the sun-fm-saml2-nameid-info and sun-fm-saml2-nameid-infokey attributes of the user's entry.[7] You can retrieve the name identifier value by checking the value of sun-fm-saml2-nameid-infokey.

For example, if the user's entry in the directory shows sun-fm-saml2-nameid-infokey: http://www.idp.example:8080/openam|http://www.sp.example:8080/openam|XyfFEsr6Vixbnt0BSqIglLFMGjR2, then the name identifier is XyfFEsr6Vixbnt0BSqIglLFMGjR2.

You can use this identifier to initiate a change request from the service provider as in the following example.

http://www.sp.example:8080/openam/saml2/jsp/spMNIRequestInit.jsp?
 idpEntityID=http%3A%2F%2Fwww.idp.example%3A8080%2Fopenam
 &metaAlias=/sp
 &requestType=NewID
 &IDPProvidedID=XyfFEsr6Vixbnt0BSqIglLFMGjR2

If desired, you can substitute openam/SPMniInit for openam/saml2/jsp/spMNIRequestInit.jsp.

You can also initiate the change request from the identity provider as in the following example.

http://www.idp.example:8080/openam/saml2/jsp/idpMNIRequestInit.jsp?
 spEntityID=http%3A%2F%2Fwww.sp.example%3A8080%2Fopenam
 &metaAlias=/idp
 &requestType=NewID
 &SPProvidedID=XyfFEsr6Vixbnt0BSqIglLFMGjR2

If desired, you can substitute openam/IDPMniInit for openam/saml2/jsp/idpMNIRequestInit.jsp.

idpMNIRequestInit.jsp Parameters

spEntityID

(Required) Use this parameter to indicate the remote service provider. Make sure you URL encode the value. For example, specify spEntityID=http://www.sp.example:8080/openam as spEntityID=http%3A%2F%2Fwww.sp.example%3A8080%2Fopenam.

metaAlias

(Required) Use this parameter to specify the local alias for the provider, such as metaAlias=/myRealm/idp. This parameter takes the format /realm-name/provider-name as described in MetaAlias. You do not repeat the slash for the top level realm, for example metaAlias=/idp.

requestType

(Required) Type of manage name ID request, either NewID to change the ID, or Terminate to remove the information that links the accounts on the identity provider and service provider.

SPProvidedID

(Required if requestType=NewID) Name identifier in use as described above.

affiliationID

(Optional) Use this parameter to specify a SAML affiliation identifier.

binding

(Optional) Use this parameter to indicate what binding to use for the operation. The full, long name format is required for this parameter to work.

The value must be one of the following.

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

  • urn:oasis:names:tc:SAML:2.0:bindings:SOAP

relayState

(Optional) Use this parameter to specify where to redirect the user when the process is complete. Make sure you URL encode the value. For example, relayState=http%3A%2F%2Fforgerock.com takes the user to http://forgerock.com.

spMNIRequestInit.jsp Parameters

idpEntityID

(Required) Use this parameter to indicate the remote identity provider. Make sure you URL encode the value. For example, specify idpEntityID=http://www.idp.example:8080/openam as idpEntityID=http%3A%2F%2Fwww.idp.example%3A8080%2Fopenam.

metaAlias

(Required) Use this parameter to specify the local alias for the provider, such as metaAlias=/myRealm/sp. This parameter takes the format /realm-name/provider-name as described in MetaAlias. You do not repeat the slash for the top level realm, for example metaAlias=/sp.

requestType

(Required) Type of manage name ID request, either NewID to change the ID, or Terminate to remove the information that links the accounts on the identity provider and service provider.

IDPProvidedID

(Required if requestType=NewID) Name identifier in use as described above.

affiliationID

(Optional) Use this parameter to specify a SAML affiliation identifier.

binding

(Optional) Use this parameter to indicate what binding to use for the operation. The full, long name format is required for this parameter to work.

The value must be one of the following.

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST

  • urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect

  • urn:oasis:names:tc:SAML:2.0:bindings:SOAP

relayState

(Optional) Use this parameter to specify where to redirect the user when the process is complete. Make sure you URL encode the value. For example, relayState=http%3A%2F%2Fforgerock.com takes the user to http://forgerock.com.
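The following script, an added example that is not part of OpenAM or of this guide, pulls the name identifier out of a sun-fm-saml2-nameid-infokey value and assembles the spMNIRequestInit.jsp request described above, applying the URL encoding, metaAlias format, requestType and binding rules from the parameter list. The function names and the sample attribute value are constructed for illustration.

```python
from urllib.parse import quote

# Binding URNs accepted by the optional binding parameter (full names only).
ALLOWED_BINDINGS = (
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
    "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect",
    "urn:oasis:names:tc:SAML:2.0:bindings:SOAP",
)

# Constructed sample: the sun-fm-saml2-nameid-infokey value quoted in the text.
SAMPLE_INFOKEY = ("http://www.idp.example:8080/openam|"
                  "http://www.sp.example:8080/openam|XyfFEsr6Vixbnt0BSqIglLFMGjR2")


def parse_nameid_infokey(value):
    """Split sun-fm-saml2-nameid-infokey into (idp_entity_id, sp_entity_id, name_id)."""
    parts = [p.strip() for p in value.split("|")]
    if len(parts) != 3 or not all(parts):
        raise ValueError("unexpected sun-fm-saml2-nameid-infokey value: %r" % value)
    return tuple(parts)


def build_sp_mni_url(sp_base, idp_entity_id, meta_alias, request_type,
                     name_id=None, binding=None, relay_state=None):
    """Build the SP-initiated spMNIRequestInit.jsp URL with correctly encoded values."""
    if request_type not in ("NewID", "Terminate"):
        raise ValueError("requestType must be NewID or Terminate")
    if request_type == "NewID" and not name_id:
        raise ValueError("IDPProvidedID is required when requestType=NewID")
    if not meta_alias.startswith("/"):
        raise ValueError("metaAlias must have the form /realm-name/provider-name")
    if binding is not None and binding not in ALLOWED_BINDINGS:
        raise ValueError("binding must be one of the full SAML 2.0 binding URNs")
    # Entity IDs, the name identifier, binding and relayState are fully encoded
    # (':' -> %3A, '/' -> %2F); metaAlias is a local path and keeps its slashes.
    params = [("idpEntityID", quote(idp_entity_id, safe="")),
              ("metaAlias", quote(meta_alias, safe="/")),
              ("requestType", request_type)]
    for key, val in (("IDPProvidedID", name_id), ("binding", binding),
                     ("relayState", relay_state)):
        if val:
            params.append((key, quote(val, safe="")))
    query = "&".join("%s=%s" % kv for kv in params)
    return sp_base.rstrip("/") + "/saml2/jsp/spMNIRequestInit.jsp?" + query


def mni_url_from_infokey(sp_base, infokey, meta_alias, request_type, **kw):
    """Take the IdP entity ID and name identifier from the directory attribute."""
    idp_entity_id, _sp_entity_id, name_id = parse_nameid_infokey(infokey)
    return build_sp_mni_url(sp_base, idp_entity_id, meta_alias, request_type,
                            name_id=name_id if request_type == "NewID" else None, **kw)
```

Run with the sample value and metaAlias=/sp to reproduce the NewID request URL shown earlier in this section; pass requestType=Terminate to build the termination request without an IDPProvidedID.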

You can terminate federation as described in Section 12.10.4, “Terminating Federation of Persistently Linked Accounts”.

[7] These attribute types are configurable in the OpenAM console under Configuration > Global > SAMLv2 Service Configuration.