Context
This configuration applies to the federation type Persistent Users. The Persistent name ID format also supports the advanced options interactive account linking and automatic account creation, which let users federate their accounts themselves during authentication instead of relying on an administrator to prepare the mapping.

You can also use out-of-band account linking with the Persistent name ID format, but in that case the link between the persistent name ID and the local user must be established ahead of time.
Procedure
- Start the SAML 2.0 configuration application (transaction SAML2).
- On the Trusted Providers tab, select an identity provider and choose the Edit pushbutton.
- On the Identity Federation tab, choose the Add pushbutton.
- Select the name ID format Persistent.
- Select Interactive Account Linking for the Account Federation field.
To allow the identity provider to create a persistent name ID when none exists yet for the user account on the identity provider, enter Yes in the Allow Identity Provider to Create NameID field. Otherwise, if no persistent name ID exists for the user account on the identity provider, the identity provider returns an error instead of an assertion.

With interactive account linking, if there is no pre-existing federation, that is, no user on the service provider is federated with the persistent name ID in the assertion, the service provider prompts the user to log on with local credentials. After the user logs on, the service provider asks the user whether to federate the accounts. If the user accepts, the service provider links the persistent name ID from the assertion to the user ID on the service provider, and subsequent logons with that name ID succeed without a local logon. If the user declines, the service provider lets the user log on as usual but does not link the accounts.
- Configure the identity provider to provide the persistent name ID and any other attributes required by your configuration.
- Save your entries.
For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.
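The following added example models the two decisions the procedure above describes, on both sides of the exchange: the identity provider either returns an existing persistent name ID, creates one when the service provider's request allows it (SAML 2.0 expresses this as the AllowCreate attribute of NameIDPolicy, which is what the Allow Identity Provider to Create NameID field controls), or fails; and the service provider, on receiving an assertion, either logs the user on through an existing federation, prompts for a local logon, or links the persistent name ID after the user accepts. This is illustrative code written for this page, not SAP code and not the internals of transaction SAML2; the assertion is constructed, and the names FederationStore, sp_login_decision and idp_resolve_name_id are assumptions for the illustration.

```python
"""Model of SAML 2.0 interactive account linking with the Persistent name ID format.

Added illustrative example, not SAP code.  FederationStore, sp_login_decision and
idp_resolve_name_id are invented names; the assertion below is constructed.
"""
import secrets
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion (not captured from any real system); the
# persistent NameID is an opaque value that carries no user information.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.invalid</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 NameQualifier="https://idp.example.invalid"
                 SPNameQualifier="https://sp.example.invalid">a1b2c3-opaque</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


def idp_resolve_name_id(idp_links, user, sp_entity, allow_create):
    """Identity provider side: return the persistent name ID stored for (user, SP).

    If none exists, create one only when the request permits it (AllowCreate,
    i.e. the Allow Identity Provider to Create NameID setting); otherwise fail,
    which the SP sees as an error response rather than an assertion.
    """
    key = (user, sp_entity)
    if key not in idp_links:
        if not allow_create:
            raise LookupError("no persistent name ID for this user and AllowCreate not set")
        # A fresh opaque value per (user, SP) pair: unrelated to the user name.
        idp_links[key] = "pid-" + secrets.token_hex(8)
    return idp_links[key]


def extract_persistent_name_id(assertion_xml):
    """Service provider side: return (issuer, name ID) from the assertion.

    Raise ValueError if the NameID is missing or not in the Persistent format,
    because this configuration requires that format.
    """
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        raise ValueError("assertion does not carry a persistent NameID")
    return issuer, name_id.text


@dataclass
class FederationStore:
    """(issuer, persistent name ID) -> local user ID mappings kept by the SP."""
    links: dict = field(default_factory=dict)

    def lookup(self, issuer, name_id):
        return self.links.get((issuer, name_id))

    def link(self, issuer, name_id, local_user):
        self.links[(issuer, name_id)] = local_user


def sp_login_decision(store, assertion_xml, local_logon=None, accept_link=False):
    """Outcome of one logon attempt at the service provider.

    local_logon is the local user ID the user authenticated with when prompted
    (None if no local logon has happened yet); accept_link is the user's answer
    to the federation prompt.  Returns (outcome, local user ID or None).
    """
    issuer, name_id = extract_persistent_name_id(assertion_xml)
    user = store.lookup(issuer, name_id)
    if user is not None:
        return ("federated_logon", user)           # existing federation: no prompt
    if local_logon is None:
        return ("prompt_local_logon", None)        # no federation yet: ask for local logon
    if accept_link:
        store.link(issuer, name_id, local_logon)   # user accepted: persist the link
        return ("linked_and_logged_on", local_logon)
    return ("logged_on_without_link", local_logon)  # user declined: logon only


if __name__ == "__main__":
    store = FederationStore()
    print(sp_login_decision(store, SAMPLE_ASSERTION))
    print(sp_login_decision(store, SAMPLE_ASSERTION, local_logon="DMOORE", accept_link=True))
    print(sp_login_decision(store, SAMPLE_ASSERTION))
```

Run stand-alone, the script prints the three states a first-time user passes through: a prompt for the local logon, the linked logon after acceptance, and a federated logon on the next attempt with no prompt. The check on the NameID Format is the point a defender should keep: a service provider configured for Persistent must reject assertions that carry another format rather than silently linking them.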
Example
Donna Moore has recently converted her landscape to SAML 2.0. The users are still logging on to each system with a separate user ID and password. Donna has set up a new identity provider with all the users and assigned each one a persistent name ID. She has just upgraded her legacy systems to support SAML 2.0 as service providers. In each system she trusts the SAML 2.0 identity provider and requires the Persistent name ID format. Since all the users already know their passwords in each system, she enables interactive account linking. Whenever a user logs on to a system for the first time since the conversion, the user enters his or her logon information and the service provider adds the persistent name ID from the identity provider to the local account. Donna does not need to go through the laborious process of adding the persistent name ID to every account in every system; the users do it themselves.