Configuring Identity Federation with Persistent Pseudonyms

Use this procedure to enable identity federation when no previous linking between the accounts exists. Interactive account linking and automatic account creation let users federate their accounts during authentication, rather than requiring an administrator to map every account ahead of time. Both methods of identity federation use the persistent pseudonym name ID format to link the account on the identity provider to the account on the service provider. The steps below configure interactive account linking.

You can also use out-of-band account linking with persistent pseudonyms, but the linking must be established ahead of time.

For more information, see Configuring Out-of-Band Account Linking.

Prerequisites

You have trusted an identity provider.

For more information, see Trusting an Identity Provider.

Procedure

  1. Start the SAML 2.0 configuration application (transaction SAML2).

  2. On the Trusted Providers tab, select an identity provider and choose the Edit pushbutton.

  3. On the Identity Federation tab, choose the Add pushbutton.

  4. Select the name ID format Persistent.

  5. Enter Interactive account linking in the Federation Mode field.

    In this mode, if there is no pre-existing federation, that is, if no user on the service provider carries the persistent name ID found in the assertion, the service provider prompts the user to log on with the local user ID and password. Once the user has logged on, the service provider prompts the user to federate the accounts. If the user accepts, the service provider writes the persistent name ID issued by the identity provider to the user attribute configured for the persistent name ID on the service provider. If the user declines, the service provider logs the user on as usual, but does not federate the accounts. On later logons with the same persistent name ID, the service provider finds the linked user and logs the user on without prompting. Because the link is only written after a successful local logon, a user can only federate an account whose password they already know.

    To enable the identity provider to create a persistent name ID if none exists for the user account on the identity provider, enter Yes in the Allow Identity Provider to Create NameID field. Otherwise, if no persistent name ID exists for the user account on the identity provider, the identity provider cannot supply one in the assertion and the service provider does not offer to federate the user.

  6. Save your entries.

  7. Configure the identity provider to provide the persistent name ID and any other attributes required by your configuration.

      For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.
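The following model of the service provider's decision logic is an added illustration, not SAP's implementation and not part of this documentation. It shows the branches described in step 5: a trusted issuer check, the requirement that the name ID is of the persistent format and scoped to that issuer, the lookup on (issuer, value) so the same pseudonym string from a different identity provider does not match, the local logon and consent prompts when no link exists, and the silent logon once a link has been written. The entity IDs, user names and passwords are constructed sample data. Two modelling choices are assumptions: an assertion without a usable persistent name ID is treated as not logging the user on at all, and the "Allow Identity Provider to Create NameID" setting is rendered as the AllowCreate attribute of the SAML 2.0 NameIDPolicy element, which is the standard mechanism by which a service provider asks the identity provider to mint a pseudonym.

```python
"""Illustrative model of interactive account linking on a SAML 2.0 service
provider. Added example code, not SAP's implementation; all identifiers and
credentials below are constructed sample data."""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterable, Optional, Tuple

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"


@dataclass
class NameID:
    fmt: str
    value: str
    name_qualifier: str  # identity provider that issued the pseudonym


@dataclass
class Assertion:
    issuer: str
    name_id: Optional[NameID]  # None: the IdP had no persistent pseudonym


@dataclass
class LocalUser:
    user_id: str
    password: str
    # The user attribute configured for the persistent name ID, keyed by
    # issuing identity provider so pseudonyms from different IdPs never mix.
    persistent_ids: Dict[str, str] = field(default_factory=dict)


@dataclass
class Outcome:
    status: str  # rejected | federated | linked | local_only | failed
    user_id: Optional[str] = None


class ServiceProvider:
    def __init__(self, trusted_idps: Iterable[str], users: Iterable[LocalUser],
                 allow_idp_create_nameid: bool = False):
        self.trusted_idps = set(trusted_idps)
        self.users = {u.user_id: u for u in users}
        self.allow_idp_create_nameid = allow_idp_create_nameid

    def name_id_policy(self) -> Dict[str, str]:
        """NameIDPolicy attributes the SP puts in its authentication request.
        Assumption: the SAML2 'Allow IdP to Create NameID' setting is what
        drives AllowCreate here."""
        return {"Format": PERSISTENT,
                "AllowCreate": "true" if self.allow_idp_create_nameid else "false"}

    def find_federated_user(self, name_id: NameID) -> Optional[LocalUser]:
        for user in self.users.values():
            if user.persistent_ids.get(name_id.name_qualifier) == name_id.value:
                return user
        return None

    def logon(self, assertion: Assertion,
              ask_credentials: Callable[[], Tuple[str, str]],
              ask_consent: Callable[[str], bool]) -> Outcome:
        if assertion.issuer not in self.trusted_idps:
            return Outcome("rejected")
        nid = assertion.name_id
        # No usable persistent pseudonym: nothing to federate on.
        # (Assumption of this model: the logon is not continued.)
        if nid is None or nid.fmt != PERSISTENT or nid.name_qualifier != assertion.issuer:
            return Outcome("rejected")
        user = self.find_federated_user(nid)
        if user is not None:  # pre-existing federation: no prompts
            return Outcome("federated", user.user_id)
        # No link yet: the user must prove ownership of a local account first.
        user_id, password = ask_credentials()
        user = self.users.get(user_id)
        if user is None or not hmac.compare_digest(user.password.encode(), password.encode()):
            return Outcome("failed")
        if ask_consent(user_id):
            user.persistent_ids[assertion.issuer] = nid.value  # write the link
            return Outcome("linked", user_id)
        return Outcome("local_only", user_id)  # logged on, not federated


def walkthrough() -> Dict[str, str]:
    """Run the scenarios from the text against one SP; returns status per step."""
    idp = "https://idp.example.com/saml2"
    sp = ServiceProvider([idp], [LocalUser("DMOORE", "s3cret-sample")], True)
    nid = NameID(PERSISTENT, "8f1c-pseudonym-sample", idp)
    creds = lambda: ("DMOORE", "s3cret-sample")
    never = lambda: (_ for _ in ()).throw(AssertionError("must not prompt"))
    out = {}
    out["untrusted"] = sp.logon(Assertion("https://evil.example.net", nid), creds, lambda u: True).status
    out["no_nameid"] = sp.logon(Assertion(idp, None), creds, lambda u: True).status
    out["declined"] = sp.logon(Assertion(idp, nid), creds, lambda u: False).status
    out["first"] = sp.logon(Assertion(idp, nid), creds, lambda u: True).status
    out["second"] = sp.logon(Assertion(idp, nid), never, lambda u: True).status
    other = NameID(PERSISTENT, nid.value, "https://other-idp.example.org")
    out["other_idp"] = sp.logon(Assertion(idp, other), creds, lambda u: True).status
    return out
```

The "declined" and "first" scenarios use the same pseudonym: declining leaves no link behind, so the next logon prompts again, whereas accepting once means the following logon ("second") completes without any prompt. The "other_idp" case is rejected because the pseudonym is qualified by an issuer that differs from the assertion's issuer; even if it were accepted, the lookup keyed by issuer would not match DMOORE's link.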

    Example

    Donna Moore has recently configured her network for SAML 2.0. The users are still logging on to each system with a separate user ID and password. Donna has set up a new identity provider with all the users and assigned each one a persistent name ID. She has just upgraded her legacy systems to support SAML 2.0 as service providers. In each system she trusts the SAML 2.0 identity provider and requires the Persistent name ID format. Since all the users already know their passwords in each system, she enables interactive account linking. Whenever a user logs on to a system for the first time since the conversion, the user enters his or her local logon information and the service provider adds the persistent name ID from the identity provider to the local account. Donna does not need to go through the laborious process of adding the persistent name ID to every account in every system. The users do it themselves.