Configuring Identity Federation with Persistent Name ID Format

Prerequisites

You have trusted an identity provider.

For more information, see Trusting an Identity Provider.

Context

This configuration applies to the federation type Persistent Users, but it also offers advanced options, such as interactive account linking and automatic account creation. Both options enable users to federate their accounts during authentication.

You can also use out-of-band account linking with the Persistent name ID format, but the linking must be established ahead of time.

Procedure

  1. Start the SAML 2.0 configuration application (transaction SAML2).
  2. On the Trusted Providers tab, select an identity provider and choose the Edit pushbutton.
  3. On the Identity Federation tab, choose the Add pushbutton.
  4. Select the name ID format Persistent.
  5. Select Interactive Account Linking for the Account Federation field.
    To enable the identity provider to create a persistent name ID if none exists for the user account on the identity provider, enter Yes in the Allow Identity Provider to Create NameID field. Otherwise, if no persistent name ID exists for the user account on the identity provider, the identity provider returns an error.

    In this mode, if there is no pre-existing federation, that is, if there is no user on the service provider federated with this persistent name ID, the service provider prompts the user to log on. When the user logs on, the service provider prompts the user to federate the accounts. If the user accepts, the service provider federates the persistent name ID from the assertion to the user ID on the service provider. If the user declines, the service provider allows the user to log on as usual, but does not federate the accounts.

  6. Configure the identity provider to provide the persistent name ID and any other attributes required by your configuration.
    For more information about configuring an identity provider, see the documentation supplied by the identity provider vendor.
  7. Save your entries.
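The service-provider decision described in step 5 (existing federation, interactive linking prompt, user declines) and the AllowCreate flag that corresponds to the Allow Identity Provider to Create NameID setting, as an added example that is not SAP code and not part of the original page. The assertion, issuer, entity IDs and NameID value are constructed, and the example assumes the assertion's signature and conditions have already been validated.

```python
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion",
      "samlp": "urn:oasis:names:tc:SAML:2.0:protocol"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed sample assertion (not from the page); signature already verified.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
                 SPNameQualifier="https://sp.example.com">a1b2c3-opaque-id</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""

def build_nameid_policy(allow_create: bool) -> str:
    """NameIDPolicy element the service provider sends in its AuthnRequest;
    AllowCreate mirrors the 'Allow Identity Provider to Create NameID' field."""
    return (f'<samlp:NameIDPolicy xmlns:samlp="{NS["samlp"]}" Format="{PERSISTENT}" '
            f'AllowCreate="{"true" if allow_create else "false"}"/>')

def extract_persistent_name_id(assertion_xml: str) -> tuple:
    """Return (issuer, name_id); reject any format other than persistent."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=NS)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or name_id.get("Format") != PERSISTENT:
        raise ValueError("assertion does not carry a persistent NameID")
    return issuer, name_id.text.strip()

def resolve_logon(assertion_xml, federation, local_logon, user_accepts_linking):
    """Interactive account linking on the service provider.
    federation: dict {(issuer, name_id): local_user}, updated when a link is made.
    local_logon: callable returning the locally authenticated user ID, or None.
    user_accepts_linking: callable returning True if the user agrees to federate."""
    key = extract_persistent_name_id(assertion_xml)
    if key in federation:                      # pre-existing federation: no prompt
        return ("federated", federation[key])
    local_user = local_logon()                 # no federation yet: local logon prompt
    if local_user is None:
        return ("denied", None)
    if user_accepts_linking(local_user):       # store the persistent ID on the account
        federation[key] = local_user
        return ("linked", local_user)
    return ("logged_on_unlinked", local_user)  # logon allowed, nothing federated
```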

Example

Donna Moore has recently configured her landscape to SAML 2.0. The users are still logging into each system with a separate user ID and password. Donna has set up a new identity provider with all the users and assigned each one a persistent name ID. She has just upgraded her legacy systems to support SAML 2.0 as service providers. In each system she trusts the SAML 2.0 identity provider and requires the Persistent name ID format. Since all the users already know their passwords in each system, she enables interactive account linking. Whenever a user logs on to a system for the first time since conversion, the user enters his or her logon information and the service provider adds the persistent name ID from the identity provider to the local account. Donna does not need to go through the laborious process of adding the persistent ID to every account in every system. The users do it themselves.