Local Account Linking Configuration (SAML 2.0)
Implementing the local account linking method of provisioning requires configuration at the Identity Provider and Service Provider.
To configure local account linking at the Identity Provider
- Access the Partnership wizard and navigate to the Name Id and Attributes step.
- Configure the required fields in the Name ID group box.
These fields determine which attribute is used as the NameID in the assertion.
Note: You can click Help for a description of fields, controls, and their respective requirements.
- Select the Allow Creation of User Identifier check box.
- Select the Confirm step in the Partnership wizard and click Finish to save your changes.
Configuration at the Identity Provider is complete.
To configure local account linking at the Service Provider
- Access the Partnership wizard and navigate to the User Identification step.
- In the Choose Identity Attribute from Assertion group box:
  - Select NameID as the attribute from the assertion used for identification.
  - Select Allow IDP to create user identifier.
  - Enter a value for the Search Specification field.
The Search Specification value is the attribute Federation Manager uses to look up the user and to store the persistent identifier sent from the IdP; %s is replaced with the NameID value received in the assertion. For example, if buyerID should store the value of the NameID, set the string to buyerID=%s.
- Navigate to the Application Integration step.
- Select Local Account Linking for the Provisioning Type field in the User Provisioning section of the dialog.
Selecting this option automatically configures the User Not Found URL to the linkaccount.jsp page with a method of POST. This URL is where Federation Manager redirects the user after the first failed authentication attempt.
- (Optional) Customize the linkaccount.jsp file to provide a custom user experience when the user is redirected after a failed authentication attempt. This file must POST the accountlinking and samlresponse parameters back to the Assertion Consumer Service, with accountlinking set to yes. The page is in federation_mgr_home/secure-proxy/Tomcat/webapps/affwebservices/public.
- Select the Confirm step in the Partnership wizard and click Finish to save your changes.
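As an added illustration of the linkaccount.jsp customization step (this is example code, not the linkaccount.jsp shipped with Federation Manager), the page below carries the two required parameters back to the Assertion Consumer Service. It assumes the SAML response reaches the page as a request parameter named samlresponse and uses a placeholder ACS path; the value is HTML-escaped before it is reflected into the form so that a crafted assertion cannot inject markup into the page.

```jsp
<%@ page contentType="text/html; charset=UTF-8" pageEncoding="UTF-8" %>
<%!
  // Minimal HTML attribute escaping: the assertion value is untrusted input
  // and must not be written into the page verbatim.
  private static String esc(String s) {
    if (s == null) return "";
    StringBuilder b = new StringBuilder(s.length());
    for (char c : s.toCharArray()) {
      switch (c) {
        case '<':  b.append("&lt;");   break;
        case '>':  b.append("&gt;");   break;
        case '&':  b.append("&amp;");  break;
        case '"':  b.append("&quot;"); break;
        case '\'': b.append("&#39;");  break;
        default:   b.append(c);
      }
    }
    return b.toString();
  }
%>
<%
  // Assumption: Federation Manager passes the SAML response to this page as the
  // "samlresponse" request parameter; adjust if your deployment uses another name.
  String samlResponse = request.getParameter("samlresponse");
  // Assumption (placeholder): the Assertion Consumer Service path of this SP.
  String acsUrl = "/affwebservices/public/saml2assertionconsumer";
%>
<!DOCTYPE html>
<html>
<head><title>Link your account</title></head>
<body>
  <h1>Link your account</h1>
  <% if (samlResponse == null || samlResponse.isEmpty()) { %>
    <!-- Without an assertion there is nothing to link; do not build the form. -->
    <p>No assertion was received. Start sign-on again from your identity provider.</p>
  <% } else { %>
    <p>No local account matches the identity sent by your identity provider.
       Select Continue to link this identity to a new local account.</p>
    <form method="POST" action="<%= esc(acsUrl) %>">
      <!-- accountlinking must be "yes" for the ACS to create and link the account -->
      <input type="hidden" name="accountlinking" value="yes" />
      <!-- the original SAML response is replayed to the ACS unchanged -->
      <input type="hidden" name="samlresponse" value="<%= esc(samlResponse) %>" />
      <button type="submit">Continue</button>
    </form>
  <% } %>
</body>
</html>
```

Deploy the file in place of the stock page under the path given above; the ACS still validates the replayed assertion, so the page itself adds no trust decision of its own.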