When an investor at FinancePro authenticates and clicks a link to access information at BankLtd, he is taken directly to the accounts area of BankLtd's web site without having to sign on again.
BankLtd maintains user identities for all customers of FinancePro, but the identities are different from those at FinancePro. For example, at FinancePro, there is a customer identified as JohnDoe. This same customer is identified at BankLtd as DoeJ. Regardless, access to sensitive portions of the BankLtd web site must be controlled. To establish the federated identity, the partners agree on an attribute that can be mapped to the appropriate identity for a single customer at either site.
The partners agree on which attribute to use during an out-of-band exchange of information, meaning that the agreement is not part of any communication in any message over a channel. For this example, the agreed upon attribute is a certified financial planner license number, referred to as the CFPNum in each user store.
When a customer tries to access the federated resource at BankLtd, the single sign-on process is triggered. The assertion generated at FinancePro contains the CFPNum attribute. When BankLtd receives the assertion, an application at its site must perform the user disambiguation process: it uses the attribute to determine which profile identity in its own user store should be used for the request.
The following figure shows how the same users are identified differently at each partner.

Federation Manager lets you configure identity mapping as part of the partnership configuration process. As part of the NameID and attribute configuration, you define an assertion attribute called CFPID and associate this with the user attribute CFPNum, which is the name of the attribute in each partner's user store.
Federation Manager includes the attribute in the assertion. When the assertion is received by BankLtd, the user disambiguation process at BankLtd can link the attribute in the assertion to the appropriate record in its user store.
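The following is an added example (not Federation Manager code and not part of the original page) of the disambiguation step as BankLtd's application would perform it: it extracts the agreed attribute from a received SAML assertion and resolves it to exactly one record in the local user store. The assertion XML, the user store contents and the value "CFP-00012345" are constructed for illustration; the example assumes that Federation Manager has already verified the assertion's signature and issuer before this mapping runs, so only the matching logic is shown.

```python
import xml.etree.ElementTree as ET

# SAML 2.0 assertion namespace used by the XPath lookups below.
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed sample assertion from FinancePro. The NameID (JohnDoe) is the
# FinancePro identity; the CFPID attribute carries the agreed mapping value.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    Version="2.0" ID="_constructed-example">
  <saml:Issuer>https://idp.financepro.example</saml:Issuer>
  <saml:Subject>
    <saml:NameID>JohnDoe</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="CFPID">
      <saml:AttributeValue>CFP-00012345</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed BankLtd user store. Each record carries the local user id and the
# CFPNum attribute that the partners agreed to use for identity mapping.
BANKLTD_USER_STORE = [
    {"uid": "DoeJ", "CFPNum": "CFP-00012345", "roles": ["accounts"]},
    {"uid": "SmithA", "CFPNum": "CFP-00098765", "roles": ["accounts"]},
]


class DisambiguationError(Exception):
    """Raised when the assertion cannot be mapped to exactly one local user."""


def extract_attribute(assertion_xml, name):
    """Return all values of the named attribute in the assertion's AttributeStatement."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") != name:
            continue
        for value in attr.findall("saml:AttributeValue", NS):
            if value.text and value.text.strip():
                values.append(value.text.strip())
    return values


def disambiguate(assertion_xml, user_store, assertion_attr="CFPID", store_attr="CFPNum"):
    """Map the assertion to one local user id via the agreed attribute.

    Assumes the assertion has already been signature-checked and its issuer
    verified by the federation layer. Fails closed whenever the mapping is
    not unique: a missing attribute, multiple values, no match or several
    matches all refuse access rather than guessing an identity.
    """
    values = extract_attribute(assertion_xml, assertion_attr)
    if len(values) != 1:
        raise DisambiguationError(
            f"expected exactly one {assertion_attr} value, got {len(values)}"
        )
    key = values[0]
    matches = [u for u in user_store if u.get(store_attr) == key]
    if not matches:
        raise DisambiguationError(f"no local user has {store_attr}={key!r}")
    if len(matches) > 1:
        # A duplicate mapping attribute in the store is a data-quality
        # problem that must be fixed, not resolved by picking one record.
        raise DisambiguationError(f"{store_attr}={key!r} matches {len(matches)} users")
    return matches[0]["uid"]


if __name__ == "__main__":
    # FinancePro's JohnDoe resolves to BankLtd's DoeJ.
    print(disambiguate(SAMPLE_ASSERTION, BANKLTD_USER_STORE))
```

The mapping attribute value never appears in any message other than the assertion itself; which attribute is used is the out-of-band agreement the text describes, so it is passed in as configuration (`assertion_attr`, `store_attr`) rather than read from the assertion.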
Copyright © 2010 CA. All rights reserved.