--- title: Link identities in bulk description: If you manage both the IdP and SP, you can link accounts in bulk by using the ssoadm bulk federation commands. component: pingam version: 8 page_id: pingam:am-saml2:bulk-federation canonical_url: https://docs.pingidentity.com/pingam/8/am-saml2/bulk-federation.html keywords: ["SAML 2.0", "Single Sign-on (SSO)", "Federation"] page_aliases: ["saml2-guide:bulk-federation.adoc"] --- # Link identities in bulk If you manage both the IdP and SP, you can link accounts in bulk by using the `ssoadm` bulk federation commands. Before you can run the bulk federation commands, first establish the relationship between accounts, set up the providers as described in [Configure IdPs, SPs, and CoTs](saml2-providers-and-cots.html), and install the `ssoadm` tool. See [Set up administration tools](../installation/install-openam-admin-tools.html). To understand the relationships between accounts, consider an example where the IdP is at `www.idp.com` and the SP is at `www.sp.com`. A test user account has the Universal ID `id=bjensen,ou=user,dc=idp,dc=com` on the IdP. This maps to the Universal ID `id=bjensen,ou=user,dc=sp,dc=com` on the SP. The `ssoadm` command requires a file that maps local user IDs to remote user IDs, one per line, separated by the vertical bar (`|`) character. Each line of the file appears as follows: ``` local-user-ID|remote-user-ID ``` In the example, starting on the SP side, the line for the test user reads as follows: ``` id=bjensen,ou=user,dc=sp,dc=com|id=bjensen,ou=user,dc=idp,dc=com ``` All the user accounts mapped in your file must exist at the IdP and the SP when you run the commands to link them. Link the accounts using the `ssoadm` bulk federation commands: 1. Prepare the data with the `ssoadm do-bulk-federation` command. The following example starts on the SP side: ```bash $ cat /tmp/user-map.txt id=bjensen,ou=user,dc=sp,dc=com\|id=bjensen,ou=user,dc=idp,dc=com $ ssoadm do-bulk-federation \ --metaalias /sp \ --remoteentityid https://www.idp.com:8443/am \ --useridmapping /tmp/user-map.txt \ --nameidmapping /tmp/name-map.txt \ --adminid uid=amAdmin,ou=People,dc=am,dc=example,dc=com \ --password-file /tmp/pwd.txt \ --spec saml2 Bulk Federation for this host was completed. To complete the federation, name Id mapping file should be loaded to remote provider. ``` 2. Copy the name ID mapping output file to the other provider: ```bash $ scp /tmp/name-map.txt openam@www.idp.com:/tmp/name-map.txt openam@www.idp.com's password: ** name-map.txt 100% 177 0.2KB/s 00:00 ``` 3. Import the name ID mapping file with the `ssoadm import-bulk-fed-data` command. The following example is performed on the IdP side: ```bash $ ssoadm import-bulk-fed-data \ --adminid uid=amAdmin,ou=People,dc=am,dc=example,dc=com \ --password-file /tmp/pwd.txt \ --metaalias /idp \ --bulk-data-file /tmp/name-map.txt Bulk Federation for this host was completed. ``` At this point the accounts are linked.