PingFederate Server

Choosing an identity mapping method for SP SSO

When configuring service provider (SP) single sign-on (SSO), PingFederate offers two methods of identity mapping you can choose from: account mapping or account linking.

About this task

PingFederate allows an SP to use either account linking or account mapping to associate remote users with local accounts for SSO between business partners. For more information, see Identity mapping. On the Identity Mapping tab, you choose which method to use in this IdP connection. You and your partner should decide in advance which option to use. For more information, see Federation planning checklist.

If your site is using account linking, establishing an attribute contract is not required. Depending on your partner agreement, you can choose to supplement the account link with an attribute contract. In this configuration the account link is used to determine the user's identity, while the additional attributes might be used for authorization decisions, customized web pages, and so on, at your site. For more information, see User attributes.

If you have previously set up a configuration to use an attribute contract and want to change the configuration to use account linking without additional attributes, then the existing attribute contract will be discarded.

Account linking can be used with either a clear, standard name identifier or an opaque pseudonym.

Steps

  1. Choose which identity mapping method to use in this IdP connection.

    Choose from:

    • If you want to dynamically associate remote users with local accounts using a known attribute to identify a user, such as a username or email address, select Account Mapping.

      Account mapping uses the user identifier (SAML_SUBJECT in a SAML assertion, or sub in an OpenID Connect ID token) and the associated user attributes to create an association between a remote user and a local account each time the user signs on; nothing is persisted at your site.

      If you are using PingFederate’s JIT provisioning, choose Account Mapping. For more information, see Configuring just-in-time provisioning.

    • If you want to create a long-term association between a remote user and a local account, select Account Linking.

      Account links are stored persistently. Use the built-in HSQLDB only for trial or training environments. For testing and production environments, always use a secured external data store; this is also required for proper functioning in a clustered environment.

      A test run against HSQLDB is not a valid test. In both testing and production, HSQLDB's limitations can cause various problems, and cases that involve HSQLDB are not supported by Ping Identity.

    To set up an attribute contract to use in conjunction with account linking, select the … includes attributes in addition to the unique name identifier check box.

  2. If you have selected only the SP-initiated SSO profile and you intend to enforce additional authentication requirements by placing this IdP connection in an SP authentication policy, select No Mapping.

  3. Additionally, select No Mapping if you are deploying an IdP connection solely for OAuth attribute mapping without the use of an authentication policy contract. For more information, see Configuring IdP connection grant mapping.
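The following Python model is an added example, not PingFederate's own code, that shows the practical difference between the two methods chosen in step 1. The SAML assertion, the LOCAL_USERS store, the name of the link table and the demo() helper are constructed assumptions; an in-memory sqlite3 database stands in for the external account-link data store. The assertion carries an opaque persistent pseudonym as SAML_SUBJECT plus an email attribute, so it shows why a pseudonym needs account linking (or an attribute contract) before a local account can be found:

```python
# Added example: account mapping versus account linking at an SP.
# Not PingFederate code. ASSERTION_XML, LOCAL_USERS, the "links" table
# and demo() are constructed assumptions; sqlite3 in memory stands in
# for the external account-link data store.
import sqlite3
import xml.etree.ElementTree as ET

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}

# Constructed assertion: opaque persistent pseudonym as the subject,
# clear attributes (email, role) supplied through an attribute contract.
ASSERTION_XML = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">3f9a-opaque-pseudonym</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="email"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
    <saml:Attribute Name="role"><saml:AttributeValue>auditor</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed local account store at the SP, keyed by local user id.
LOCAL_USERS = {
    "u-100": {"email": "alice@example.com", "username": "alice"},
    "u-200": {"email": "bob@example.com", "username": "bob"},
}


def parse_assertion(xml_text):
    """Extract issuer, SAML_SUBJECT (NameID) and attributes. Signature and
    condition checks are out of scope here and must happen before mapping."""
    root = ET.fromstring(xml_text)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    attrs = {a.get("Name"): a.findtext("saml:AttributeValue", namespaces=NS)
             for a in root.findall("saml:AttributeStatement/saml:Attribute", NS)}
    return {"issuer": root.findtext("saml:Issuer", namespaces=NS),
            "subject": name_id.text, "format": name_id.get("Format"),
            "attributes": attrs}


def map_account(assertion, attr="email"):
    """Account mapping: resolve the local account dynamically on every SSO.
    attr names a contract attribute matched against the same-named local
    field, or "subject" to match SAML_SUBJECT against the local username."""
    if attr == "subject":
        value, field = assertion["subject"], "username"
    else:
        value, field = assertion["attributes"].get(attr), attr
    for uid, rec in LOCAL_USERS.items():
        if value is not None and rec.get(field) == value:
            return uid
    return None


class AccountLinker:
    """Account linking: persistent (issuer, NameID) -> local user table.
    Once linked, the name identifier alone identifies the user."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute("CREATE TABLE links (issuer TEXT, name_id TEXT, "
                        "local_uid TEXT, PRIMARY KEY (issuer, name_id))")

    def lookup(self, assertion):
        row = self.db.execute(
            "SELECT local_uid FROM links WHERE issuer = ? AND name_id = ?",
            (assertion["issuer"], assertion["subject"])).fetchone()
        return row[0] if row else None

    def resolve(self, assertion, local_login=None):
        """Return the linked local uid; on first visit a local login (callable
        returning the local uid) is required and the link is then stored."""
        uid = self.lookup(assertion)
        if uid is None and local_login is not None:
            uid = local_login()
            self.db.execute("INSERT INTO links VALUES (?, ?, ?)",
                            (assertion["issuer"], assertion["subject"], uid))
            self.db.commit()
        return uid


def demo():
    """Run both methods over the constructed assertion; returns the outcomes."""
    a = parse_assertion(ASSERTION_XML)
    linker = AccountLinker()
    return {
        "map_by_email": map_account(a, "email"),      # u-100
        "map_by_subject": map_account(a, "subject"),  # None: pseudonym matches nothing
        "link_first_visit": linker.resolve(a),        # None: no link yet
        "link_after_login": linker.resolve(a, lambda: "u-100"),  # u-100, link stored
        "link_second_visit": linker.resolve(a),       # u-100 from the link table
        "role_for_authz": a["attributes"]["role"],    # auditor, usable for authorization
    }


if __name__ == "__main__":
    print(demo())
```

The mapping path repeats the lookup on every assertion and never writes anything, which is why it pairs with JIT provisioning; the linking path writes once and thereafter depends only on the stored link, which is the data that must live in a secured external store rather than HSQLDB.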