---
title: Choosing an identity mapping method for SP SSO
description: "When configuring service provider (SP) single sign-on (SSO), PingFederate offers two methods of identity mapping you can choose from: account mapping or account linking."
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:help_usersessioncreationtasklet_selectidpaccountlinkingstate
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/help_usersessioncreationtasklet_selectidpaccountlinkingstate.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: July 5, 2022
section_ids:
  about-this-task: About this task
  steps: Steps
  choose-from: Choose from:
---

# Choosing an identity mapping method for SP SSO

When configuring service provider (SP) single sign-on (SSO), PingFederate offers two methods of identity mapping you can choose from: account mapping or account linking.

## About this task

PingFederate allows an SP to use either account linking or account mapping to associate remote users with local accounts for SSO between business partners. For more information, see [Identity mapping](../introduction_to_pingfederate/pf_ident_mapp.html). On the **Identity Mapping** tab, you choose which method to use in this IdP connection. You and your partner should decide in advance which option to use. For more information, see [Federation planning checklist](../introduction_to_pingfederate/pf_fed_plan_checklist.html).

If your site is using account linking, then establishing an attribute contract is not required. Depending on your partner agreement, you can choose to supplement the account link with an attribute contract. In this configuration the account link is used to determine the user's identity, while the additional attributes might be used for authorization decisions, customized web pages, and so on, at the your site. For more information, see [User attributes](../introduction_to_pingfederate/pf_user_attrib.html).

|   |                                                                                                                                                                                                                               |
| - | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | If you have previously set up a configuration to use an attribute contract and want to change the configuration to use account linking without additional attributes, then the existing attribute contract will be discarded. |

Account linking can be used with either a clear, standard name identifier or an opaque pseudonym.

## Steps

1. Choose which identity mapping method to use in this IdP connection.

   ### Choose from:

   * If you want to dynamically associate remote users with local accounts using a known attribute to identify a user, such as a username or email address, select **Account Mapping**

     Account mapping uses the user identifier, `SAML_SUBJECT` in a SAML assertion or `sub` in an ID token, and associated user attributes to create an association between a remote user and a local account.

     |   |                                                                                                                                                                                                              |
     | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
     |   | If you are using PingFederate's JIT provisioning, choose **Account Mapping**. For more information, see [Configuring just-in-time provisioning](help_idpconnectionconfigtasklet_userprovisioningstate.html). |

   * If you want to create a long-term association between a remote user and a local account, select **Account Linking**

     |   |                                                                                                                                                                                                                                                                                                                                                                                                               |
     | - | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
     |   | Use the built-in HSQLDB only for trial or training environments. For testing and production environments, always use a secured external storage solution for proper functioning in a clustered environment.Testing involving HSQLDB is not a valid test. In both testing and production, it might cause various problems due to its limitations and HSQLDB involved cases are not supported by Ping Identity. |

   To set up an attribute contract to use in conjunction with account linking, select the **…​ includes attributes in addition to the unique name identifier** checkbox.

2. If you have selected only the SP-initiated SSO profile and you intend to enforce additional authentication requirements by placing this IdP connection in an SP authentication policy, select **No Mapping**.

3. Additionally, select **No Mapping** if you are deploying an IdP connection solely for OAuth attribute mapping without the use of an authentication policy contract. For more information, see [Configuring IdP connection grant mapping](help_idpbrowserssotasklet_oauthattributemappingstate.html).