PingFederate allows an SP to use either account linking or account mapping to associate remote users with local accounts for SSO between business partners (see Identity mapping). On the Identity Mapping screen, you choose which method to use in this IdP connection. You and your partner should decide in advance which option to use (see Federation planning checklist).

If your site is using account linking, establishing an attribute contract is not required. Depending on your partner agreement, however, you may choose to supplement the account link with an attribute contract. In this configuration the account link is used to determine the user's identity, while the additional attributes might be used for authorization decisions, customized web pages, and so on, at your site (see User attributes).

If you have previously set up a configuration to use an attribute contract and want to change the configuration to use account linking without additional attributes, then the existing attribute contract will be discarded.

Account linking can be used with either a clear, standard name identifier or an opaque pseudonym.

  • If you want to dynamically associate remote users with local accounts using a known attribute to identify a user (for example, a username or email address), select Account Mapping.
    Account mapping uses the user identifier (SAML_SUBJECT in a SAML assertion or sub in an ID token) and associated user attributes to create an association between a remote user and a local account.

    If you are using PingFederate's JIT provisioning, choose Account Mapping (see Configuring just-in-time provisioning).

  • If you want to create a long-term association between a remote user and a local account, select Account Linking.
    To set up an attribute contract to use in conjunction with account linking, select the ... includes attributes in addition to the unique name identifier check box.

    PingFederate uses a default HSQLDB database to handle account linking. You can use your own database instead, as needed. For more information, see Defining an account-linking datastore.

  • If you have selected only the SP-initiated SSO profile and you intend to enforce additional authentication requirements by placing this IdP connection in an SP authentication policy, select No Mapping. Additionally, select No Mapping if you are deploying an IdP connection solely for OAuth attribute mapping without the use of an authentication policy contract (see Configuring IdP connection grant mapping).
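The following Python sketch is an added example, not PingFederate's code, contrasting the two methods above: account mapping resolves the local account from a known attribute on every SSO, while account linking persists a one-time association keyed by the partner's issuer and name identifier, which is what lets an opaque pseudonym work. Every user, issuer, attribute name and identifier in it is constructed for the illustration.

```python
# Constructed illustration of account mapping versus account linking at an SP.
# Not PingFederate's implementation; all records and identifiers are made up.
from dataclasses import dataclass, field


@dataclass
class SpDirectory:
    # Local accounts keyed by a known attribute (lower-cased email) for account mapping.
    users_by_email: dict
    # Persistent account links keyed by (IdP issuer, name identifier) for account linking.
    links: dict = field(default_factory=dict)


def map_account(directory, assertion):
    """Account mapping: resolve the local account from a known attribute on every SSO.

    `assertion` holds the name identifier ("subject", i.e. SAML_SUBJECT or the ID
    token's sub) and an "attributes" dict supplied by the attribute contract.
    """
    email = assertion.get("attributes", {}).get("mail")
    if not email:
        return None  # nothing to match on, e.g. an opaque pseudonym with no attributes
    return directory.users_by_email.get(email.lower())


def link_account(directory, issuer, subject, local_user):
    """Account linking: store the long-term association once, keyed by issuer + subject."""
    directory.links[(issuer, subject)] = local_user


def resolve_link(directory, issuer, subject):
    """Later SSO events look the local account up by the persisted link alone."""
    return directory.links.get((issuer, subject))


def demo():
    directory = SpDirectory(users_by_email={"alice@example.com": "alice"})
    # Mapping succeeds when the assertion carries the agreed attribute.
    mapped_by_mail = map_account(
        directory, {"subject": "alice", "attributes": {"mail": "Alice@Example.com"}})
    # Mapping fails for an opaque pseudonym: there is no known attribute to match.
    pseudonym = {"subject": "pseudonym-9f2c", "attributes": {}}
    mapped_pseudonym = map_account(directory, pseudonym)
    # Linking works: after a one-time association (e.g. a local login on first SSO)
    # the same issuer + pseudonym resolves on every later SSO without attributes.
    link_account(directory, "https://idp-a.example", pseudonym["subject"], "alice")
    linked = resolve_link(directory, "https://idp-a.example", pseudonym["subject"])
    # The link is scoped to the issuer, so the same identifier value presented by a
    # different partner does not resolve to alice's account.
    other_issuer = resolve_link(directory, "https://idp-b.example", pseudonym["subject"])
    return mapped_by_mail, mapped_pseudonym, linked, other_issuer
```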