Account linking provides a means for a user to log on to disparate sites with just one authentication, when the user has already established accounts and credentials at each site. This method of interconnecting accounts across domains is supported by all protocols.

Account linking involves a persistent name identifier associated with the user's account at each participating site. The name identifier, which may be an opaque pseudonym, is conveyed in the assertion. Once the link has been established locally, the service provider (SP) can use it to look up the user and provide access without re-authentication.

Account linking

Processing steps

  1. David Smith logs on to Site A as davidsmith. He then decides to access his account on Site B via Site A.
  2. Optionally, the federation server looks up additional attributes from the datastore.
  3. The Site A federation server sends a persistent name identifier (possibly a pseudonym) to Site B, along with any other attributes.

    If a pseudonym is used and other attributes are sent, care must be taken not to send attributes that could be used to identify the subject.

  4. The federation server on Site B uses the information to associate the pseudonym with the existing account of dsmith. (Optionally, David is asked to provide consent to the linking.)

    Once the link has been established, it is stored so that David only has to log on to Site A to have access to Site B.
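As an added example (not code from the original page or from any federation product), the following Python sketch models what Site B's federation server does in steps 3 and 4: it refuses non-persistent name identifiers, flags attributes that would re-identify a pseudonymous subject, and only stores the link once the user has logged on locally as dsmith and consented. The Assertion shape, the attribute list and the issuer URL are constructed for the example.

```python
from dataclasses import dataclass, field

PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"

# Constructed list of attributes that would re-identify the subject behind a
# pseudonym; a real deployment derives this from its own attribute policy.
IDENTIFYING = {"email", "mail", "givenName", "sn", "displayName", "telephoneNumber"}


@dataclass
class Assertion:
    """Fields Site B needs from an incoming assertion (constructed shape)."""
    issuer: str                       # entity ID of Site A's federation server
    name_id: str                      # opaque persistent pseudonym
    name_id_format: str = PERSISTENT
    attributes: dict = field(default_factory=dict)


def identifying_attributes(assertion):
    """Attributes that would undo the pseudonym if released alongside it."""
    return {a for a in assertion.attributes if a in IDENTIFYING}


class LinkStore:
    """Site B's persistent map from (issuer, pseudonym) to a local account."""

    def __init__(self):
        self._links = {}

    def lookup(self, assertion):
        # A transient or e-mail name ID cannot anchor a durable link.
        if assertion.name_id_format != PERSISTENT:
            raise ValueError("account linking requires a persistent name identifier")
        return self._links.get((assertion.issuer, assertion.name_id))

    def link(self, assertion, local_account, consent_given):
        # The user has just authenticated to Site B and must agree to the link.
        if not consent_given:
            raise PermissionError("user declined to link the accounts")
        key = (assertion.issuer, assertion.name_id)
        if key in self._links and self._links[key] != local_account:
            raise ValueError("pseudonym is already linked to a different account")
        self._links[key] = local_account


def handle_assertion(store, assertion, local_login=None, consent=False):
    """Return (outcome, account): reuse an existing link, or create one after local login."""
    account = store.lookup(assertion)
    if account is not None:
        return ("sso", account)          # step 4 on later visits: no re-authentication
    if local_login is None:
        return ("local-login-required", None)
    store.link(assertion, local_login, consent)
    return ("linked", local_login)
```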