When configuring service provider (SP) single sign-on (SSO), PingFederate offers two methods of identity mapping you can choose from: account mapping or account linking.
PingFederate allows an SP to use either account linking or account mapping to associate remote users with local accounts for SSO between business partners. For more information, see Identity mapping. On the Identity Mapping tab, you choose which method to use in this IdP connection. You and your partner should decide in advance which option to use. For more information, see Federation planning checklist.
If you have previously set up a configuration to use an attribute contract and want to change the configuration to use account linking without additional attributes, then the existing attribute contract will be discarded.
Account linking can be used with either a clear, standard name identifier or an opaque pseudonym.
Choose which identity mapping method to use in this IdP connection.
- If you want to dynamically associate remote users with local accounts using a known attribute to identify a user, such as a username or email address, select Account Mapping. Account mapping uses the user identifier, SAML_SUBJECT in a SAML assertion or sub in an ID token, and associated user attributes to create an association between a remote user and a local account.
Tip:
If you are using PingFederate's JIT provisioning, choose Account Mapping. For more information, see Configuring just-in-time provisioning.
- If you want to create a long-term association between a remote user and a local account, select Account Linking.
To set up an attribute contract to use in conjunction with account linking, select the ... includes attributes in addition to the unique name identifier check box.
Tip:
PingFederate uses a default HSQLDB database to handle account linking. You can use your own database instead, as needed. For more information, see Account-linking datastores.
CAUTION:
Use the built-in HSQLDB only for trial or training environments. For testing and production environments, always use a secured external storage solution for proper functioning in a clustered environment.
Tests that rely on HSQLDB are not valid. In both testing and production, HSQLDB can cause various problems because of its limitations, and cases involving HSQLDB are not supported by Ping Identity.
- If you have selected only the SP-initiated SSO profile and you intend to enforce additional authentication requirements by placing this IdP connection in an SP authentication policy, select No Mapping.
- Additionally, select No Mapping if you are deploying an IdP connection solely for OAuth attribute mapping without the use of an authentication policy contract. For more information, see Configuring IdP connection grant mapping.
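The difference between the two mapping methods above is easiest to see in code. The following is an added illustration, not PingFederate's own implementation: account mapping resolves the local account from a known attribute on every SSO (with optional JIT provisioning), while account linking persists a link from the partner's name identifier, which may be an opaque pseudonym, to a local account and relies on that link store afterwards. The directory, link store, attribute names (mail) and sample assertions are all constructed for this example.

```python
"""Added illustration of account mapping vs. account linking (not PingFederate
code). All stores, attribute names and assertions here are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Assertion:
    """Minimal stand-in for the parts of a SAML assertion / ID token used here."""
    issuer: str        # partner (IdP) entity ID
    subject: str       # SAML_SUBJECT or OIDC 'sub'; may be an opaque pseudonym
    attributes: dict   # extra attributes carried by the attribute contract


@dataclass
class LocalAccount:
    account_id: str
    email: str


class LocalDirectory:
    """Constructed SP user store, searchable by a known attribute (email)."""

    def __init__(self, accounts):
        self._by_email = {a.email.lower(): a for a in accounts}

    def find_by_email(self, email) -> Optional[LocalAccount]:
        return self._by_email.get(email.lower())

    def create(self, email) -> LocalAccount:
        # JIT provisioning: create the local account on first SSO.
        acct = LocalAccount(f"local-{len(self._by_email) + 1}", email)
        self._by_email[email.lower()] = acct
        return acct


def account_mapping(assertion, directory, jit_provision=False):
    """Account mapping: resolve the local account from a known attribute on
    every SSO. Nothing is persisted; an unknown or missing attribute means no
    account unless JIT provisioning is enabled."""
    email = assertion.attributes.get("mail")   # 'mail' is a constructed name
    if not email:
        return None
    acct = directory.find_by_email(email)
    if acct is None and jit_provision:
        acct = directory.create(email)
    return acct


class LinkStore:
    """Account-linking datastore, keyed by (issuer, name identifier).
    In-memory here, so it has the same limitation the page warns about for the
    built-in HSQLDB: links are lost with the process and not shared across a
    cluster. A production SP would back this with a secured external database."""

    def __init__(self):
        self._links = {}

    def lookup(self, issuer, subject):
        return self._links.get((issuer, subject))

    def link(self, issuer, subject, account_id):
        self._links[(issuer, subject)] = account_id


def account_linking(assertion, store, directory, link_attribute=None):
    """Account linking: return the persisted link for this issuer and name
    identifier. On first SSO the link must be established; here an optional
    extra attribute from the attribute contract (e.g. mail) locates the account
    to link. With an opaque pseudonym and no extra attribute, the SP cannot
    identify the user on its own, so no link is made (returns None)."""
    account_id = store.lookup(assertion.issuer, assertion.subject)
    if account_id is not None:
        return account_id
    if link_attribute is None:
        return None
    value = assertion.attributes.get(link_attribute)
    acct = directory.find_by_email(value) if value else None
    if acct is None:
        return None
    store.link(assertion.issuer, assertion.subject, acct.account_id)
    return acct.account_id


if __name__ == "__main__":
    idp = "https://idp.example.org"   # constructed partner entity ID
    d = LocalDirectory([LocalAccount("local-1", "alice@example.com")])
    store = LinkStore()
    pseudonym = Assertion(idp, "pseudonym-9f1c", {"mail": "alice@example.com"})
    print("mapping:", account_mapping(pseudonym, d))
    print("linking, first SSO with mail:", account_linking(pseudonym, store, d, "mail"))
    print("linking, later SSO, pseudonym only:",
          account_linking(Assertion(idp, "pseudonym-9f1c", {}), store, d))
```

The last two calls show why the link store must be durable: once the attribute contract no longer carries an identifying attribute, the opaque pseudonym is only meaningful through the stored link, and losing that store (as with a non-durable or non-clustered HSQLDB) silently breaks SSO for every linked user.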