Account linking uses the SAML assertion to create a persistent association between these distinct user accounts. The account link, or name identifier, such as an email address or identity provider (IdP)-generated pseudonym, identifies individual users. When privacy is a concern, use pseudonyms because they prevent tracing back to a user's identity at the partner site.

During the user's first SSO request, the service provider (SP) prompts for local credentials, which enables the SP to link the name identifier contained within the assertion—either an open attribute or a pseudonym—with the user's local account. Subsequent SSO events will not prompt the user to authenticate with the SP because the SP federation server keeps a table associating remote users' name identifiers with local user accounts. The SP associates the link to the user's corresponding local account and provides access to the account without separate authentication.

Tip:

PingFederate in the SP role uses a default, HSQLDB database to handle account linking. You can use your own datastore instead, as needed. For more information, see Account-linking datastores.

CAUTION:

Use the built-in HSQLDB only for trial or training environments. For testing and production environments, always use a secured external storage solution for proper functioning in a clustered environment.

Testing against HSQLDB is not a valid test. In both testing and production, HSQLDB can cause various problems because of its limitations, and cases involving HSQLDB are not supported by Ping Identity.

The name identifier optionally includes additional attributes. When using a pseudonym as the account link, take care to send only general attributes, such as a user's organizational role or department, that will not compromise privacy.

Linking permission and defederation

The SAML specification also allows the SP application to build in user verification and approval of account linking and provides a means for the user to permanently cancel the linking, known as defederation. For more information, see /sp/defederate.ping. A defederated user might later elect to re-associate with a local user account.
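The linking flow described above (first SSO prompts for local credentials and stores the link; later SSO events reuse it), the privacy rule for pseudonyms in the earlier section, and defederation are sketched together below. This is an added illustration, not PingFederate code: the in-memory link table, the `NameIdentifier` key, the `authenticate_locally` callback and the `GENERAL_ATTRIBUTES` allowlist are all assumptions chosen for the example, and the assertion is a constructed sample whose signature and audience checks are assumed to have passed upstream.

```python
"""Account-linking flow sketch (added example, not PingFederate's own code).

An SP keeps a table mapping the remote name identifier in a SAML assertion
to a local account. The first SSO requires local credentials to create the
link; later SSO events resolve the link directly; defederation removes it.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, Optional

SAML_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
UNSPECIFIED = "urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified"

# Attributes considered safe to pair with a pseudonym (assumed allowlist).
GENERAL_ATTRIBUTES = {"role", "department"}


@dataclass(frozen=True)
class NameIdentifier:
    """Key for the link table. The issuer is part of the key so that two
    IdPs emitting the same NameID value cannot be mapped to one account."""
    issuer: str
    fmt: str
    value: str


def parse_name_identifier(assertion_xml: str) -> NameIdentifier:
    """Extract Issuer and Subject/NameID from an already-validated assertion."""
    root = ET.fromstring(assertion_xml)
    issuer = root.findtext("saml:Issuer", namespaces=SAML_NS)
    name_id = root.find("saml:Subject/saml:NameID", SAML_NS)
    if not issuer or name_id is None or not name_id.text:
        raise ValueError("assertion lacks Issuer or Subject/NameID")
    # SAML 2.0 defaults Format to 'unspecified' when the attribute is absent.
    fmt = name_id.get("Format", UNSPECIFIED)
    return NameIdentifier(issuer.strip(), fmt, name_id.text.strip())


def release_attributes(nid: NameIdentifier, attrs: dict) -> dict:
    """IdP-side rule from the text: with a pseudonym, send only general
    attributes so the user cannot be re-identified at the partner site."""
    if nid.fmt == PERSISTENT:
        return {k: v for k, v in attrs.items() if k in GENERAL_ATTRIBUTES}
    return dict(attrs)


class AccountLinker:
    """SP-side link table: NameIdentifier -> local account id (in memory)."""

    def __init__(self) -> None:
        self._links: dict[NameIdentifier, str] = {}

    def resolve(self, nid: NameIdentifier,
                authenticate_locally: Callable[[], Optional[str]]) -> tuple:
        """Return (local_account, prompted). On the first SSO the SP asks for
        local credentials (the callback stands in for that prompt) and stores
        the link; afterwards the link is used without a local login."""
        local = self._links.get(nid)
        if local is not None:
            return local, False
        local = authenticate_locally()
        if local is None:
            raise PermissionError("local authentication failed; no link created")
        self._links[nid] = local
        return local, True

    def defederate(self, nid: NameIdentifier) -> bool:
        """Permanently cancel the link; the next SSO prompts again."""
        return self._links.pop(nid, None) is not None


# Constructed sample assertion (not from the documentation).
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_example1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">7f2c9e0a-pseudonym</saml:NameID>
  </saml:Subject>
</saml:Assertion>"""


if __name__ == "__main__":
    nid = parse_name_identifier(SAMPLE_ASSERTION)
    linker = AccountLinker()
    print(linker.resolve(nid, lambda: "jdoe"))   # first SSO: prompted
    print(linker.resolve(nid, lambda: None))     # later SSO: link reused
    print(linker.defederate(nid))                # link removed
```

The callback returning `None` models a failed local login: no link is created, so an assertion alone never grants access to an unlinked local account.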

SP affiliations

Under the SAML 2.0 specifications, an IdP configures PingFederate to enable a group of SPs, called an SP affiliation, to share the same persistent name identifier. For more information, see SP affiliations. An SP affiliation facilitates the use case where a number of business partners have an existing relationship and where sharing a single name identifier among all parties reduces the federation integration effort.