You can choose a name identifier for your SAML Browser single sign-on (SSO) configuration on the Identity Mapping tab. The type of name identifier you select affects how your service provider (SP) partner makes use of account mapping or account linking.
If you change your configuration to use account linking without additional attributes, any existing attribute contract will be discarded in favor of the new configuration.
- Select the type of name identifier that you and your SP have agreed to use.

| Option | Description |
| --- | --- |
| Standard | Select if you want to send a known attribute to identify a user, for example, a username or an email address. In this scenario, the SP often uses account mapping to identify the user locally. |
| Pseudonym | Select if you and the SP have agreed to use a unique, opaque persistent name identifier, which cannot be traced back to the user's identity at the IdP. The SP might also use the identifier for account linking to make a persistent association between the user and a specific local account. Select the Include attributes in addition to the pseudonym box if you want to set up an attribute contract to use in conjunction with an opaque identifier. For more information, see Setting up an attribute contract. |
| Transient | Select Transient to enhance the privacy of a user's identity. Unlike a pseudonym, a transient identifier is different each time a user initiates SSO. An example application for this selection might be when an SP provides generalized group accounts based on organizational rather than individual identity. Select the Include attributes in addition to the transient identifier box if you want to set up an attribute contract to use in conjunction with an opaque identifier. For more information, see Setting up an attribute contract. |

- Click Next to save your changes.
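
The following added example (not product code and not part of the original page) shows what each of the three options puts in the assertion's `<NameID>` element and why the SP can map, link, or do neither. The HMAC-based pseudonym derivation, the demo key, the sample user and SP entity IDs, and the pairing of Standard with the emailAddress format are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("saml", SAML_NS)

# Format URIs from the SAML specifications. Pairing "Standard" with the
# emailAddress format is this example's assumption.
FORMATS = {
    "standard": "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
    "pseudonym": "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent",
    "transient": "urn:oasis:names:tc:SAML:2.0:nameid-format:transient",
}

# Constructed demo key; a real IdP would keep its own secret or a stored mapping.
IDP_SECRET = b"constructed-demo-key"


def name_id_value(option, user, sp_entity_id):
    """Return the identifier string the IdP would place in <NameID>."""
    if option == "standard":
        # Known attribute: the SP can map it directly to a local account.
        return user["email"]
    if option == "pseudonym":
        # Opaque and stable per (user, SP) pair: supports account linking,
        # reveals nothing about the user, and differs between SPs.
        msg = f"{user['local_id']}|{sp_entity_id}".encode()
        return hmac.new(IDP_SECRET, msg, hashlib.sha256).hexdigest()
    if option == "transient":
        # Fresh random value for every SSO event: nothing to link on.
        return secrets.token_hex(16)
    raise ValueError(f"unknown name identifier option: {option}")


def build_name_id(option, user, sp_entity_id):
    """Build the <saml:NameID> element for one SSO event."""
    value = name_id_value(option, user, sp_entity_id)
    el = ET.Element(f"{{{SAML_NS}}}NameID", {"Format": FORMATS[option]})
    el.text = value
    return el


if __name__ == "__main__":
    user = {"local_id": "u-1001", "email": "alice@example.com"}  # constructed
    for option in FORMATS:
        el = build_name_id(option, user, "https://sp.example.com")
        print(ET.tostring(el, encoding="unicode"))
```

With Transient, the SP receives nothing stable to key a local account on, which is why that option is usually paired with an attribute contract carrying group or role attributes.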