Account linking provides a means for a user to log on to disparate sites with just one authentication when the user has established accounts and credentials at each site.
All protocols support this method of interconnecting accounts across domains.
Account linking involves a persistent name identifier associated with accounts at each participating site. The assertion conveys the name identifier, which can be an opaque pseudonym. Once established locally, the service provider (SP) can use the account link to look up the user and provide access without re-authentication.
- David Smith logs on to Site A as davidsmith. He then decides to access his account on Site B through Site A.
- Optionally, the federation server looks up additional attributes from the datastore.
- The Site A federation server sends a persistent name identifier to Site B, along
with any other attributes. Note:
When using a pseudonym and sending other attributes, be careful not to send attributes that could identify the subject.
- The federation server on Site B uses the information to associate the pseudonym
with the existing account of dsmith and optionally might ask David
to provide consent to the linking.
Once the link has been established, Site B stores the information so that David only has to log on to Site A to access Site B.