PingFederate offers an account linking service and a pseudonym service to support SAML 2.0 federation deployment needs.
Account linking service
The account linking service stores the association between the external and internal identifiers of an end user when your implementation uses account linking as a service provider (SP) identity-mapping strategy. The default, standalone implementation uses a Java Database Connectivity (JDBC) interface to an embedded database within PingFederate. No information from the embedded database is shared across the cluster, so when an identity provider (IdP) connection deployed in a cluster uses account linking, the default implementation will not work properly. In such cases, you must point the service to an external database. For more information, see Define an account-linking data store.
Pseudonym service
The pseudonym service references the method needed by PingFederate to generate or look up a pseudonym for a user. PingFederate uses this service only if your site is acting in an IdP role and produces assertions containing pseudonyms as subject identifiers. The default implementation uses a message digest to produce the value so that no session-state synchronization is required. Developers who want to implement pseudonym handling differently can refer to the Javadoc reference describing the PseudonymService interface for more information.
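
The stateless property described above, shown as an added illustration that is not PingFederate's code and does not implement the PseudonymService interface. It assumes HMAC-SHA-256 as the digest and a constructed cluster-wide salt, and contrasts this with a hypothetical node that issues random pseudonyms from local state.

```python
import hashlib
import hmac
import secrets

# Constructed sample value (assumption): a secret shared by every cluster node.
CLUSTER_SALT = b"constructed-cluster-wide-salt"


def digest_pseudonym(user_id: str, sp_entity_id: str, salt: bytes = CLUSTER_SALT) -> str:
    """Derive a per-SP pseudonym for a user with a keyed digest (assumed HMAC-SHA-256)."""
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    parts = (user_id.encode("utf-8"), sp_entity_id.encode("utf-8"))
    msg = b"".join(len(p).to_bytes(4, "big") + p for p in parts)
    return hmac.new(salt, msg, hashlib.sha256).hexdigest()


class DigestNode:
    """Hypothetical cluster node: recomputes the pseudonym on every request."""

    def __init__(self, salt: bytes = CLUSTER_SALT):
        self._salt = salt

    def pseudonym(self, user_id: str, sp_entity_id: str) -> str:
        return digest_pseudonym(user_id, sp_entity_id, self._salt)


class RandomNode:
    """Hypothetical contrast case: random pseudonyms kept in node-local state."""

    def __init__(self):
        self._table = {}

    def pseudonym(self, user_id: str, sp_entity_id: str) -> str:
        key = (user_id, sp_entity_id)
        if key not in self._table:
            self._table[key] = secrets.token_hex(32)
        return self._table[key]


def nodes_agree(node_a, node_b, user_id: str, sp_entity_id: str) -> bool:
    """True if two nodes hand the SP the same subject identifier for this user."""
    return node_a.pseudonym(user_id, sp_entity_id) == node_b.pseudonym(user_id, sp_entity_id)


if __name__ == "__main__":
    sp = "https://sp1.example.com"  # constructed SP entity ID
    print("digest nodes agree:", nodes_agree(DigestNode(), DigestNode(), "jdoe", sp))
    print("random nodes agree:", nodes_agree(RandomNode(), RandomNode(), "jdoe", sp))
```

Two digest nodes agree without exchanging anything, while the random-pseudonym nodes disagree unless their tables are synchronized, which is the same class of problem the embedded account-linking database has in a cluster.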