Sun OpenSSO Enterprise 8.0 Administration Guide

Procedure: To Federate Disparate Accounts with Auto Federation

The auto federation feature in OpenSSO Enterprise automatically federates a user's disparate provider accounts based on a common attribute. The common attribute is carried in the single sign-on assertion so that the consuming service provider can identify the user and create the account federation. If auto federation is enabled and a user at provider A and a user at provider B are found to have the same value for the defined common attribute (for example, emailaddress), the two accounts are federated automatically without any interaction by the principal. Because the match is made on the attribute value alone, choose an attribute whose value is unique in each provider's user data store and is assigned by the identity provider rather than chosen by the user.


Note –

Auto-federating a principal's two distinct accounts at two different providers requires each provider to have agreed to implement support for this functionality beforehand.


Ensure that each hosted (local) service provider and identity provider participating in auto federation is configured for it. Remote providers are configured in their own deployments, not in yours.

  1. In the OpenSSO Enterprise Console, click the Federation tab.

  2. Select the name of the hosted identity provider to edit its profile.

  3. Click the Assertion Processing tab.

  4. Under Attribute Map, add a value of the form autofedAttribute=local-attribute, where autofedAttribute is the attribute name sent in the assertion and local-attribute is the corresponding attribute in the provider's local user data store. For example, employeeNumber=employeeID.

  5. Click Save.

  6. Go back to the Federation tab and select the name of the hosted service provider to edit its profile.

  7. If the Auto Federation Common Attribute Name is the same as the local attribute name, skip to the next step. If not, enter the autofedAttribute=local-attribute value in the New Value field under Attribute Map. For example:

    employeeNumber=employeeID

  8. Click the Auto Federation link at the top of the page, or scroll down to the Auto Federation subsection.

  9. Enable Auto Federation by checking the box.

  10. Click Save to complete the configuration.
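The following is an added example that models the matching logic the procedure above configures; it is not OpenSSO Enterprise code. It parses Attribute Map entries in the console form autofedAttribute=local-attribute, applies the identity provider's map when building the assertion's attribute statement (step 4), applies the service provider's map when consuming it (step 7), and links the account only when exactly one local account carries the common attribute value. The user stores, user IDs and NameID values are constructed for illustration and are not from the guide.

```python
"""Model of auto federation on a common attribute (added example, not OpenSSO code).

The Attribute Map form, the attribute names employeeNumber and employeeID, and the
Auto Federation Common Attribute Name come from the procedure; every user store
entry and NameID below is constructed for illustration.
"""

# Auto Federation Common Attribute Name: the attribute name carried in the assertion.
AUTOFED_ATTRIBUTE = "employeeNumber"


def parse_attribute_map(entries):
    """Parse Attribute Map entries of the form autofedAttribute=local-attribute.

    Returns {assertion attribute name: local user data store attribute name}.
    A malformed entry is rejected rather than silently ignored.
    """
    mapping = {}
    for entry in entries:
        sso_name, sep, local_name = entry.partition("=")
        if not sep or not sso_name.strip() or not local_name.strip():
            raise ValueError(f"malformed attribute map entry: {entry!r}")
        mapping[sso_name.strip()] = local_name.strip()
    return mapping


# Step 4: hosted identity provider map (the example value from the procedure).
IDP_ATTRIBUTE_MAP = parse_attribute_map(["employeeNumber=employeeID"])
# Step 7: hosted service provider map; the same entry because this SP also stores
# the value under the local name employeeID.
SP_ATTRIBUTE_MAP = parse_attribute_map(["employeeNumber=employeeID"])

# Constructed user stores: the same people hold differently named accounts at
# each provider, and two SP accounts deliberately share one employeeID.
IDP_USERS = {
    "asmith": {"employeeID": "10042"},
    "bjones": {"employeeID": "10077"},
    "cdoe":   {"employeeID": "20001"},
    "nobody": {},                      # no common attribute at all
}
SP_USERS = {
    "alice.smith": {"employeeID": "10042"},
    "bob.jones":   {"employeeID": "10077"},
    "c.doe":       {"employeeID": "20001"},
    "c.doe2":      {"employeeID": "20001"},   # duplicate value: ambiguous match
}


def idp_attribute_statement(idp_user_id):
    """Identity provider side: map each local attribute named in the Attribute Map
    onto the assertion attribute name, producing the assertion's attribute set."""
    user = IDP_USERS[idp_user_id]
    return {sso_name: user[local_name]
            for sso_name, local_name in IDP_ATTRIBUTE_MAP.items()
            if local_name in user}


def sp_auto_federate(assertion_attributes):
    """Service provider side: return the single local account whose mapped attribute
    equals the common attribute value in the assertion, or None.

    Refusing on zero or several matches is deliberate: auto federating on an
    absent or non-unique value would link the assertion to the wrong account.
    """
    # Step 7: when no map entry exists the assertion name is used as the local name.
    local_name = SP_ATTRIBUTE_MAP.get(AUTOFED_ATTRIBUTE, AUTOFED_ATTRIBUTE)
    value = assertion_attributes.get(AUTOFED_ATTRIBUTE)
    if not value:
        return None
    matches = [uid for uid, attrs in SP_USERS.items() if attrs.get(local_name) == value]
    return matches[0] if len(matches) == 1 else None


def sp_resolve_user(name_id, assertion_attributes, federations):
    """Resolve an incoming SSO assertion to an SP account.

    `federations` maps the IdP-issued NameID to an SP user ID. Once a federation
    exists it is used directly; the attribute is only consulted to create one.
    """
    if name_id in federations:
        return federations[name_id]
    sp_user = sp_auto_federate(assertion_attributes)
    if sp_user is not None:
        federations[name_id] = sp_user
    return sp_user


def single_sign_on(idp_user_id, name_id, federations):
    """Constructed end-to-end exchange: the IdP builds the attribute statement and
    the SP consumes it, federating the two accounts on first successful match."""
    return sp_resolve_user(name_id, idp_attribute_statement(idp_user_id), federations)


if __name__ == "__main__":
    feds = {}
    print(single_sign_on("asmith", "nameid-A", feds))   # alice.smith
    print(single_sign_on("cdoe", "nameid-C", feds))     # None: two SP accounts share 20001
    print(single_sign_on("nobody", "nameid-N", feds))   # None: no common attribute sent
    print(feds)                                         # {'nameid-A': 'alice.smith'}
```

The duplicate-value and missing-value cases are the ones to test in a real deployment before enabling the check box in step 9: if the chosen common attribute is not unique in the service provider's user data store, the SP cannot safely decide which account to federate.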