Sun OpenSSO Enterprise 8.0 Administration Guide

To Achieve Single Sign-on Without Data Store Writes

This interaction uses auto-federation with the transient name identifier. There is a one-to-one mapping between user accounts configured with the identity provider and the service provider, based on the value of one attribute. The following procedure describes how to configure single sign-on without writing to the user's data store entry.

  1. Edit the following attributes in the OpenSSO Enterprise console for the identity provider.

    • Auto Federation – enable this attribute.

    • Auto Federation Attribute defines the common attribute on the identity provider side. For example, mail.

    • Attribute Map defines the mapping between the identity provider's attribute and the remote provider's attribute. It takes a value of autofedAttribute-value=remote-provider-attribute. For example:

      <Attribute name="attributeMap">
      <Value>mail=mail</Value>
      </Attribute>
  2. Edit the following attributes in the OpenSSO Enterprise console for the service provider.

    • Transient User takes a null value.

    • Auto Federation – enable this attribute.

    • Auto Federation Attribute defines the common attribute. For example, mail.

    • Attribute Map defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute-value=remote-provider-attribute. For example:

      mail=mail
  3. To test, invoke the single sign-on URL with the NameIDFormat=transient query parameter appended to it.

    All identity provider users will be mapped to the corresponding user on the service provider side based on the mail attribute, but the auto-federation attributes will not be written to the user entry.
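The following is an added illustration, not code from OpenSSO Enterprise, of what the service provider side of this procedure does at run time: it checks that the assertion carries a transient NameID, reads the remote attribute named in the attribute map (mail=mail), and resolves it to exactly one local user without modifying the user store. The SAML assertion and the user store dictionary are constructed sample data, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

SAML2_NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
TRANSIENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:transient"

# Constructed sample assertion (not a real capture): a transient NameID plus
# a "mail" attribute, the auto-federation attribute used in this procedure.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:transient">_a1b2c3</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="mail"><saml:AttributeValue>alice@example.com</saml:AttributeValue></saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed stand-in for the service provider's user data store.
SP_USER_STORE = {"alice": {"mail": "alice@example.com"}, "bob": {"mail": "bob@example.com"}}

def parse_attribute_map(attribute_map):
    """Split 'autofedAttribute-value=remote-provider-attribute' into (local, remote)."""
    local, remote = attribute_map.split("=", 1)
    return local.strip(), remote.strip()

def resolve_transient_user(assertion_xml, attribute_map, user_store):
    """Return the single local user id the assertion maps to. The user store is
    only read: with a transient NameID there is no federation record to persist."""
    root = ET.fromstring(assertion_xml)
    name_id = root.find("saml:Subject/saml:NameID", SAML2_NS)
    if name_id is None or name_id.get("Format") != TRANSIENT:
        raise ValueError("expected a transient NameID")
    local_attr, remote_attr = parse_attribute_map(attribute_map)
    # Collect the remote provider's attribute values from the assertion.
    values = [
        v.text
        for a in root.findall("saml:AttributeStatement/saml:Attribute", SAML2_NS)
        if a.get("Name") == remote_attr
        for v in a.findall("saml:AttributeValue", SAML2_NS)
    ]
    if len(values) != 1:
        raise ValueError(f"attribute {remote_attr!r} must appear exactly once")
    # The mapping must be one-to-one: exactly one local entry may carry the value.
    matches = [uid for uid, entry in user_store.items() if entry.get(local_attr) == values[0]]
    if len(matches) != 1:
        raise ValueError(f"{len(matches)} local users match {local_attr}={values[0]!r}")
    return matches[0]
```

A store in which two entries share the same mail value, or an assertion without a transient NameID, is rejected rather than silently mapped.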