Auto-Federation

The auto-federation feature in Access Manager will automatically federate a user's disparate provider accounts based on a common attribute. This common attribute will be exchanged in a single sign-on assertion so that the consuming service provider can identify the user and create account federations. If auto-federation is enabled and it is deemed that a user at provider A and a user at provider B have the same value for the defined common attribute (for example, emailaddress), the two accounts will be federated automatically without principal interaction.

Auto-federating a principal's two distinct accounts at two different providers requires each provider to have agreed to implement support for this functionality beforehand.

To Enable Auto Federation

Ensure that each local service and identity provider participating in auto federation is configured for it. Remote providers would not be configured in your deployment.

1. In the Access Manager Console, click the Federation tab.

2. Under Federation, select the Entities tab.

3. Select the name of a hosted provider entity to edit its profile.

   Whether an entity is configured to hold hosted or remote providers is not information that is disclosed on this screen.

4. Select Identity Provider or Service Provider from the View menu.

5. Select Access Manager Configuration.

6. Enable Auto Federation by checking the box.

7. Type a value for the Auto Federation Common Attribute Name attribute.

   For example, enter emailaddress or userID. You should be sure that each participating user profile (at both providers) has a value for this attribute.

8. Click Save to complete the configuration.