Sun OpenSSO Enterprise 8.0 Administration Guide

ID-FF Auto-Federation

The auto-federation feature in OpenSSO Enterprise will automatically federate a user's disparate provider accounts based on a common attribute. This common attribute will be exchanged in a single sign-on assertion so that the consuming service provider can identify the user and create account federations. If auto-federation is enabled and it is deemed that a user at provider A and a user at provider B have the same value for the defined common attribute (for example, emailaddress), the two accounts will be federated automatically without principal interaction on the service provider side (that is, without login on the service provider side).


Note –

Auto-federating a principal's two distinct accounts at two different providers requires each provider to have agreed to implement support for this functionality beforehand.


Procedure: To Enable ID-FF Auto Federation

Ensure that single sign-on is properly configured. For more information, see To Configure ID-FF Single Sign-on. Remote providers are not configured in your deployment; the following steps apply to the hosted providers.

  1. In the OpenSSO Enterprise Console, click the Federation tab.

  2. Select the name of the identity provider to edit its profile.

  3. Click on the Auto Federation link at the top of the page, or scroll down to the Auto Federation subsection.

  4. Enable Auto Federation by checking the box.

  5. Type a value for the Auto Federation Common Attribute Name attribute.

    For example, enter emailaddress or userID. You should be sure that each participating user profile (at both providers) has a value for this attribute.

  6. Click the Identity Provider Attribute Mapper link, or scroll down to the Identity Provider Attribute Mapper subsection. Enter the following attribute values:

    Attribute Mapper Class

    com.sun.identity.federation.services.FSDefaultRealmAttributeMapper

    Identity Provider Attribute Mapping

    Enter the mapping for the Auto-Federation attribute name.

  7. Click the Plug-ins link, or scroll down to the Plug-ins subsection. Enter the following attribute value:

    Attribute Statement Plug-in

    com.sun.identity.federation.services.FSDefaultRealmAttributePlugin

  8. Click Save to complete the identity provider configuration.

  9. Go back to the Federation tab and select the service provider you wish to edit.

  10. Click on the Auto Federation link at the top of the page, or scroll down to the Auto Federation subsection.

  11. Enable Auto Federation by checking the box.

  12. Type a value for the Auto Federation Common Attribute Name attribute.

    For example, enter emailaddress or userID. You should be sure that each participating user profile (at both providers) has a value for this attribute.

  13. Click the Service Provider Attribute Mapper link, or scroll down to the Service Provider Attribute Mapper subsection. Enter the following attribute values:

    Attribute Mapper Class

    com.sun.identity.federation.services.FSDefaultRealmAttributeMapper

    Identity Provider Attribute Mapping

    Enter the mapping for the Auto-Federation attribute name.

  14. Click Save to complete the configuration.
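The matching that the consuming service provider performs once both providers are configured as above can be modelled outside the console. The following is an added illustration, not OpenSSO Enterprise code and not the behaviour of the FSDefaultRealmAttributeMapper or FSDefaultRealmAttributePlugin classes: the Assertion and SPUser types, the entity IDs, the user store and the case-insensitive normalization of the common attribute are all assumptions made for the example. It shows the checks a service provider wants before it auto-federates: the assertion must come from a configured identity provider and verify, an existing federation for the name identifier is reused without consulting the attribute, and a new federation is recorded only when exactly one local account holds the common attribute value (zero or several matches refuse).

```python
"""Model of ID-FF auto-federation matching at a service provider.

Added illustration; not OpenSSO Enterprise code. It models the decision the
consuming service provider makes when an assertion arrives carrying the
configured Auto Federation Common Attribute Name.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Value configured in the console as the Auto Federation Common Attribute Name
COMMON_ATTRIBUTE = "emailaddress"


@dataclass
class Assertion:
    issuer: str                        # identity provider entity ID
    name_id: str                       # federation handle issued by the IdP
    attributes: Dict[str, List[str]]   # attribute statement carried in the assertion
    signature_valid: bool              # outcome of signature verification (constructed)


@dataclass
class SPUser:
    uid: str
    attributes: Dict[str, List[str]]
    federations: Dict[str, str] = field(default_factory=dict)  # issuer -> name_id


class AutoFederationError(Exception):
    """Raised when auto-federation must not proceed."""


def normalize(value: str) -> str:
    # Assumption: the common attribute is compared case-insensitively after
    # trimming, which suits e-mail addresses; adjust for other attributes.
    return value.strip().lower()


def auto_federate(assertion: Assertion, users: List[SPUser],
                  trusted_idps: Set[str], common_attr: str = COMMON_ATTRIBUTE) -> str:
    """Return the uid of the local account bound to the assertion's name identifier.

    An existing federation for (issuer, name_id) is reused without looking at
    the attribute. Otherwise exactly one local account must hold the same
    common-attribute value; zero or several matches abort the federation.
    """
    if assertion.issuer not in trusted_idps:
        raise AutoFederationError("issuer is not a configured identity provider")
    if not assertion.signature_valid:
        raise AutoFederationError("assertion signature did not verify")

    # Reuse an account already federated with this name identifier.
    for user in users:
        if user.federations.get(assertion.issuer) == assertion.name_id:
            return user.uid

    values = assertion.attributes.get(common_attr, [])
    if len(values) != 1:
        raise AutoFederationError(f"{common_attr} missing or multi-valued in assertion")
    wanted = normalize(values[0])

    matches = [u for u in users
               if wanted in {normalize(v) for v in u.attributes.get(common_attr, [])}]
    if len(matches) != 1:
        raise AutoFederationError(
            f"{len(matches)} local accounts hold {common_attr}={wanted!r}; refusing to federate")

    matches[0].federations[assertion.issuer] = assertion.name_id
    return matches[0].uid


def sample_users() -> List[SPUser]:
    # Constructed SP user store; bob and bob2 deliberately share an address.
    return [
        SPUser("alice", {"emailaddress": ["Alice@Example.com"]}),
        SPUser("bob", {"emailaddress": ["bob@example.com"]}),
        SPUser("bob2", {"emailaddress": ["bob@example.com"]}),
        SPUser("carol", {}),
    ]


def run_scenarios() -> Dict[str, str]:
    """Exercise the matcher against the constructed store; returns outcome per case."""
    idp = "https://idp.example.com"   # constructed entity ID
    users = sample_users()
    cases = {
        "unique_match": Assertion(idp, "nid-alice", {"emailaddress": ["alice@example.com"]}, True),
        "repeat_sso": Assertion(idp, "nid-alice", {"emailaddress": ["renamed@example.com"]}, True),
        "ambiguous": Assertion(idp, "nid-bob", {"emailaddress": ["bob@example.com"]}, True),
        "no_match": Assertion(idp, "nid-carol", {"emailaddress": ["carol@example.com"]}, True),
        "unsigned": Assertion(idp, "nid-x", {"emailaddress": ["alice@example.com"]}, False),
        "untrusted_idp": Assertion("https://rogue.example.net", "nid-y",
                                   {"emailaddress": ["alice@example.com"]}, True),
    }
    results = {}
    for name, assertion in cases.items():
        try:
            results[name] = "federated:" + auto_federate(assertion, users, {idp})
        except AutoFederationError as err:
            results[name] = "refused:" + str(err)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:14} {outcome}")
```

The "repeat_sso" case is the point of the name identifier: once alice is federated, a later assertion for the same handle binds to her account even though its attribute value has changed, so the common attribute is only consulted at first contact. The "ambiguous" case is why the procedure insists that every participating profile has a value for the attribute and why that value should be unique per user at the service provider: two local accounts holding the same e-mail address cannot be told apart, and linking either one silently would bind the wrong person's account.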