Sun Java System SAML v2 Plug-in for Federation Services User's Guide

Auto-Federation

The auto-federation feature automatically federates a user's disparate provider accounts based on a common attribute defined in the interacting providers' metadata. (It is also referred to as attribute federation.) When this common attribute is exchanged in a single sign-on assertion, it identifies the user at both provider sites and the appropriate federation is created automatically. Because the federation is created from the attribute value alone, choose an attribute that is unique per user at the service provider and that users cannot change themselves. The following sections describe procedures for auto-federation.


Note –

Auto-federation with the transient name identifier can also be configured as described in To Configure Single Sign-on without Service Provider User Account.


Procedure: To Enable Auto-Federation

Before You Begin

You must configure the attribute mapper on the identity provider side so that the common attribute is included in the AttributeStatement of the assertion. You must also configure the attribute mapper on the service provider side to use the common attribute to locate the user.


Note –

You can also configure the account mapper on the service provider side to map all users to a single user (such as anonymous).


  1. Export the identity provider's current extended metadata configuration to a file.

    saml2meta [-i staging-directory] export -u amadmin -w password -e IDP-entityID -x IDP-extended-XML-file-name

  2. Edit the following attributes in the exported extended metadata configuration file.

    • autofedEnabled takes a value of true.

    • autofedAttribute defines the common attribute. For example, <Value>employeeNumber</Value>

    • attributeMap defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute-value=remote-provider-attribute. For example:

      <Attribute name="attributeMap">
      <Value>employeeNumber=employeeNumber</Value>
      </Attribute>
  3. Remove the identity provider's current extended metadata configuration.

    saml2meta [-i staging-directory] delete -u amadmin -w password -e IDP-entityID -c

  4. Import the identity provider's modified extended metadata configuration file.

    saml2meta [-i staging-directory] import -u amadmin -w password -x IDP-extended-XML-file-name

  5. Restart the web container.

  6. Repeat steps 1 through 5 for the service provider's extended metadata, using the service provider's entity ID and extended metadata file name in place of the identity provider's.

  7. To test, invoke single sign-on from the service provider.

    Following the auto-federation, two SAML v2 attributes holding the name identifier information for the new federation, and their values, are written to the user's data store entry.

Procedure: To Configure Single Sign-on Without Data Store Writes

This interaction uses auto-federation with the transient name identifier. There is a one-to-one mapping between user accounts configured with the identity provider and the service provider based on the value of one attribute, but because the name identifier is transient no persistent federation is stored. The following procedure describes how to configure single sign-on without writing to the user's data store entry.

  1. Export the identity provider's current extended metadata configuration to a file.

    saml2meta [-i staging-directory] export -u amadmin -w password -e IDP-entityID -x IDP-extended-XML-file-name

  2. Edit the following attributes in the exported extended metadata configuration file.

    • autofedEnabled takes a value of true.

    • autofedAttribute defines the common attribute on the identity provider side. For example, mail.

    • attributeMap defines the mapping between the identity provider's attribute and the remote provider's attribute. It takes a value of autofedAttribute-value=remote-provider-attribute. For example:

      <Attribute name="attributeMap">
      <Value>mail=mail</Value>
      </Attribute>
  3. Remove the identity provider's current extended metadata configuration.

    saml2meta [-i staging-directory] delete -u amadmin -w password -e IDP-entityID -c

  4. Import the identity provider's modified extended metadata configuration file.

    saml2meta [-i staging-directory] import -u amadmin -w password -x IDP-extended-XML-file-name

  5. Restart the web container.

  6. Export the service provider's current extended metadata configuration to a file.

    saml2meta [-i staging-directory] export -u amadmin -w password -e SP-entityID -x SP-extended-XML-file-name

  7. Edit the following attributes in the exported extended metadata configuration file.

    • transientUser takes a null (empty) value, so that the user is located from the common attribute rather than mapped to a single fixed transient user.

    • autofedEnabled takes a value of true.

    • autofedAttribute defines the common attribute. For example, mail.

    • attributeMap defines the mapping between the provider that this metadata is configuring and the remote provider. This attribute takes a value of autofedAttribute-value=remote-provider-attribute. For example:

      <Attribute name="attributeMap">
      <Value>mail=mail</Value>
      </Attribute>
  8. Remove the service provider's current extended metadata configuration.

    saml2meta [-i staging-directory] delete -u amadmin -w password -e SP-entityID -c

  9. Import the service provider's modified extended metadata configuration file.

    saml2meta [-i staging-directory] import -u amadmin -w password -x SP-extended-XML-file-name

  10. Restart the web container.

  11. To test, invoke the single sign-on URL with the NameIDFormat=transient query parameter appended to it.

    All identity provider users will be mapped to the corresponding user on the service provider side based on the value of the mail attribute, but, because the name identifier is transient, the auto-federation attributes will not be written to the user entry.
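The following script is an added example and is not part of the plug-in. It performs the file edits of step 2 in the first procedure and steps 2 and 7 in the second procedure (autofedEnabled, autofedAttribute, attributeMap, and for the transient variant transientUser) on an exported extended metadata file, and checks the edited file against the procedure before it is handed to the saml2meta import step. The sample metadata, entity IDs, metaAlias values and the namespace URI are constructed for the example; the element names follow the fragments quoted in the procedures.

```python
"""Edit and check auto-federation settings in a SAML v2 extended metadata file.

Added example; not part of the Sun Java System SAML v2 Plug-in. The saml2meta
export, delete and import steps stay on the command line.
"""
import xml.etree.ElementTree as ET

# Constructed samples shaped like exported extended metadata. Entity IDs, metaAlias
# values and the namespace URI are assumptions for the sample only.
SAMPLE_IDP_EXTENDED = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="1" entityID="https://idp.example.com">
  <IDPSSOConfig metaAlias="/idp">
    <Attribute name="autofedEnabled"><Value>false</Value></Attribute>
    <Attribute name="autofedAttribute"><Value></Value></Attribute>
    <Attribute name="attributeMap"></Attribute>
  </IDPSSOConfig>
</EntityConfig>"""

SAMPLE_SP_EXTENDED = """<EntityConfig xmlns="urn:sun:fm:SAML:2.0:entityconfig"
    hosted="1" entityID="https://sp.example.com">
  <SPSSOConfig metaAlias="/sp">
    <Attribute name="transientUser"><Value>anonymous</Value></Attribute>
    <Attribute name="autofedEnabled"><Value>false</Value></Attribute>
    <Attribute name="autofedAttribute"><Value></Value></Attribute>
    <Attribute name="attributeMap"><Value>uid=uid</Value></Attribute>
  </SPSSOConfig>
</EntityConfig>"""

ROLE_ELEMENT = {"idp": "IDPSSOConfig", "sp": "SPSSOConfig"}


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on qualified tag names."""
    return tag.rsplit("}", 1)[-1]


def _role_config(root, role):
    for el in root.iter():
        if _local(el.tag) == ROLE_ELEMENT[role]:
            return el
    raise ValueError(f"no {ROLE_ELEMENT[role]} element in extended metadata")


def _values(config, name):
    """Return the <Value> texts of <Attribute name=...>, or None if absent."""
    for attr in config:
        if _local(attr.tag) == "Attribute" and attr.get("name") == name:
            return [(v.text or "").strip() for v in attr if _local(v.tag) == "Value"]
    return None


def _set_values(config, name, values):
    """Replace the <Value> children of <Attribute name=...>, creating it if missing."""
    ns = config.tag[: config.tag.index("}") + 1] if config.tag.startswith("{") else ""
    attr = next((a for a in config
                 if _local(a.tag) == "Attribute" and a.get("name") == name), None)
    if attr is None:
        attr = ET.SubElement(config, ns + "Attribute", name=name)
    for child in list(attr):
        attr.remove(child)
    for v in values:
        ET.SubElement(attr, ns + "Value").text = v


def configure_autofed(xml_text, role, attribute, remote_attribute=None, transient=False):
    """Return xml_text with auto-federation enabled for role ("idp" or "sp").

    attribute is the common attribute (autofedAttribute); remote_attribute is the
    right-hand side of the attributeMap entry and defaults to the same name, as in
    employeeNumber=employeeNumber. attributeMap entries for other attributes are kept.
    transient=True also nulls transientUser on the SP (the "Without Data Store
    Writes" variant).
    """
    root = ET.fromstring(xml_text)
    if root.tag.startswith("{"):  # keep the default namespace on output
        ET.register_namespace("", root.tag[1 : root.tag.index("}")])
    config = _role_config(root, role)
    kept = [e for e in (_values(config, "attributeMap") or [])
            if e.split("=", 1)[0] != attribute]
    _set_values(config, "autofedEnabled", ["true"])
    _set_values(config, "autofedAttribute", [attribute])
    _set_values(config, "attributeMap", kept + [f"{attribute}={remote_attribute or attribute}"])
    if transient:
        if role != "sp":
            raise ValueError("transientUser is a service provider setting")
        _set_values(config, "transientUser", [""])
    if hasattr(ET, "indent"):  # Python 3.9+
        ET.indent(root)
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + ET.tostring(root, encoding="unicode")


def check_autofed(xml_text, role, transient=False):
    """Return the list of deviations from the procedure; empty means it matches."""
    config = _role_config(ET.fromstring(xml_text), role)
    problems = []
    if _values(config, "autofedEnabled") != ["true"]:
        problems.append("autofedEnabled is not true")
    common = _values(config, "autofedAttribute") or []
    if len(common) != 1 or not common[0]:
        problems.append("autofedAttribute must name exactly one attribute")
    entries = _values(config, "attributeMap") or []
    for e in entries:
        left, sep, right = e.partition("=")
        if not (left and sep and right):
            problems.append(f"attributeMap entry {e!r} is not local=remote")
    if common and common[0] and not any(e.partition("=")[0] == common[0] for e in entries):
        problems.append(f"attributeMap has no entry for {common[0]}")
    if transient:
        tu = _values(config, "transientUser")
        if role != "sp" or tu is None or any(tu):
            problems.append("transientUser is missing or not null")
    return problems
```

Run check_autofed on the edited file before the saml2meta import step, so a malformed attributeMap entry or a mismatch between autofedAttribute and the map is caught on the workstation rather than discovered as a failed single sign-on after the web container restart.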