Auto Link Accounts is an action that creates a link between the incoming subject from the authenticator and another subject found in the authenticated sessions (i.e., the SSO sessions).
For a more detailed guide on how to work with account linking see Account Linking.
Auto Link Accounts silently creates a link between two subjects – the foreign account and the local account. The local account is the account found in the configured Account Manager. The foreign account is a subject (username) that is bound to the local account.
The link is only created if a session for the configured Account Domain is found among the authenticated sessions. If no such session exists, the action silently passes without linking.
Two things are needed for auto-linking accounts:
The following configuration is needed for linking to work.
If use-linked-account-as-main-account is set to true, the roles are reversed: the linking-account-domain is treated as the local account and is expected to be found among the accounts held by the linking-account-manager, while the authenticator that this action is configured on supplies the foreign account. This is also referred to as reverse linking.
When use-linked-account-as-main-account=true, the current authenticator's account-domain is stored in the database as the linking domain.
Fig. 97 Auto Link Account Configuration Dialog
In some setups, where it is impossible to use the auto-create-account action to link two foreign accounts, an arbitrary attribute can be selected to act as the account id stored in the link.
If use-linked-account-as-main-account is enabled, then this attribute is picked from the Authenticated Sessions, otherwise it is taken from the incoming attributes from the authenticator this action runs on.
The account-id-in-attribute-source setting defines the source location of that attribute: subject-attributes or context-attributes when using the Authenticated Sessions; subject-attributes, context-attributes, or action-attributes when using the incoming attributes from the authenticator this action runs on.
A runtime error is returned on every request that uses this action if account-id-in-attribute-source is configured as action-attributes while the Authenticated Sessions are the source of the account id (i.e., use-linked-account-as-main-account is true), because sessions carry no action attributes.
No check is made to verify that the account corresponding to the given ID exists.
Using an arbitrary attribute this way can cause several problems, since there is no guarantee that its value is globally unique and immutable.
It is strongly suggested to use an auto-create-account action before this one instead, to avoid any future issues (see Linking two foreign accounts using auto create account).
It is strongly recommended NOT to use an attribute that might change, such as the subject (username) or email.