Curity logo Documentation
  • Visit curity.io
  • Developers
    Curity Developer Portal
    Developer Portal Build or integrate with the Curity Identity Server.
    Start Downloads Support Resource Library Libraries and SDKs
  • Contact

  • Home

Table of Contents

  • System Admin Guide
  • Authentication Service Admin Guide
    • Overview
    • Defining an Authentication Service Profile
    • Authenticators
    • Authentication Actions
      • Overview
      • Attribute Prompt Action
      • Auto Create Account
      • Auto Link Accounts
        • Overview
        • Configuration
        • Advanced
      • Conditional Multi-Factor
      • Data Source Transformer Action
      • Date/Time Deny Action
      • Debug Attribute Action
      • Geolocation Allow or Deny Country Action
      • Geolocation Changed Country Action
      • Geolocation Impossible Journey Action
      • Geolocation New Country Action
      • Lookup Links Action
      • Regular Expression Transformer Action
      • Remove Attribute Transformer Action
      • Reset Password
      • Resolve Account Link
      • Script Transformer Action
      • Sequence Action
      • Switch Action
      • Time-based Deny Action
      • Zone Transfer
    • Multi-Factor Authentication
    • Account Linking
    • Protocol Plugins
    • Account Manager
    • Service Providers
    • Authenticator Filters
    • Single Sign-On
    • Automatic Login
    • Logout
    • Geolocation
  • Token Service Admin Guide
  • User Management Admin Guide
  • Developer Guide
  • Configuration Guide
  • Glossary
  • Docs /
  • Authentication Service Admin Guide /
  • Authentication Actions /
  • Auto Link Accounts

Auto Link Accounts¶

Auto Link Accounts is an action that creates a link between the incoming subject from the authenticator, and another subject found in the authenticated sessions (i.e., SSO sessions).

Note

For a more detailed guide on how to work with account linking see Account Linking.

Overview¶

Auto link account silently creates a link between two subjects – the foreign account and the local account. The local account is the account found in the configured Account Manager. The foreign account is a subject (username) that should be bound to the local account.

It only creates the link if it can find the session of the configured Account Domain in the authenticated sessions. If not, it silently passes without linking.

Configuration¶

Two things are needed for auto-linking accounts:

  1. An account domain configured on the foreign authenticator that should be linked when seen
  2. The auto link accounts action on the other authenticator that should perform the link

The following configuration is needed for linking to work.

Configuration Mandatory Description
linking-account-manager yes Where the account should be linked, also where the local account is present
linking-account-domain yes What account-domain to look for when linking
use-linked-account-as-main-account no (Default false) If true, then the account manager contains the foreign account, so linking is reversed
overwrite-existing-link no (Default false) if a link exist, overwrite it.
advanced/account-id-in-attribute no Use an arbitrary attribute as the account id. This can have very negative implications on your setup, so use with caution.

If use-linked-account-as-main-account is set to true, then the linking-account-domain is treated as the local account and is expected to be found in the accounts that the linking-account-manager holds, and the current authenticator that the action is configured on is the foreign account. This is also referred to as reverse linking.

Important

When using use-linked-account-as-main-account=true, the current authenticator’s account-domain will be used in the database as the linking domain.

../../_images/auto-link-account-config.png

Fig. 92 Auto Link Account Configuration Dialog

Advanced¶

Account Id in Attribute¶

In some setups, where it is impossible to use the auto-create-account action to link two foreign accounts, an arbitrary attribute can be selected to act as a the account id stored in the link. If use-linked-account-as-main-account is enabled, then this attribute is picked from the Authenticated Sessions, otherwise it is taken from the incoming attributes from the authenticator this action runs on. No check is made to verify that the account corresponding to the given ID exists. Doing this might cause several problems as there is no guarantee that the value of this attribute is globally unique and immutable. It is strongly suggested to use a auto-create-account action before this one, instead, to avoid any future issues (see Linking two foreign accounts using auto create account).

Warning

It is strongly recommended to NOT use an attribute that might change such as subject (username) or email.

Table of Contents
Copyright © 2015-2021 Curity AB. All rights reserved.