Auto Link Accounts is an action that creates a link between the incoming subject from the authenticator, and another subject found in the authenticated sessions (i.e., SSO sessions).
Note
For a more detailed guide on how to work with account linking see Account Linking.
Auto link account silently creates a link between two subjects – the foreign account and the local account. The local account is the account found in the configured Account Manager. The foreign account is a subject (username) that should be bound to the local account.
It only creates the link if it can find the session of the configured Account Domain in the authenticated sessions. If not, it silently passes without linking.
Two things are needed for auto-linking accounts:
The following configuration is needed for linking to work.
account-domain
If use-linked-account-as-main-account is set to true, then the linking-account-domain is treated as the local account and is expected to be found in the accounts that the linking-account-manager holds, and the current authenticator that the action is configured on is the foreign account. This is also referred to as reverse linking.
Important
When using use-linked-account-as-main-account=true, the current authenticator’s account-domain will be used in the database as the linking domain.
Fig. 97 Auto Link Account Configuration Dialog
In some setups, where it is impossible to use the auto-create-account action to link two foreign accounts, an arbitrary attribute can be selected to act as the account ID stored in the link. If use-linked-account-as-main-account is enabled, this attribute is picked from the Authenticated Sessions; otherwise it is taken from the incoming attributes from the authenticator this action runs on. No check is made to verify that the account corresponding to the given ID exists. Doing this might cause several problems, as there is no guarantee that the value of this attribute is globally unique and immutable. To avoid any future issues, it is strongly suggested to use an auto-create-account action before this one instead (see Linking two foreign accounts using auto create account).
Warning
It is strongly recommended to NOT use an attribute that might change such as subject (username) or email.
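Why the warning matters, shown as an added example (not Curity code): a small in-memory model of a link whose stored account ID is taken from a chosen attribute. The `Account` and `LinkStore` classes, the domain and subject names, and the sample accounts are all constructed for illustration.

```python
# Constructed model, not Curity code: a link row binds a foreign subject in a
# linking domain to whatever value was stored as the local account id.
from dataclasses import dataclass


@dataclass
class Account:
    account_id: str  # immutable id assigned when the account is created
    email: str       # attribute the user (or an admin) can change later


class LinkStore:
    def __init__(self):
        self.links = {}

    def link(self, domain, foreign_subject, stored_id):
        # As on the page: no check that stored_id matches an existing account.
        self.links[(domain, foreign_subject)] = stored_id

    def resolve(self, domain, foreign_subject, accounts, key):
        """Return ids of accounts whose `key` attribute equals the stored value."""
        stored = self.links.get((domain, foreign_subject))
        if stored is None:
            return []
        return [a.account_id for a in accounts if getattr(a, key) == stored]


def simulate(key):
    """Link alice via attribute `key`; return lookups at three points in time."""
    alice = Account("acc-1001", "alice@example.com")
    bob = Account("acc-1002", "bob@example.com")
    accounts = [alice, bob]
    store = LinkStore()
    store.link("foreign-domain", "alice-foreign", getattr(alice, key))

    def lookup():
        return store.resolve("foreign-domain", "alice-foreign", accounts, key)

    at_link_time = lookup()
    alice.email = "alice@new.example"   # value changed: link matches nobody
    after_change = lookup()
    bob.email = "alice@example.com"     # value reused: link matches bob
    after_reuse = lookup()
    return at_link_time, after_change, after_reuse


if __name__ == "__main__":
    print("email     :", simulate("email"))
    print("account_id:", simulate("account_id"))
```

With `email` as the stored value, the link first resolves to alice, then to no account, then to bob's account; with the immutable `account_id` it resolves to alice at every step.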