6.6.0

• Home

Table of Contents

• System Admin Guide
• Authentication Service Admin Guide
  • Overview
  • Defining an Authentication Service Profile
  • Authenticators
  • Authentication Actions
    • Overview
    • Attribute Prompt Action
    • Auto Create Account
    • Auto Link Accounts
      • Overview
      • Configuration
      • Advanced
    • Conditional Multi-Factor
    • Data Source Transformer Action
    • Date/Time Deny Action
    • Debug Attribute Action
    • Geolocation Allow or Deny Country Action
    • Geolocation Changed Country Action
    • Geolocation Impossible Journey Action
    • Geolocation New Country Action
    • Lookup Links Action
    • Opt-In MFA
    • Regular Expression Transformer Action
    • Remove Attribute Transformer Action
    • Reset Password
    • Resolve Account Link
    • Script Transformer Action
    • Sequence Action
    • Switch Action
    • Time-based Deny Action
    • Zone Transfer
  • Multi-Factor Authentication
  • Account Linking
  • Protocol Plugins
  • Account Manager
  • Service Providers
  • Authenticator Filters
  • Single Sign-On
  • Automatic Login
  • Logout
  • Geolocation
• Token Service Admin Guide
• User Management Admin Guide
• Developer Guide
• Configuration Guide
• Glossary

Auto Link Accounts

Auto Link Accounts is an action that creates a link between the incoming subject from the authenticator, and another subject found in the authenticated sessions (i.e., SSO sessions).

Note

For a more detailed guide on how to work with account linking see Account Linking.

Overview

Auto link account silently creates a link between two subjects – the foreign account and the local account. The local account is the account found in the configured Account Manager. The foreign account is a subject (username) that should be bound to the local account.

It only creates the link if it can find the session of the configured Account Domain in the authenticated sessions. If not, it silently passes without linking.

Configuration

Two things are needed for auto-linking accounts:

1. An account domain configured on the foreign authenticator that should be linked when seen
2. The auto link accounts action on the other authenticator that should perform the link

The following configuration is needed for linking to work.

Configuration	Mandatory	Description
linking-account-manager	yes	Where the account should be linked, also where the local account is present
linking-account-domain	yes	What account-domain to look for when linking
use-linked-account-as-main-account	no	(Default false) If true, then the account manager contains the foreign account, so linking is reversed
overwrite-existing-link	no	(Default false) if a link exist, overwrite it.
advanced/account-id-in-attribute	no	Use an arbitrary attribute as the account id. This can have very negative implications on your setup, so use with caution.

If use-linked-account-as-main-account is set to true, then the linking-account-domain is treated as the local account and is expected to be found in the accounts that the linking-account-manager holds, and the current authenticator that the action is configured on is the foreign account. This is also referred to as reverse linking.

Important

When using use-linked-account-as-main-account=true, the current authenticator’s account-domain will be used in the database as the linking domain.

Fig. 93 Auto Link Account Configuration Dialog

Advanced

Account Id in Attribute

In some setups, where it is impossible to use the auto-create-account action to link two foreign accounts, an arbitrary attribute can be selected to act as a the account id stored in the link. If use-linked-account-as-main-account is enabled, then this attribute is picked from the Authenticated Sessions, otherwise it is taken from the incoming attributes from the authenticator this action runs on. No check is made to verify that the account corresponding to the given ID exists. Doing this might cause several problems as there is no guarantee that the value of this attribute is globally unique and immutable. It is strongly suggested to use a auto-create-account action before this one, instead, to avoid any future issues (see Linking two foreign accounts using auto create account).

Warning

It is strongly recommended to NOT use an attribute that might change such as subject (username) or email.