Auto Link Accounts is an action that creates a link between the incoming subject from the authenticator, and another subject found in the authenticated sessions (i.e., SSO sessions).
For a more detailed guide on how to work with account linking see Account Linking.
Auto link account silently creates a link between two subjects – the foreign account and the local account. The local account is the account found in the configured Account Manager. The foreign account is a subject (username) that should be bound to the local account.
It only creates the link if it can find the session of the configured Account Domain in the authenticated sessions. If not, it silently passes without linking.
Two things are needed for auto-linking accounts:
The following configuration is needed for linking to work.
If use-linked-account-as-main-account is set to true, then the linking-account-domain is treated as the local account and is expected to be found in the accounts that the linking-account-manager holds, and the current authenticator that the action is configured on is the foreign account. This is also referred to as reverse linking.
When using use-linked-account-as-main-account=true, the current authenticator’s account-domain will be used in the database as the linking domain.
Fig. 92 Auto Link Account Configuration Dialog
In some setups, where it is impossible to use the auto-create-account action to link two foreign accounts, an arbitrary attribute can be selected to act as a the account id stored in the link.
If use-linked-account-as-main-account is enabled, then this attribute is picked from the Authenticated Sessions, otherwise it is taken from the incoming attributes from the authenticator this action runs on.
The account-id-in-attribute-source setting defines the specific source location, which can be subject-attributes or context-attributes, when using Authenticated Sessions;
or subject-attributes, context-attributes, or action-attributes, when using the incoming attributes from the authenticator this action runs on.
A run time error will be returned on every request using this action if account-id-in-attribute-source is configured to be action-attributes and the configuration is using the Authenticated Sessions as the source for the account id information.
No check is made to verify that the account corresponding to the given ID exists.
Doing this might cause several problems as there is no guarantee that the value of this attribute is globally unique and immutable.
It is strongly suggested to use a auto-create-account action before this one, instead, to avoid any future issues (see Linking two foreign accounts using auto create account).
It is strongly recommended to NOT use an attribute that might change such as subject (username) or email.
By default this action will create the link without any user interaction.
However, it is possible to ask the user for confirmation before creating the link.
This is done via a confirmation screen where the user can allow or deny the link creation.
To enable the user confirmation screen, the user-confirmation setting needs to be added to the configuration.
This setting has inner settings that allow the control of the information displayed to the user, namely:
The settings under user-confirmation only change the information that is presented to the user and not the information that is stored in the link.
The action-attributes attribute location will be empty when the information is coming from the authenticated session. This means that this location should only be used for the local account identifier if use-linked-account-as-main-account is false or for the foreign account identifier if use-linked-account-as-main-account is true.