From: Krzysztof B. <kb...@un...> - 2023-08-24 09:17:59

Hi Sander,

On 23.08.2023 at 14:15, Sander Apweiler wrote:
> Hi Krzysztof, hi Roman,
> in our new setup we have the requirement that users have only one
> account, even if they log in via different upstream IdPs. Since LDAP
> is also one of the identity providers, I do not have a persistent
> identifier from the home organisation but can only use the email
> address for this. Of course the email address is a bad choice because it is
> reused after a retention period if the user leaves the home
> organisation.
>
> To have the email unique across the users we would need to store it as
> an identity of the account. Please correct me if I am wrong on this
> point.

You are correct.

> If a user logs in and there is already an account with the used email
> address we want to start the account linking procedure instead of
> automatically linking the accounts or just giving access because of the
> same email address. With this step we want to avoid providing access to
> an old account where the user does not exist anymore and is not yet
> removed.
>
> By reading the manual and testing I was just able to automatically
> bind the user to one entity. The second identity from the upstream IdP
> was not taken into account. So I have at the moment two questions.
>
> 1. Is there a way to configure Unity to log the user in if both
> identities exist at the entity? E.g. username+email for LDAP or
> id+email for others.

Yes, there is: in the input profile you need to set up REQUIRE_MATCH for both identity types required for a given IdP. Then the login will be successful only if both match.

> 2. Is there a way to trigger the account linking if the login provides
> only one of the stored identities but not the second one?

Unfortunately not. When using REQUIRE_MATCH the failure is critical, i.e. it does not allow associating the remote identity with some local one. We would need a new feature for that.

> I hope you can understand the scenario.

I think more or less yes.

HTH,
Krzysztof
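The matching behaviour discussed in this thread, as an added illustration that is not Unity's code and does not use Unity's profile format: a small model of an entity store where identities (userName, email) are unique per entity, and a resolver that applies the "require both identities to match" rule Krzysztof describes. The entity records, identity type names, `resolve` function and `Outcome` values are assumptions made for this example. It shows the hazard of matching on email alone (a reused email logs the newcomer into the leaver's old account) next to the REQUIRE_MATCH-style outcome (partial match is refused, nothing is linked automatically).

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(Enum):
    LOGIN = "login"    # every required identity matched the same existing entity
    CREATE = "create"  # no required identity matched: a fresh entity may be created
    REFUSE = "refuse"  # some but not all matched: refuse, leave accounts unlinked


@dataclass
class Entity:
    """Assumed shape of a local account: an id plus identity type -> value."""
    entity_id: int
    identities: Dict[str, str]


def resolve(remote: Dict[str, str], required: Tuple[str, ...],
            entities: List[Entity]) -> Tuple[Outcome, Optional[int]]:
    """Apply a 'require match on all listed identity types' rule.

    `remote` is what the upstream IdP delivered for this login,
    `required` the identity types that must all match one entity.
    Identity values are assumed unique across entities (as the thread
    says email must be); a duplicate is a data error, not a match.
    """
    missing = [t for t in required if t not in remote]
    if missing:
        raise ValueError(f"remote login lacks required identities: {missing}")

    matched: Dict[str, Optional[int]] = {}
    for itype in required:
        hits = [e.entity_id for e in entities
                if e.identities.get(itype) == remote[itype]]
        if len(hits) > 1:
            raise ValueError(f"identity {itype}={remote[itype]!r} is not unique")
        matched[itype] = hits[0] if hits else None

    ids = set(matched.values())
    if ids == {None}:
        return Outcome.CREATE, None
    if None not in ids and len(ids) == 1:
        return Outcome.LOGIN, ids.pop()
    # One identity points at an existing entity, the other does not (or at
    # a different one): do not log in, do not link, let a human decide.
    return Outcome.REFUSE, None


# Constructed sample store: entity 1 belongs to someone who left the
# organisation but has not been removed yet; their email got reused.
ENTITIES = [
    Entity(1, {"userName": "asmith", "email": "a.smith@example.org"}),
    Entity(2, {"userName": "bjones", "email": "b.jones@example.org"}),
]
LDAP_REQUIRED = ("userName", "email")   # both must match for the LDAP IdP
EMAIL_ONLY = ("email",)                 # the weak rule the thread warns about


def demo() -> Dict[str, Tuple[Outcome, Optional[int]]]:
    newcomer_with_reused_email = {"userName": "asmith2",
                                  "email": "a.smith@example.org"}
    returning_user = {"userName": "bjones", "email": "b.jones@example.org"}
    brand_new_user = {"userName": "cnew", "email": "c.new@example.org"}
    return {
        "reused_email_match_on_email_only":
            resolve(newcomer_with_reused_email, EMAIL_ONLY, ENTITIES),
        "reused_email_require_both":
            resolve(newcomer_with_reused_email, LDAP_REQUIRED, ENTITIES),
        "returning_user_require_both":
            resolve(returning_user, LDAP_REQUIRED, ENTITIES),
        "brand_new_user_require_both":
            resolve(brand_new_user, LDAP_REQUIRED, ENTITIES),
    }


if __name__ == "__main__":
    for case, (outcome, entity_id) in demo().items():
        print(f"{case}: {outcome.value} entity={entity_id}")
```

The first case is the one the thread wants to avoid: matching on email alone hands the leaver's old entity to the newcomer. Requiring both identity types turns that into a refusal, at the cost Krzysztof notes: the refusal is final, and the resolver offers no path into an account-linking step.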