From: Krzysztof B. <kb...@un...> - 2024-08-21 09:27:27
Hi Sander,

On 19.08.2024 at 10:22, Sander Apweiler wrote:
> Good morning Krzysztof,
> good morning Roman,
>
> We are setting up a new unity instance as proxy for services offered by
> our institute. This should give users always the same look and feel in
> the login. The main account source is a local OP, but it is also
> connected to a few selected external OPs.
>
> Another condition is that users shall have only one account. For this
> reason we are using the email address as a second identifier, beside
> the sub of OIDC. As far as I understood we must use the "REQUIRE_MATCH"
> policy if both identifiers must match. Can you confirm this? When we
> are using the "REQUIRE_MATCH" user must create an account, e.g. via No
> account? Sign up! link in the UI before they login to unity in the
> normal login flow. Can you confirm this, too? When we use the
> "CREATE_OR_MATCH" policy unity recognises that users are not registered
> in the system, if the users login for the first time, but unity would
> start merging users only by the email from different OPs. Since email
> addresses are reused in time, we do not want to have an implicit merge
> by email address only.

I'm not 100% sure if I understood all the details here, but roughly all of the above sounds correct to me.

> In 9 years of operating those kinds of proxies, we made the experience,
> the users do not follow the No Account? Sign Up link, if they see the
> big WAYF and can select their home organisation. Also service providers
> do not want to have this additional step of clicking on the
> registration button before users can start using the service.
> Do you see any possibilities to have the identity mapping like
> REQUIRE_MATCH but display the registration/associate buttons, if the
> user is not known in the system?

Yes, use the MATCH policy.

If there is no match, Unity can show an option to register after the failed login (you have to set up a registration form for unknown users); you may also enable an option to associate the remotely authenticated user with an existing account (there is a checkbox on the authenticator). The registration form that you will link can be prefilled with data coming from the remote IdP, and you also have access to that data in the form's automation rules.

HTH,
Krzysztof
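As an added illustration, not taken from this thread or from Unity's own documentation, the following Unity input translation profile maps both the OIDC `sub` (available as `id`) and the email claim to existing identities with the MATCH effect, so an unknown user fails login and is offered the registration/association options instead of being silently created or merged. The profile name, the `identifier`/`email` identity types, the `sys:all` credential requirement and the `attr['email']` key are assumptions about the deployment:

```json
{
  "ver": "2",
  "name": "example-oidc-proxy-match",
  "description": "Added example, not from the thread. Assumes the remote OP sends sub (as id) and email. Both rules use MATCH: identities are matched to an existing entity but never created, so a first-time user fails login and gets the unknown-user registration form; no implicit merge by email alone happens.",
  "type": "INPUT",
  "rules": [
    {
      "condition": { "conditionValue": "true" },
      "action": {
        "name": "mapIdentity",
        "parameters": [ "identifier", "id", "sys:all", "MATCH" ]
      }
    },
    {
      "condition": { "conditionValue": "attr contains 'email'" },
      "action": {
        "name": "mapIdentity",
        "parameters": [ "email", "attr['email']", "sys:all", "MATCH" ]
      }
    }
  ]
}
```

Attach the profile to the OIDC authenticator and select the unknown-user registration form there; the form can then read `attr['email']` in its automation rules to prefill the email field.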