OpenAM: Permanent Links Between Federated Accounts

OpenAM Community LogoIn reading about SAML 2.0, I see SAML 2.0 federation does not require any sort of permanent or even persistent connection between accounts at the identity provider and the service provider. If however you do want to make permanent connections for a list of identity provider and service provider accounts, then the ssoadm bulk federation commands can help.

Before You Start

Before you can run the bulk federation commands, first establish the relationship between accounts, and also set up the providers including installation of the ssoadm command.

Consider a case where the identity provider is at and the service provider is at A demo user account has the Universal ID, id=demo,ou=user,dc=example,dc=org, on the identity provider. That maps to the Universal ID, id=demo,ou=user,dc=example,dc=com, on the service provider.

The ssoadm command then needs a file that maps local user IDs to remote user IDs, one per line, separated by the vertical bar character |. Each line of the file looks like this:


In this example, starting on the service provider side, the line for the demo user reads:


All the users’ accounts mapped in your file must exist at the identity provider and the service provider when you run the commands to link them.

See the OpenAM Installation Guide for details on installing OpenAM and the ssoadm command. The OpenAM Administration Guide describes how to create hosted providers and register remote providers.

Linking Federated Accounts in Bulk

After everything is set up, you can link the accounts using the ssoadm bulk federation commands.

  1. Prepare the data with the ssoadm do-bulk-federation command.
    This example starts on the service provider side.

    $ cat /tmp/user-map.txt
    $ ssoadm do-bulk-federation --metaalias /sp \
     --remoteentityid \
     --useridmapping /tmp/user-map.txt \
     --nameidmapping /tmp/name-map.txt \
     --adminid amadmin --password-file /tmp/pwd.txt \
     --spec saml2
    Bulk Federation for this host was completed. To complete the
    federation, name Id mapping file should be loaded to remote
  2. Copy the name ID mapping output file to the other provider.
    $ scp /tmp/name-map.txt's password: 
    name-map.txt                     100%  177     0.2KB/s   00:00
  3. Import the name ID mapping file with the ssoadm import-bulk-fed-data command.
    In this example, this step takes place on the identity provider side.

    $ ssoadm import-bulk-fed-data \
     --adminid amadmin --password-file /tmp/pwd.txt \
     --metaalias /idp --bulk-data-file /tmp/name-map.txt 
    Bulk Federation for this host was completed.

The accounts are now linked.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s