Account Merging / Federation / Brokering

Introduction

A CoreOne Authentication User can hold multiple references to external users from external identity providers, which is also known as federation or brokering. These external accounts can be merged into a local account either manually or automatically. Both processes are described here.

Auto Merging / Auto Registration

Whenever a user authenticates with an external identity provider and the authentication results in a user that is not yet linked to any CoreOne Authentication User, the system either tries to auto merge it or, if no user can be determined, renders the registration form.

In versions lower than 8.0 only one merging type is supported. The auto merging is performed by comparing the claim http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress from the external token to the user claims in the system. If there is a matching claim, the two accounts will be automatically linked.

From version 8.0 onward, each claim in the claim mapping configuration can be marked as a matching claim. For example, if you mark the mobile claim as a matching claim, the auto merging process will try to match the user based on that claim. Note that this only works if no more than one user has the same claim value.
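
The matching rule described above, as an added sketch that is not CoreOne code. The names LocalUser and resolve_external_login, the outcome labels, the way several marked claims are combined, and the fallback to registration when more than one user matches are assumptions made for illustration.

```python
from dataclasses import dataclass, field

EMAIL = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

@dataclass
class LocalUser:                      # hypothetical model of a local account
    name: str
    claims: dict                      # claim type -> value
    links: set = field(default_factory=set)   # {(provider, subject)}

def resolve_external_login(users, provider, subject, ext_claims, matching_claims):
    """Return (outcome, user); outcome is 'linked', 'merged' or 'register'."""
    key = (provider, subject)
    # An external user that is already linked never reaches auto merging.
    for u in users:
        if key in u.links:
            return "linked", u
    # Collect every local user sharing a value on a marked matching claim
    # (assumption: several marked claims are combined as a union).
    candidates = []
    for claim in matching_claims:
        value = ext_claims.get(claim)
        if not value:
            continue                  # external token did not carry this claim
        for u in users:
            if u.claims.get(claim) == value and u not in candidates:
                candidates.append(u)
    # Merge only on exactly one candidate. None or several means no user can
    # be determined, so the registration form is rendered (assumption).
    if len(candidates) == 1:
        candidates[0].links.add(key)
        return "merged", candidates[0]
    return "register", None

def demo():
    # Constructed sample accounts; bob and carol share a mobile number.
    users = [
        LocalUser("alice", {EMAIL: "alice@example.com", "mobile": "+41790000001"}),
        LocalUser("bob", {EMAIL: "bob@example.com", "mobile": "+41790000002"}),
        LocalUser("carol", {EMAIL: "carol@example.com", "mobile": "+41790000002"}),
    ]
    logins = [  # (provider, subject, external claims, marked matching claims)
        ("idp-a", "s1", {EMAIL: "alice@example.com"}, [EMAIL]),   # unique match
        ("idp-a", "s1", {EMAIL: "alice@example.com"}, [EMAIL]),   # now linked
        ("idp-b", "s2", {"mobile": "+41790000002"}, ["mobile"]),  # two users
        ("idp-b", "s3", {EMAIL: "nobody@example.com"}, [EMAIL]),  # no user
    ]
    return [resolve_external_login(users, *login)[0] for login in logins]

if __name__ == "__main__":
    print(demo())
```

The third login shows why the uniqueness note matters: a matching claim whose value is shared by two local users cannot select an account, so nothing is linked.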

Manual Merging

In the CoreOne Self-Service Portal, the user has the option to merge his CoreOne Authentication Service User with any configured external identity provider. By selecting the provider and authenticating against it, the external identity provider and its user will be merged into the current user.

Supported Protocols

Federation / Brokering is possible with both OIDC and SAML.

© ITSENSE AG. All rights reserved. ITSENSE and CoreOne are registered trademarks of ITSENSE AG.