Account linking settings
Each identity provider's settings include a section called Account linking. The settings in this section define:
- rules for linking an external account to an account in Blitz Identity Provider;
- rules for matching the attributes of an external account with the attributes of an account in Blitz Identity Provider.
Two setting modes are provided: basic and advanced.
An external account is linked to a Blitz Identity Provider account in the following scenarios:
- on the first login with an external account that is not yet linked to any account in Blitz Identity Provider;
- when the user links the account from the User profile.
Basic configuration
The basic configuration is performed with the Rule Builder. This mode suits typical account linking and attribute mapping scenarios.
The following settings are provided:
Allow one identity provider account to be bound to many accounts
- option selected: Blitz Identity Provider allows an external account to be linked to several Blitz Identity Provider accounts. When a user logs in with such an external account, they are asked to choose one of the linked accounts during login.
- option not selected: Blitz Identity Provider refuses to link an external account to a Blitz Identity Provider account if that external account is already linked to another Blitz Identity Provider account.
Prompt the user to enter login and password for binding if the account has not been identified
- option selected: if the configured matching rules do not find an account in Blitz Identity Provider, the user is prompted to identify and authenticate with an alternative method so that the external account can be linked.
- option not selected: Blitz Identity Provider does not allow login for users for whom no account could be matched. If a logon process for external accounts is configured, that process starts automatically.
Enable user registration
- option selected: the password entry form shows a link that can be used to register via the external provider.
- option not selected: registration via the external provider cannot be started from the password entry form.
Only one account must be found for linking according to the specified matching rules
- option selected: if the matching rules find more than one account, an error message is shown to the user.
- option not selected: if the matching rules find more than one account, the user can still continue the linking process.
Require password entry if the account has been identified
- option selected: the user must authenticate before their account is linked to the external provider account.
- option not selected: the account is linked to the external provider account automatically.
With the last option not selected, the decision to link rests entirely on the matching attributes. If the external provider does not verify the attribute used for matching (an email address, for example), whoever controls an external account carrying that value is linked to, and logged into, the matched Blitz Identity Provider account without proving they own it, so keep the password requirement unless the matched attribute is verified by the external provider.
Customizing account identity rules. You can create rules that match identity attributes of an external account to identity attributes in Blitz Identity Provider. Identity rules are written with `${attr_name}` substitution strings, where `attr_name` is the name of an attribute received from the external identity provider. A single rule may reference several attributes. For example, the rule `email=${default_email-}` means that the `email` attribute in Blitz Identity Provider is matched against the `default_email` attribute of the external account, provided that `default_email` is not empty. Several conditions can be combined in one rule (the + add condition link; all of them must hold at the same time), and alternative rules can be added (the + add an alternative rule link).
The Attributes block holds the rules for saving attributes. For example, the rule `email=${default_email}` means that the attribute named `email` in Blitz Identity Provider is populated with the value of the `default_email` attribute of the external account (for users who log in through that identity provider). If the `Master` checkbox is checked for the attribute, it is populated or updated on every login through the external identity provider. If the `Master` checkbox is unchecked, the attribute is populated only on the first login that results in the account being linked.
The User selection block defines how a Blitz Identity Provider account found by the configured matching rules is displayed to the user. The `Username` setting defines what is shown on the top line of the user card (the line intended for the account name). For example, `${family_name- } ${given_name-}` shows the user's last name and first name (if filled in) on the top line. The `User identifier` setting defines what is shown on the bottom line of the user card (the line intended for the account identifier). Values can be masked in these settings. For example, the rule `${phone_number&maskInMiddle(3,3)}` displays the middle digits of a phone number as `*`.
The Linked account block defines how a user's linked account is displayed in the external provider information shown in the admin console and in the user profile. The expression is evaluated on the data received when the user logs in through the external provider.
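To make the rule syntax above concrete, here is a small Python model of how the substitution strings, the matching rules with alternatives, the attribute-saving rules with the Master flag, and the user-card templates fit together. It is an added example written for this page, not Blitz Identity Provider's code. The placeholder grammar (`${name}`, `${name-default}`, `${name&maskInMiddle(n,m)}`), the reading of `maskInMiddle(n,m)` as "keep n leading and m trailing characters", the treatment of a condition that renders to an empty value as non-matching, and all account data are assumptions made for the illustration.

```python
import re
from typing import Dict, List, Optional, Tuple

# Placeholder grammar inferred from the page's examples (assumption, not the
# product's parser): ${name}, ${name-default}, ${name&maskInMiddle(n,m)}
_PLACEHOLDER = re.compile(
    r"\$\{(?P<name>[A-Za-z_][A-Za-z0-9_]*)"
    r"(?:-(?P<default>[^}&]*))?"
    r"(?:&maskInMiddle\((?P<head>\d+),(?P<tail>\d+)\))?\}"
)

# Constructed sample data, not real accounts.
EXTERNAL_ACCOUNT = {
    "default_email": "a.ivanov@example.com",
    "family_name": "Ivanov",
    "given_name": "Alexey",
    "phone_number": "79161234567",
}
BLITZ_ACCOUNTS = [
    {"id": "u1", "email": "a.ivanov@example.com"},
    {"id": "u2", "email": "p.petrov@example.com"},
    {"id": "u3", "email": "a.ivanov@example.com"},  # duplicate email: two candidates
]
# Alternative rules in order; each rule is a list of (Blitz attribute, template) conditions.
MATCH_RULES = [[("email", "${default_email-}")]]
# Attribute-saving rules: (Blitz attribute, template, Master flag).
ATTRIBUTE_RULES = [("email", "${default_email}", True)]


def mask_in_middle(value: str, head: int, tail: int) -> str:
    """Assumed meaning of maskInMiddle(n,m): keep the first n and last m characters
    and replace everything between them with '*'; values too short are masked entirely."""
    if len(value) <= head + tail:
        return "*" * len(value)
    return value[:head] + "*" * (len(value) - head - tail) + value[len(value) - tail:]


def render(template: str, attrs: Dict[str, str]) -> Optional[str]:
    """Substitute ${...} placeholders with external-account attributes.
    Returns None if a placeholder without a default names a missing or empty attribute."""
    out, pos = [], 0
    for m in _PLACEHOLDER.finditer(template):
        out.append(template[pos:m.start()])
        value = attrs.get(m.group("name"), "")
        if value == "":
            if m.group("default") is None:
                return None
            value = m.group("default")
        if m.group("head") is not None:
            value = mask_in_middle(value, int(m.group("head")), int(m.group("tail")))
        out.append(value)
        pos = m.end()
    out.append(template[pos:])
    return "".join(out)


def find_matching_accounts(rules, external, accounts) -> List[Dict[str, str]]:
    """Try the alternative rules in order; return the accounts matched by the first
    rule that matches anything. All conditions of a rule must hold. A condition that
    renders to nothing cannot match, so email=${default_email-} is skipped when
    default_email is empty instead of matching accounts whose email is empty."""
    for rule in rules:
        conditions = []
        for blitz_attr, template in rule:
            value = render(template, external)
            if not value:
                conditions = None
                break
            conditions.append((blitz_attr, value))
        if not conditions:
            continue
        matched = [a for a in accounts if all(a.get(k) == v for k, v in conditions)]
        if matched:
            return matched
    return []


def linking_outcome(matched, require_single: bool, prompt_on_miss: bool) -> str:
    """Next step of the login, following the basic-mode options described above."""
    if not matched:
        return "prompt_for_credentials" if prompt_on_miss else "deny"
    if len(matched) > 1:
        return "error" if require_single else "select_account"
    return "link"


def apply_attribute_rules(rules, external, account, first_link: bool):
    """Master rules update the Blitz attribute on every login; non-Master rules only
    on the login that creates the link."""
    for blitz_attr, template, master in rules:
        if not (master or first_link):
            continue
        value = render(template, external)
        if value is not None:
            account[blitz_attr] = value
    return account


def user_card(external) -> Tuple[Optional[str], Optional[str]]:
    """Top and bottom line of the user card, using the page's two example templates."""
    return (render("${family_name- } ${given_name-}", external),
            render("${phone_number&maskInMiddle(3,3)}", external))


if __name__ == "__main__":
    found = find_matching_accounts(MATCH_RULES, EXTERNAL_ACCOUNT, BLITZ_ACCOUNTS)
    print([a["id"] for a in found], linking_outcome(found, True, True))
    print(user_card(EXTERNAL_ACCOUNT))
```

Running it shows the case the "Only one account must be found" option exists for: the sample directory holds two accounts with the same email, so `email=${default_email-}` returns both and the outcome is `error` with the option selected and `select_account` without it. Dropping `default_email` from the external attributes makes the rule non-matching and routes the login to the credential prompt or to a denial, depending on the "Prompt the user to enter login and password" option.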
Advanced configuration
In the advanced configuration, the rules for account linking and attribute mapping are defined by a linking procedure written in Java. This mode offers maximum configuration flexibility and suits highly specialized account linking and attribute mapping scenarios.