Account linking settings

Each Identity Provider’s settings include a section called “Account linking”. You can use the settings in this section to define:

  • rules for linking an external account to an account in Blitz Identity Provider;

  • rules for matching attributes of an external account and an account in Blitz Identity Provider.

Two setting modes are provided:

  • Basic configuration - the configuration is performed using the Rule Builder. This mode is suitable for typical account linking and attribute mapping scenarios.

  • Advanced customization - account linking rules and attribute matching rules are defined by a linking procedure written in the Java programming language. This mode provides maximum configuration flexibility and is suitable for highly specialized account linking and attribute matching scenarios.

Linking an external account to an account in Blitz Identity Provider occurs in the following scenarios:

  • The first time you log in using an external account, if it is not already linked to any account in Blitz Identity Provider.

  • When the user binds an external account in the User profile.

The following settings are provided in the Basic Setup mode:

  • Option “Allow one Identity Provider account to be bound to many accounts”:

    • option selected - Blitz Identity Provider will allow an external account to be linked to multiple accounts in Blitz Identity Provider. When a user logs in with such an external account, they will be shown a selection of multiple linked accounts during the login process.

    • option not selected - Blitz Identity Provider will not allow an external account to be linked to a Blitz Identity Provider account if that external account is already linked to another Blitz Identity Provider account.

  • Option “Prompt the user to enter login and password for binding if the account has not been identified”:

    • option selected - the user will be prompted to identify and authenticate using an alternative method to bind an external account if the configured rules fail to find an account in Blitz Identity Provider.

    • option not selected - Blitz Identity Provider will not allow logins for users for whom no accounts could be mapped. If a logon process for external accounts is configured, the logon process will automatically start.

  • Option “Only one account must be found for linking according to the specified matching rules”:

    • option selected - if more than one account is found according to the matching rules, an error message will be displayed to the user.

    • option not selected - if more than one account is found according to the matching rules, there will be an option to continue the linking process.

  • Option “Require password entry if the account has been identified”:

    • option selected - the user will need to authenticate to link their account to an external vendor account.

    • option not selected - the account will be automatically linked to an external vendor account.

  • Customizing Account Identity Rules - You can create rules to match identity attributes from an external account to identity attributes in Blitz Identity Provider. To create identity rules, you must use ${attr_name} substitution strings, where attr_name is the name of the attribute received from the external identity provider. You can specify multiple attributes in a single rule. For example, the rule email=${default_email-} means that the email attribute in Blitz Identity Provider will map to the default_email attribute of the external account, provided that the default_email attribute is not empty. Multiple conditions that must be met simultaneously can be specified (using the “+ add condition” link), and alternative rules can be added (using the “+ add an alternative rule” link).

  • Block “Attributes” with rules for saving attributes. For example, the email=${default_email} rule means that an attribute named email in Blitz Identity Provider will be populated with the value from the default_email attribute of the external account (for users who have used that identity provider). If the attribute has a “Master” checkbox checked, the attribute will be populated or updated each time the user logs in through the external Identity Provider. If the “Master” checkbox is unchecked, it will be populated only on the first logon that results in a credential bind.

  • The “User’s Choice” block defines the rules for displaying to the user the Blitz Identity Provider accounts found by the configured matching rules. The “User Name” setting defines the information displayed on the top line of the user card (the line intended to display the account name). For example, ${family_name- } ${given_name-} specifies that the user’s last name and first name (if filled in) will be shown on the top line. The “User ID” setting determines the information displayed on the bottom line of the user card (the line intended to display the account ID). You can use value masking when customizing. For example, the ${phone_number&maskInMiddle(3,3)} rule will display the middle numbers of a phone number as *.
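
The following Python model is an added example, not Blitz Identity Provider code: it expands the substitution strings described above, evaluates matching rules (conditions combined with AND, alternative rules with OR) and maps the result to an outcome under the four Basic-mode options. The masking semantics (keep the first and last N characters), the order in which alternatives are tried, the outcome names and the default_phone and sub attributes are assumptions made for illustration.

```python
import re

# ${name}, ${name-default} and ${name&maskInMiddle(a,b)}, the forms shown on this page.
_SUB = re.compile(r"\$\{(\w+)(?:(-)([^}]*)|&maskInMiddle\((\d+),(\d+)\))?\}")

def mask_in_middle(value, head, tail):
    # Assumption: keep `head` leading and `tail` trailing characters, star the rest.
    if len(value) <= head + tail:
        return value
    hidden = len(value) - head - tail
    return value[:head] + "*" * hidden + value[head + hidden:]

def expand(template, attrs):
    def repl(m):
        name, dash, default, head, tail = m.groups()
        value = attrs.get(name) or ""
        if head is not None:
            return mask_in_middle(value, int(head), int(tail))
        return value or (default if dash else "")
    return _SUB.sub(repl, template)

def find_accounts(rules, ext_attrs, directory):
    """rules: list of alternative rules (OR); each maps attribute -> template (AND)."""
    for conditions in rules:
        wanted = {k: expand(t, ext_attrs) for k, t in conditions.items()}
        if not all(wanted.values()):
            continue  # empty external attribute: this alternative does not apply
        found = [a for a in directory if all(a.get(k) == v for k, v in wanted.items())]
        if found:  # assumption: the first alternative that finds accounts wins
            return found
    return []

def decide(found, only_one, require_password, prompt_login):
    """Outcome for the four Basic-mode options (hypothetical outcome names)."""
    if not found:
        return "prompt_login_and_password" if prompt_login else "login_refused"
    if len(found) > 1:
        return "error_multiple_accounts" if only_one else "user_may_continue"
    return "authenticate_then_link" if require_password else "auto_link"

# Constructed sample data, not taken from a real deployment.
DIRECTORY = [
    {"sub": "u1", "email": "ivan@example.com", "phone_number": "79991234567"},
    {"sub": "u2", "email": "shared@example.com"},
    {"sub": "u3", "email": "shared@example.com"},
]
RULES = [{"email": "${default_email-}"}, {"phone_number": "${default_phone-}"}]

if __name__ == "__main__":
    hit = find_accounts(RULES, {"default_email": "ivan@example.com"}, DIRECTORY)
    print(decide(hit, only_one=True, require_password=False, prompt_login=True))
```

With “Require password entry if the account has been identified” unselected, the link in this model is decided by the matched attribute alone, so matching rules should use only attributes that the external provider has verified.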
