...
- Who does account linking? External IdP
- Who merges account attributes? Internal IdP and External IdP
- Note, a different model would have the SP responsible for the attribute merging, which is a hybrid of approach 2 and 3. Who authenticates and handles attribute release? External IdP
- Who decides whether a given external ID source is trusted? SP
...
- Business affiliates
- Outbound affiliates
- Alternate factor (possibly)
Discussion
PlaceholderIf the SP were made responsible for the attribute merging (i.e., performing attribute queries or other lookups to get the "internal" user attributes), this example becames a hybrid of approach 2 and 3.
...
Approach 4:Account Linking at the IdP
...
In this model, the IdP itself manages the linking of External IDs to internal users. This model hides from the SP the fact that an External ID (or external credential) was used for authentication, allowing users to use internal and external credentials interchangeably. It also allows for "Bring Your Own Credential" support with no need for the SPs to perform customized support of account linking.
Responsibility
...
Matrix
- Who does account linking? Internal IdP
- Who merges account attributes? Internal IdP
- Who authenticates and handles attribute release? External IdP
- Who decides whether a given external ID source is trusted? Internal IdP
...
- Non-Business affiliates
- Ad-hoc personal affiliates (presuming an internal identity is created)
- Business affiliates
- Inbound affiliates (presuming an internal identity is created)
- Outbound affiliates
Discussion
PlaceholderDiscussion above presumes that the mapping done in the Internal IdP is a "global" mapping. It's also possible that the Internal IdP could allow per-SP mapping rules, in which case this case looks functionally much more like approach #2 (Account Linking at the SP), though the responsibility matrix is as shown in this example.