This can be done in the Helpdesk portal but it would be nice to have the automatic linking of authenticators to like users. The criteria by which to define 'like users' would be configurable within AAF.

For example, accounts in different repositories where the values of the User look up/mail/name attributes match can be considered the accounts of a single identity and thus authenticators be linked to all accounts. Furthermore, the matching shouldn't be limited to any particular attribute. Also we should be able to compare the values of different attributes in different repositories.

Comments

  • If I read this correctly you are asking for account matching across repositories for the purpose of single enrollment and license for users that have multiple IDs.

    Is this correct?

  • Correct. Ultimately we want to link the same set of authenticators to an identity's user account. These accounts can live in different repositories or the same ones.

  • Okay - I understand the idea.

    Your 'title' uses the word "Automatic"

    I am not sure how we could make this "Automatic". This could take a considerable amount of administrative configuration. As you mentioned there would need to be some cross-directory data matching and it may not be possible to use the same element across 3 or more directories. For instance, if I have accounts in 3 attached repositories - it might be possible to use email between 2 of those and employee ID between the other two. This could require some complex administration and is far from "Automatic". (Note - I am not saying this is a bad idea. Simply that it will likely require some configuration.)

    Do you have some idea of how "Automatic" might be accomplished?

  • You are right. The actual configuration/defining of the 'matching rules' would be something that needs to be done by the administrators of each instance/deployment as it would differ. I was thinking 'automatic' in the sense of the linking after the matching rules are defined. Upon the creation of a user in AAF, it would use the matching rules defined by the administrator to search out other accounts of the same identity and link authenticators.

  • Very good. I understand.

    I believe this feature is needed for convenience and to support our current licensing model.
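An added illustration of the admin-defined matching rules discussed in this thread (example code, not part of the original post or of AAF): the repository names, attribute names, rule format and sample accounts are all constructed assumptions. It follows the rules pairwise across repositories, as the comment about using email between two repositories and employee ID between the other two describes, and it declines to link automatically when a rule matches more than one candidate, because an auto-link on an ambiguous match would attach one person's authenticators to somebody else's account.

```python
from collections import deque
# Constructed sample data: three repositories with their own attribute names.
REPOS = {
    "corp_ad": [{"id": "ad-1", "mail": "Alice.Smith@example.com", "employeeID": "E100"},
                {"id": "ad-2", "mail": "bob@example.com", "employeeID": "E200"}],
    "ldap_hr": [{"id": "hr-1", "mail": "alice.smith@example.com"},
                {"id": "hr-2", "mail": "carol@example.com"}],
    "sql_legacy": [{"id": "sql-1", "empno": "E100"},
                   {"id": "sql-2", "empno": "E200"},
                   {"id": "sql-3", "empno": "E200"}],  # duplicate: must never auto-link
}
# Admin-defined rules (hypothetical format): (repo_a, attr_a, repo_b, attr_b).
# A different attribute pair may be used for each pair of repositories.
RULES = [("corp_ad", "mail", "ldap_hr", "mail"),
         ("corp_ad", "employeeID", "sql_legacy", "empno")]

def normalize(value):
    """Compare case-insensitively and ignore surrounding whitespace."""
    return value.strip().casefold() if isinstance(value, str) else None

def resolve_identity(repos, rules, start_repo, start_id):
    """Follow the rules in both directions from one account and collect every
    account of the same identity. A rule is followed only when it yields exactly
    one candidate; zero or several matches are reported, never linked."""
    start = next(a for a in repos[start_repo] if a["id"] == start_id)
    linked, ambiguous = {(start_repo, start_id)}, []
    queue = deque([(start_repo, start)])
    while queue:
        repo, acct = queue.popleft()
        for ra, attr_a, rb, attr_b in rules:
            if repo == ra:
                other, from_attr, to_attr = rb, attr_a, attr_b
            elif repo == rb:
                other, from_attr, to_attr = ra, attr_b, attr_a
            else:
                continue
            wanted = normalize(acct.get(from_attr))
            if wanted is None:
                continue
            matches = [a for a in repos[other] if normalize(a.get(to_attr)) == wanted]
            if len(matches) > 1:
                ambiguous.append((other, to_attr, wanted, len(matches)))
            if len(matches) != 1:
                continue
            key = (other, matches[0]["id"])
            if key not in linked:
                linked.add(key)
                queue.append((other, matches[0]))
    return linked, ambiguous
```

Running `resolve_identity(REPOS, RULES, "corp_ad", "ad-1")` links all three of Alice's accounts, while `"ad-2"` stays unlinked and reports the duplicate employee number in `sql_legacy` for an administrator to review.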