Managing Connections with Service Providers on Access Manager

Hi.
 
I signed up on the Access Manager portal (https://idp.somedomain.com/nidp/portal?locale=en_US) and clicked on the menu in the right corner. Manage Auto-Connect is one of the options in the drop-down menu.
I am trying to figure out what "Manage Auto-Connect" is. I can see a list of service providers with a broken connection status, and when I click "Enable Auto-Connect" under Action nothing happens. It also shows a message on the right: "<name of the SP> has access to http://schemas.xmlsoap.org...."
 
What is the purpose of this option?
 
Thanks for any feedback.
 
G
  • I'm also curious what this 'feature' does. What I notice is that only applications that use NameID persistent can 'connect'.

  • Use the Manage Auto-Connect option in the menu to auto-connect your accounts when accessing the user portal on an identity provider. When you auto-connect an account, you are telling your service provider to trust the authentication established at your identity provider.

    For example, if your company and a service provider have entered a trust agreement, you can auto-connect the accounts when you sign on to a service provider. After you auto-connect the accounts, Access Manager enables single sign-on. With single sign-on, you provide login credentials only once to be automatically authenticated and logged in to all service providers with whom you have previously connected. This is possible because the service providers trust the authentication provided by your identity provider. Changing login credentials at the service providers to match the identity provider is not necessary.

    On this page, the following options are available for the service providers that your identity provider trusts:

    • Disable Auto-Connect: Breaks the link between the user accounts.

    • Enable Auto-Connect: Links two user accounts. You authenticate once and retain control over how your personal information and preferences are used by the service providers.

  • This is a copy-paste from the documentation, but it doesn't really say much about what it actually does.

  • As per my understanding, persistent federation needs account linking between the SP and the IDP. When you click Enable Auto-Connect, the IDP will generate a name identifier for that particular SP.

    Clicking Disable Auto-Connect will send a de-federation request to the service provider to unlink the previous mapping.

    <SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
    <SOAP-ENV:Body>
    <samlp:ManageNameIDRequest ID="idY7SBH4NTHlXropnncUMwoBNk1kY" IssueInstant="2021-04-12T18:13:37Z" Version="2.0" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol">

    However, the SP should support the ManageNameIDRequest endpoint.
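    An added example for the exchange described in this reply, written for this thread and not taken from NetIQ/Micro Focus Access Manager or any SP product: a SAML 2.0 ManageNameIDRequest carrying <Terminate/> (the de-federation the IDP sends when Auto-Connect is disabled), and the SP-side endpoint logic that checks the issuer, the persistent NameID format and the SPNameQualifier, removes the account link, and answers with a ManageNameIDResponse. Entity IDs, the NameID value and the account-link table are constructed; the function names are this example's own.

```python
# Added example (not NetIQ/Micro Focus code): SAML 2.0 ManageNameIDRequest
# "Terminate" round trip between an IdP and an SP, standard library only.
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

NS = {
    "SOAP-ENV": "http://schemas.xmlsoap.org/soap/envelope/",
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
PERSISTENT = "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
STATUS_SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
STATUS_REQUESTER = "urn:oasis:names:tc:SAML:2.0:status:Requester"

for _prefix, _uri in NS.items():
    ET.register_namespace(_prefix, _uri)

# Constructed entity IDs for the example; real ones come from SAML metadata.
IDP = "https://idp.example.test/nidp/saml2/metadata"
SP = "https://sp.example.test/saml2/metadata"


def _q(prefix, tag):
    return "{%s}%s" % (NS[prefix], tag)


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_terminate_request(idp_entity_id, sp_entity_id, name_id):
    """IdP side: SOAP-wrapped ManageNameIDRequest carrying <Terminate/>."""
    env = ET.Element(_q("SOAP-ENV", "Envelope"))
    body = ET.SubElement(env, _q("SOAP-ENV", "Body"))
    req = ET.SubElement(body, _q("samlp", "ManageNameIDRequest"), {
        "ID": "id" + uuid.uuid4().hex, "Version": "2.0", "IssueInstant": _now()})
    ET.SubElement(req, _q("saml", "Issuer")).text = idp_entity_id
    nid = ET.SubElement(req, _q("saml", "NameID"), {
        "Format": PERSISTENT,
        "NameQualifier": idp_entity_id,
        "SPNameQualifier": sp_entity_id})
    nid.text = name_id
    ET.SubElement(req, _q("samlp", "Terminate"))  # unlink (vs. NewID = rename)
    return ET.tostring(env, encoding="unicode")


def build_response(in_response_to, issuer, status_code):
    """SOAP-wrapped ManageNameIDResponse with a top-level StatusCode."""
    env = ET.Element(_q("SOAP-ENV", "Envelope"))
    body = ET.SubElement(env, _q("SOAP-ENV", "Body"))
    resp = ET.SubElement(body, _q("samlp", "ManageNameIDResponse"), {
        "ID": "id" + uuid.uuid4().hex, "Version": "2.0",
        "IssueInstant": _now(), "InResponseTo": in_response_to})
    ET.SubElement(resp, _q("saml", "Issuer")).text = issuer
    status = ET.SubElement(resp, _q("samlp", "Status"))
    ET.SubElement(status, _q("samlp", "StatusCode"), {"Value": status_code})
    return ET.tostring(env, encoding="unicode")


def handle_manage_nameid(soap_xml, sp_entity_id, trusted_idp, account_links):
    """SP side. account_links maps persistent NameID -> local user name.
    Returns (status_code, response_xml). The request's XML signature (or the
    IdP's TLS client certificate on the SOAP channel) must already have been
    verified before this function is reached; that check is not shown here."""
    root = ET.fromstring(soap_xml)
    req = root.find("SOAP-ENV:Body/samlp:ManageNameIDRequest", NS)
    if req is None:
        return STATUS_REQUESTER, build_response("", sp_entity_id, STATUS_REQUESTER)
    nid = req.find("saml:NameID", NS)
    valid = (
        req.findtext("saml:Issuer", namespaces=NS) == trusted_idp
        and nid is not None
        and nid.get("Format") == PERSISTENT
        and nid.get("SPNameQualifier") == sp_entity_id
        and req.find("samlp:Terminate", NS) is not None
        and nid.text in account_links
    )
    status = STATUS_REQUESTER
    if valid:
        del account_links[nid.text]  # the de-federation itself
        status = STATUS_SUCCESS
    return status, build_response(req.get("ID"), sp_entity_id, status)


def demo():
    """A valid Terminate unlinks the account; the same request from an
    untrusted issuer gets a Requester status and changes nothing."""
    links = {"a1b2c3d4e5f6": "alice"}  # constructed NameID -> local user
    req = build_terminate_request(IDP, SP, "a1b2c3d4e5f6")
    status, resp = handle_manage_nameid(req, SP, IDP, links)
    req_id = ET.fromstring(req).find(
        "SOAP-ENV:Body/samlp:ManageNameIDRequest", NS).get("ID")
    resp_el = ET.fromstring(resp).find(
        "SOAP-ENV:Body/samlp:ManageNameIDResponse", NS)
    links2 = {"a1b2c3d4e5f6": "alice"}
    status2, _ = handle_manage_nameid(
        build_terminate_request("https://rogue.example.test", SP, "a1b2c3d4e5f6"),
        SP, IDP, links2)
    return {
        "status": status, "links_after": links,
        "in_response_to_matches": resp_el.get("InResponseTo") == req_id,
        "rogue_status": status2, "rogue_links_after": links2,
    }


if __name__ == "__main__":
    print(demo())
```

    The checks in handle_manage_nameid are the ones that matter on the receiving side: an unsigned or mis-issued ManageNameIDRequest reaching this endpoint would otherwise let anyone sever a user's federation, so the issuer and qualifier checks here only complement, never replace, signature or transport authentication of the IDP.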

  • In the real world, it is extremely unlikely you will encounter an SP that uses Persistent NameID as it is meant to be used, so this feature is not really useful. If you're doing "normal" federation to SaaS apps, then you really wouldn't want to do this even if the app supported the ManageNameIDRequest endpoint... which none of them do.