Identify supports a feature called Interceptor, which allows it to map one login to multiple user accounts stored in the same user store – this works equally well in regard to authentication (IdP) and applications (RP).
We believe this feature to be unique among existing federation solutions, and possibly among identity management solutions in general, which is quite surprising given that – in our experience – virtually all directory services include at least a few physical users who use more than one user account.
Although most Identity and Access Management solutions are built on the notion that each physical user is represented by just one user account, the reality more often proves much more complex. There are many cases in which the management of data, access, and rights demands that the same user needs to be represented by multiple user accounts. A common example is when a physical user is represented by multiple Active Directory accounts for security and/or compliance reasons.
The new feature in Safewhere*Identify makes it possible to work seamlessly with Active Directory (that is, to authenticate using the same set of credentials) even when the user has multiple Active Directory accounts. When a user has been successfully authenticated, Safewhere*Identify looks up all the accounts that belong to that user. If more than one account exists, Safewhere*Identify interactively prompts the user to choose the correct account for the given context. This makes it possible to maintain single sign-on across multiple user identities even when those identities exist in the same user store.
But the interactive user profile selection applies to much more than just Active Directory. It applies to all types of authentication and protocol connections and represents a unique and important capability for supporting an easy transition to the world of federation.
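The decision flow described above, written out as an added illustration (this is not Safewhere*Identify code or its interceptor API): after a successful login, every account linked to the same physical user is looked up; a single account continues the flow, several accounts produce a choice list, and the chosen account is accepted only if it was actually offered. The `employee_id` linking attribute and the sample accounts are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Account:
    sam_account_name: str
    employee_id: str   # assumed attribute that ties one physical user's accounts together
    description: str

# Constructed sample user store: "jdoe" and "jdoe-adm" belong to one physical user.
USER_STORE = [
    Account("jdoe", "1001", "Standard user account"),
    Account("jdoe-adm", "1001", "Privileged admin account"),
    Account("asmith", "1002", "Standard user account"),
]

def linked_accounts(authenticated_sam: str, store=USER_STORE) -> List[Account]:
    """All accounts of the physical user who just authenticated, the
    authenticated account first, then the others linked to it."""
    me = next((a for a in store if a.sam_account_name == authenticated_sam), None)
    if me is None:
        raise LookupError(f"no account named {authenticated_sam!r} in the store")
    others = [a for a in store if a.employee_id == me.employee_id and a is not me]
    return [me, *others]

def intercept(authenticated_sam: str, store=USER_STORE) -> Tuple[str, object]:
    """Return ("continue", account) when the login maps to one account, or
    ("choose", accounts) when the user must pick the account for this context."""
    accounts = linked_accounts(authenticated_sam, store)
    if len(accounts) == 1:
        return "continue", accounts[0]
    return "choose", accounts

def complete_selection(offered: List[Account], chosen_sam: str) -> Optional[Account]:
    """Accept the user's choice only if it is one of the accounts that were
    offered for this login, so a tampered form value cannot move the session
    to an account the authenticated user was never linked to."""
    for account in offered:
        if account.sam_account_name == chosen_sam:
            return account
    return None
```

The check in `complete_selection` is the part worth keeping in any custom interceptor: the offered list should be bound to the authenticated session, not rebuilt from the posted value.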
The general settings are:
- Intercept login flow: Select this option to enable the interceptor for the connection.
- Name of the main view which the interceptor should use: Enter the view to use; if left empty, Identify uses the default viewProfileList.cshtml.
- Interceptor type name: Specify the external DLL name used for the interceptor.
- Interceptor's dependency type: Specify a dependency type; which one is required depends on the customer's DLL.
- Additional settings: Specify key/value pairs; which keys are required depends on the customer's DLL.
An example of configuring the interceptor for the Facebook plugin and the AD Provider user can be found here. The sample external DLL must be copied to the runtime/bin folder of the tenant under test, after which IIS must be restarted.