Identity Mapping in OpenID Connect

From Release 12.8.05, Identity Mapping in OpenID Connect lets you authenticate users with one user directory and authorize them with another user directory. The user claims are returned from the user directory that authorizes the user.

How Identity Mapping Works
Consider that you have an environment with the following user directories:
User Directory    User Attributes
UD1               mail, cn
UD2               uid, telephoneNumber, ou
Assume that UD1 is configured as the authentication user directory in the realm that protects the Authentication URL. Without Identity Mapping, UD1 must also be configured as the authorization user directory in the Authorization Provider, and the user claims are generated from UD1. With Identity Mapping, UD2 can be configured as the authorization user directory in the Authorization Provider while UD1 remains the authentication user directory, so the user claims are retrieved from UD2 instead of UD1.
See also: Identity Mapping in Federation Partnerships.
Enable Identity Mapping in OpenID Connect
You can enable the feature in the Administrative UI. To enable Identity Mapping at the Authorization Provider, perform the following steps in the Administrative UI:
Note: For complete information about configuring an authorization provider, see Authorization Provider Dialog.
  1. Create an Authentication - Authorization identity mapping entry. For information about configuring an Authentication - Authorization mapping, see Identity Mappings Configuration.
  2. In the Authorization Provider dialog, move the directories that you want to use for authorization into Selected Directories and select the Enable Identity Mapping option.
     The Authorization Identity Mapping drop-down list auto-populates with the authentication-authorization identity mappings whose authorization (target) directory is one of the selected directories. The list is displayed only if at least one selected authorization directory matches the target directory of an existing identity mapping; a mapping is never offered on the basis of its authentication directory.
     For example, consider an environment with user directories UD1, UD2, UD3, UD4, UD5, and UD6, and the following authentication-authorization identity mapping entries between those directories in an identity mapping object:
     Identity Mapping Name    Authentication Directory    Authorization Directory
     IM1                      UD1                         UD2
     IM2                      UD3                         UD4
     IM3                      UD3                         UD5
     IM4                      UD6                         UD4
     1. If only UD2 is selected as the authorization directory in the Authorization Provider configuration, Authorization Identity Mapping displays IM1. Users who authenticate with UD1 are authorized with UD2.
     2. If only UD5 is selected as the authorization directory in the Authorization Provider configuration, Authorization Identity Mapping displays IM3. Users who authenticate with UD3 are authorized with UD5.
     3. If only UD4 is selected as the authorization directory in the Authorization Provider configuration, Authorization Identity Mapping displays IM2 and IM4. Both mappings authorize with UD4; they differ in the authentication directory. Selecting IM2 authorizes users who authenticate with UD3, and selecting IM4 authorizes users who authenticate with UD6.
     4. If UD2 and UD4 are selected as the authorization directories in the Authorization Provider configuration, Authorization Identity Mapping displays IM1, IM2, and IM4. The selected mapping determines which authentication directory is paired with which authorization directory.
     5. If none of UD2, UD4, and UD5 is selected as an authorization directory in the Authorization Provider configuration, Authorization Identity Mapping displays no values, because no mapping targets any of the selected directories.
  3. Select an identity mapping from the Authorization Identity Mapping drop-down list.
     If you change the list of selected authorization directories in the Authorization Provider configuration, select the Refresh icon beside Selected Directories to retrieve and view the corresponding list of identity mappings.
  4. In the Claims Mapping section of the Authorization Provider configuration, configure the user claims with attributes of the authorization directory (UD2 attributes in the example above). The claims are built from the authorization directory, not from the authentication directory, so attributes that exist only in UD1 are not available as claims.
  5. Complete the rest of the fields that are required for configuring the Authorization Provider.
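The following Python block is an added example, not SiteMinder product code, that models the two behaviours described in the procedure above: which mappings the Authorization Identity Mapping list offers for a given set of selected authorization directories (checked against the five cases in step 2), and where the user claims come from once a mapping is in use. The directory contents, the attribute that links a UD1 entry to its UD2 entry (here UD1 mail matched against UD2 uid), and the claim attribute names are constructed assumptions; the real link attributes come from the Identity Mappings Configuration referenced in step 1.

```python
"""Added example, not SiteMinder product code. Models the drop-down rule and
the claim source for Identity Mapping in OpenID Connect. Directory contents,
the UD1-to-UD2 link attribute and the claim attribute names are assumptions."""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class IdentityMapping:
    name: str
    authn_dir: str  # directory the user authenticates against
    authz_dir: str  # directory that authorizes the user and supplies claims


# The four Authentication - Authorization mapping entries from the page's example.
MAPPINGS = (
    IdentityMapping("IM1", "UD1", "UD2"),
    IdentityMapping("IM2", "UD3", "UD4"),
    IdentityMapping("IM3", "UD3", "UD5"),
    IdentityMapping("IM4", "UD6", "UD4"),
)


def available_mappings(selected_authz_dirs: Iterable[str],
                       mappings=MAPPINGS) -> list:
    """Mirror the drop-down rule: a mapping is listed only when its
    authorization (target) directory is one of the selected directories.
    A mapping is never listed because of its authentication directory, so
    selecting UD1, UD3 or UD6 alone yields an empty list."""
    selected = set(selected_authz_dirs)
    return [m.name for m in mappings if m.authz_dir in selected]


# Constructed directory contents (assumption). UD1 holds mail and cn,
# UD2 holds uid, telephoneNumber and ou, as in the page's table.
UD1 = {
    "alice": {"mail": "alice@example.com", "cn": "Alice Doe"},
    "bob":   {"mail": "bob@example.com",   "cn": "Bob Roe"},
}
UD2 = [
    {"uid": "alice@example.com", "telephoneNumber": "+1 555 0100", "ou": "engineering"},
    {"uid": "carol@example.com", "telephoneNumber": "+1 555 0101", "ou": "finance"},
]


def resolve_claims(authn_user: str,
                   link_src_attr: str = "mail",
                   link_dst_attr: str = "uid",
                   claim_attrs: Iterable[str] = ("uid", "ou", "telephoneNumber")
                   ) -> Optional[dict]:
    """Authenticate the user in UD1, locate the linked entry in UD2 and build
    the claims from UD2 only. The link (UD1.mail == UD2.uid) is an assumption
    standing in for whatever the Identity Mappings Configuration specifies.
    Returns None when the authenticated user has no single matching UD2 entry:
    the user is authenticated but cannot be authorized, so no claims are
    produced and the caller must not fall back to UD1 attributes."""
    authn_entry = UD1.get(authn_user)
    if authn_entry is None:
        return None  # authentication failed
    link_value = authn_entry[link_src_attr]
    matches = [e for e in UD2 if e.get(link_dst_attr) == link_value]
    if len(matches) != 1:
        return None  # zero or ambiguous matches: refuse rather than guess
    authz_entry = matches[0]
    return {attr: authz_entry[attr] for attr in claim_attrs if attr in authz_entry}


if __name__ == "__main__":
    for dirs in (["UD2"], ["UD5"], ["UD4"], ["UD2", "UD4"], ["UD1", "UD3", "UD6"]):
        print(dirs, "->", available_mappings(dirs))
    print("alice ->", resolve_claims("alice"))
    print("bob   ->", resolve_claims("bob"))
```

The refusal on zero or multiple matches is the practitioner's check to keep: a user who authenticates in UD1 but has no unique counterpart in UD2 should receive no token rather than one built from UD1 attributes, which is exactly the behaviour Identity Mapping replaces.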