Local Account ID Mapping Interface

Generally, implementing the Local Account ID Mapping interface assumes that your web application/service is able to resolve a list of local account IDs sent by IdP to local account login names and send them back to IdP.

In particular, your web application/service must be able to do the following:


Possible scenario

For instance, the SP stores IDs and login names of its accounts in a database. Additionally, the SP has a service that resolves the IDs to login names. Then, local account IDs mapping via the interface is performed according to the following scheme:

  1. IdP sends an HTTPS POST request packet to the service. The packet body contains a list of local account IDs.
  2. The service retrieves the list and resolves each ID to a login name.
  3. The service sends the list of login names back in the response packet body.

Control is then passed back to the SP, which listens on its interfaces for packets from IdP.


Interface endpoint

The service mentioned in the previous paragraph must accept HTTPS POST packets sent to a specific URL. This URL is specified when the SP is registered in IdP (the name_mapping_url parameter); for instance, it can be SP_BASE_API_URL/mapping. This may require reconfiguring the HTTP server that manages your web application/service. For details on registration parameters, refer to the IdP Interfaces > Back Channel Interfaces > Configuration of SP in IdP Interface > Registering SP in IdP section of the Specification.

Note: It is recommended to accept only packets that present a valid IdP certificate; that is, configure the endpoint to require a client certificate and reject any request whose certificate does not verify.

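The scenario above and the endpoint note, as an added PHP example that is not the SDK's name_mapper.php: a handler for SP_BASE_API_URL/mapping that rejects requests without a verified client certificate, resolves the posted IDs against a constructed account table, and answers with the login names. The wire format (a JSON array in, a JSON object out) and the mod_ssl SSL_CLIENT_VERIFY variable are assumptions; the Specification defines the real body format.

```php
<?php
// Added example, not the SDK's name_mapper.php. ASSUMPTIONS (not on this page):
// the IdP posts a JSON array of local account IDs and expects a JSON object
// {"<id>": "<login>"} back; the web server terminates TLS with client
// certificate verification and exposes the result in $_SERVER['SSL_CLIENT_VERIFY'].

// Constructed sample of the SP's account store; a real SP would query its database.
const ACCOUNTS = [
    '1001' => 'alice',
    '1002' => 'bob',
    '1003' => 'carol',
];

// Resolve each local account ID to its login name. Unknown IDs map to null
// rather than being dropped, so the IdP can tell "no such account" from a
// truncated answer.
function resolve_ids(array $ids): array
{
    $result = [];
    foreach ($ids as $id) {
        $key = (string) $id;
        $result[$key] = ACCOUNTS[$key] ?? null;
    }
    return $result;
}

function fail(int $status, string $msg): void
{
    http_response_code($status);
    header('Content-Type: text/plain');
    echo $msg;
    exit;
}

// Only the IdP may call this endpoint: require a client certificate that the
// web server verified against the IdP's CA (the recommendation in the note above).
if (($_SERVER['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
    fail(403, 'verified IdP client certificate required');
}
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    fail(405, 'POST only');
}

$ids = json_decode(file_get_contents('php://input'), true);
if (!is_array($ids) || $ids !== array_filter($ids, 'is_scalar')) {
    fail(400, 'expected a JSON array of scalar account IDs');
}

header('Content-Type: application/json');
echo json_encode(resolve_ids($ids));
```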

Source code

The source code that illustrates the interface implementation is stored in <APS-Identity-SDK-directory>/src/examples/auth/name_mapper.php.

For step-by-step commented source code of name_mapper.php, refer to the Sample section.