Generally, implementing the Local Account ID Mapping interface assumes that your web application/service can resolve a list of local account IDs sent by the IdP to local account login names and send them back to the IdP.
Specifically, your web application/service must be able to do the following:
For instance, suppose the SP stores the IDs and login names of its accounts in a database, and additionally runs a service that resolves those IDs to login names. Local account ID mapping via the interface then proceeds according to the following scheme:
Control is then passed back to the SP, which listens on its interfaces for packets from the IdP.
The service mentioned in the previous paragraph must accept HTTPS POST packets sent to a specific URL. This URL is specified when the SP is registered in the IdP (the name_mapping_url parameter); for instance, it can be /mapping. This may require reconfiguring the HTTP server that manages your web application/service. For details on registration parameters, refer to the IdP Interfaces > Back Channel Interfaces > Configuration of SP in IdP Interface > Registering SP in IdP section of the Specification.
Note: It is recommended to accept only packets that have a valid IdP certificate.
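The scheme above, as an added example that is not part of the original documentation or of the name_mapper.php sample: a small SP-side mapping service that listens for HTTPS POSTs on the registered name_mapping_url, accepts only connections presenting a client certificate that chains to the IdP CA, resolves the received IDs against a constructed in-memory account table, and returns the login names. The packet format (a JSON object with an "ids" list, answered with "mapping" and "unknown"), the /mapping path, the account data, and the certificate file names are assumptions, since the Specification section describing the real packet layout is not reproduced here.

```python
import json
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical path the SP registered as name_mapping_url in the IdP.
MAPPING_PATH = "/mapping"

# Constructed stand-in for the SP's account database (id -> login name).
ACCOUNT_DB = {
    "1001": "alice",
    "1002": "bob",
    "1003": "carol",
}


def resolve_ids(ids, db=ACCOUNT_DB):
    """Resolve a list of local account IDs to login names.

    Returns (mapping, unknown): a dict id -> login for IDs the SP knows,
    and a list of IDs it does not. Unknown IDs are reported rather than
    guessed so the IdP never receives a login name for a non-existent account.
    """
    mapping = {}
    unknown = []
    for account_id in ids:
        key = str(account_id)
        login = db.get(key)
        if login is None:
            unknown.append(key)
        else:
            mapping[key] = login
    return mapping, unknown


def handle_mapping_request(method, path, body, client_cert_ok, db=ACCOUNT_DB):
    """Pure request handler; returns (http_status, response_dict).

    Assumed packet format (not taken from the Specification):
    request  {"ids": ["1001", "1002", ...]}
    reply    {"mapping": {id: login, ...}, "unknown": [id, ...]}
    """
    if not client_cert_ok:
        # Only packets that presented a valid IdP certificate are accepted.
        return 403, {"error": "client certificate required"}
    if method != "POST":
        return 405, {"error": "POST only"}
    if path != MAPPING_PATH:
        return 404, {"error": "unknown path"}
    try:
        payload = json.loads(body)
        ids = payload["ids"]
        if not isinstance(ids, list):
            raise ValueError("ids must be a list")
    except (ValueError, KeyError, TypeError) as exc:
        return 400, {"error": f"malformed request: {exc}"}
    mapping, unknown = resolve_ids(ids, db)
    return 200, {"mapping": mapping, "unknown": unknown}


class MappingHandler(BaseHTTPRequestHandler):
    """Adapter from http.server to handle_mapping_request."""

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        # With verify_mode = CERT_REQUIRED the TLS handshake has already
        # rejected peers whose certificate does not chain to the IdP CA, so
        # a non-empty peer certificate here means the IdP was authenticated.
        getpeercert = getattr(self.connection, "getpeercert", lambda: None)
        cert_ok = bool(getpeercert())
        status, reply = handle_mapping_request("POST", self.path, body, cert_ok)
        data = json.dumps(reply).encode("utf-8")
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)


def serve(certfile, keyfile, idp_cafile, port=8443):
    """Listen for HTTPS POSTs from the IdP, requiring a client certificate
    that chains to idp_cafile. File names are hypothetical."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=idp_cafile)
    httpd = HTTPServer(("0.0.0.0", port), MappingHandler)
    httpd.socket = ctx.wrap_socket(httpd.socket, server_side=True)
    httpd.serve_forever()


if __name__ == "__main__":
    serve("sp.crt", "sp.key", "idp-ca.pem")
```

The resolution logic is kept separate from the HTTP plumbing so it can be exercised without a socket, and the certificate check is enforced at the TLS layer (CERT_REQUIRED against the IdP CA only) rather than by inspecting headers, which is the part a reverse proxy in front of the web application would otherwise have to provide.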
The source code that illustrates the interface implementation is stored in
For step-by-step commented source code of name_mapper.php, refer to the Sample section.