Local Account Registration in IdP

A user must send account credentials to IdP to authenticate. If a user enters credentials for a local account, and the credentials are valid, IdP automatically creates a resource corresponding to that local account. This process is called local account registration in IdP, and the created resource is called a local account resource. A local account resource is also created when a delegation rule is added for a local account. IdP uses local account resources in further operations. For details on delegation rules, see the Delegation Rules Management Interface section.

Typically, an SP should update or remove the resource when it changes the ID of the corresponding local account or removes the local account from its database. A local account resource can be changed or removed with HTTP methods.

All local account resources can be divided into two groups: resources created by adding a delegation rule, and resources created on user authentication. Local account resources in the first group are permanently stored in the IdP database; they are removed only when the corresponding delegation rule is removed. Resources in the second group are stored temporarily in the IdP database; IdP removes such a resource when the user logs off the corresponding local account.

Each local account resource has a specific format defined in the Appendix. The resource name is props; it contains only the account_id parameter, which stores the local account ID. An SP can change the account_id value or remove the local account resource.

IdP retrieves the account_id value from the <NameID> element of the <AuthnRequest> message sent by the SP. For details on authentication requests, refer to section 3.4 Authentication Request Protocol of the SAML Specification. The account ID can also be set by the SP via the Delegation Rules Management interface; this case is not considered here because the interface is not documented.

Local account resource URL: <IDP_API_BASE_URL>/sp/<sp_id>/accounts/<account_id>/props

The sp_id is the SP identifier assigned by IdP when the SP is registered in IdP. For details on the registration process, refer to the Registering Sp in IdP section.

The account_id is defined by the value of the saml:NameID element nested inside the authentication request message. For details, refer to section 2.2.3 Element <NameID> of the SAML Specification.
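The following added example (not part of this documentation or of the IdP product) shows the SP side of the two steps described above: reading the saml:NameID value out of an AuthnRequest message and building the local account resource URL from <IDP_API_BASE_URL>, sp_id and account_id. Because the NameID value becomes a URL path segment, the example percent-encodes it and rejects values that would collapse into a different path, so an attacker-chosen account ID cannot point the SP at another SP's or account's resource. The AuthnRequest text, the base URL and the sp_id are constructed sample values; the PUT body format ({"account_id": ...} as JSON) and the use of PUT and DELETE are assumptions, since this page only says the resource is changed or removed "with HTTP methods" and defers the format to the Appendix.

```python
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

# SAML 2.0 namespaces from the specification (real values, not assumptions).
NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}

# Constructed sample AuthnRequest. The NameID value deliberately contains
# path separators to show that it must not be spliced into a URL verbatim.
SAMPLE_AUTHN_REQUEST = """<samlp:AuthnRequest
    xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed-request-id" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://sp.example.test/metadata</saml:Issuer>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified">alice/../admin</saml:NameID>
  </saml:Subject>
</samlp:AuthnRequest>"""


def extract_name_id(authn_request_xml: str) -> str:
    """Return the saml:NameID text of an AuthnRequest (section 2.2.3 of the SAML spec)."""
    root = ET.fromstring(authn_request_xml)
    name_id = root.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise ValueError("AuthnRequest carries no usable NameID")
    return name_id.text.strip()


def local_account_resource_url(base_url: str, sp_id: str, account_id: str) -> str:
    """Build <IDP_API_BASE_URL>/sp/<sp_id>/accounts/<account_id>/props safely.

    Every variable part is encoded as a single path segment (safe="" also
    encodes "/"), and segments that would be interpreted as "." or ".." are
    refused so the resulting URL always names exactly one resource under
    the SP's own prefix.
    """
    for name, value in (("sp_id", sp_id), ("account_id", account_id)):
        if not value or value in (".", ".."):
            raise ValueError(f"{name} is empty or not a valid path segment")
    sp_seg = urllib.parse.quote(sp_id, safe="")
    acct_seg = urllib.parse.quote(account_id, safe="")
    return f"{base_url.rstrip('/')}/sp/{sp_seg}/accounts/{acct_seg}/props"


def update_request(base_url: str, sp_id: str, old_account_id: str,
                   new_account_id: str) -> urllib.request.Request:
    """PUT the props resource with a new account_id (method and JSON body are assumed)."""
    url = local_account_resource_url(base_url, sp_id, old_account_id)
    body = json.dumps({"account_id": new_account_id}).encode("utf-8")
    return urllib.request.Request(
        url, data=body, method="PUT",
        headers={"Content-Type": "application/json"},
    )


def delete_request(base_url: str, sp_id: str, account_id: str) -> urllib.request.Request:
    """DELETE the props resource when the SP removes the local account (method assumed)."""
    url = local_account_resource_url(base_url, sp_id, account_id)
    return urllib.request.Request(url, method="DELETE")


if __name__ == "__main__":
    # Assumed base URL and SP identifier; nothing is sent on the network here.
    base, sp = "https://idp.example.test/api", "sp-123"
    nid = extract_name_id(SAMPLE_AUTHN_REQUEST)
    print("NameID:", nid)
    print("resource:", local_account_resource_url(base, sp, nid))
    print("update:", update_request(base, sp, nid, "alice").get_method())
    print("delete:", delete_request(base, sp, nid).get_method())
```

The requests are only constructed, not sent; an SP would pass them to urllib.request.urlopen (or its HTTP client of choice) with whatever credentials IdP expects for the API. Note that the IdP side still has to treat a percent-encoded "/" as data rather than as a path separator; if that is not guaranteed, rejecting account IDs that contain "/" outright is the safer policy.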

In this chapter:

Updating Local Account Resource

Removing Local Account Resource