Linked users
Linked users are users in different tenants that all emit the same unique identifier in the sub claim. The concept is used when you want to treat several users as a single person, no matter which tenant the user who signs in belongs to. Because the sub value is identical for all of them, an application that needs to know which tenant the user signed in to must take that from the tenant context of the sign-in, not from sub alone.
Imagine an organisation whose primary customers are private persons (consumers). Some of these users also need to verify that they belong to an organisation in order to get access to specific applications or services that are oriented towards organisations rather than consumers. Even when such users sign in to an organisation, they still want to be able to get data about themselves in their ordinary consumer role. An example is a sports club where a private person buys tickets and does other interactions in their consumer role, but some of those people also sponsor the club through their company. As a sponsor the user may be entitled to special applications or services that only sponsors are allowed to use. In this situation the user must be able to prove that they belong to the sponsoring organisation, but it is likely that the user also wants easy access to their tickets and other information belonging to their private person profile. This is the kind of situation linked users help solve.
Linked users always see all sign-in alternatives for all their users, no matter which username was used to start the sign-in flow. If the same sign-in alternative exists on all of the users, they have to choose in which context (tenant) they want to sign in. This choice can be made automatically, for example when the application passes tenant information.
Sign-in flow for linked users
For linked users it is likely that only one of them has access to the module the user is signing in to. Authway tries to automatically pick the user that has access, and also tries to switch user if the user is already signed in as the one without access. The following rules are applied during sign-in:
- Sign-in alternatives are limited to the users that have access to the module.
- If no user (with the supplied username) has access to the module, the sign-in flow continues until the "access is missing" page is displayed (which leaves the possibility to change username).
Limitations of linked users
Linked users come with the following limitations (or rules):
- The users that are linked must belong to different tenants.
- If a linked user is created with the same credentials as its parent, all credential changes (for example a password reset) are applied to both accounts.
- It is not possible to link users in hierarchies; a link is always between a parent user and a linked user.
- The parent user cannot be deleted until all of its linked users have been deleted.
- System users (external systems) cannot be used in linking.
- If a sign-in matches two users in the same tenant, the sign-in is always done with the one whose username matches the supplied username. For example, a person may have a user with the same username (their private address) in both the Private persons tenant and the Company A tenant, and in addition a second user in Company A, with their company address as username, that is linked to the Private persons user. The scenario also requires that exactly the same password is used on all three users. When signing in to Company A with the private address, the service matches two users in that tenant (the unlinked Company A user directly, and the linked company-address user through the Private persons user). To select which one to actually sign in, a new match on the username is performed, so the Company A user with the private address as username wins.
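The sign-in rules above (alternatives limited to users with module access, "access missing" when none has it, automatic switch to the linked user that has access, and the same-tenant username tie-break from the last limitation) are easiest to reason about as a resolver over a small user directory. The following is an added illustration written for this page; it is not Authway's code and makes no claim about how Authway stores users. The User/Outcome types, the resolve_sign_in function, the module names and the three sample users are constructed for the example.

```python
"""Model of the linked-user sign-in rules described on this page.

Illustrative reimplementation, not Authway code. Linked users in different
tenants share one `sub`; an unlinked user has its own `sub`.
"""
import hashlib
import hmac
from dataclasses import dataclass


def _digest(password: str) -> bytes:
    # Toy password hash for the model only; a real store uses a slow, salted KDF.
    return hashlib.sha256(password.encode()).digest()


@dataclass(frozen=True)
class User:
    username: str
    tenant: str
    sub: str                 # linked users share one sub, the stable subject identifier
    secret: bytes            # hash of the user's password (the sign-in alternative here)
    modules: frozenset       # modules this user has access to

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self.secret, _digest(password))


@dataclass(frozen=True)
class Outcome:
    status: str              # invalid_credentials | access_missing | choose_tenant | signed_in
    users: tuple             # the user(s) the flow ends with


def resolve_sign_in(directory, username, password, module, tenant=None):
    """Return the documented outcome for one sign-in attempt."""
    # The typed username selects one or more users across tenants ...
    by_name = [u for u in directory if u.username == username]
    # ... and every user linked to them (same sub) is a sign-in candidate too.
    subs = {u.sub for u in by_name}
    candidates = [u for u in directory if u.sub in subs]
    # Tenant information passed by the application settles the context automatically.
    if tenant is not None:
        candidates = [u for u in candidates if u.tenant == tenant]
    # Rule 1: alternatives are limited to users with access to the module.
    # Rule 2: if none has access, keep all alternatives so "access missing" can be shown.
    with_access = [u for u in candidates if module in u.modules]
    pool = with_access or candidates
    authenticated = [u for u in pool if u.check_password(password)]
    if not authenticated:
        return Outcome("invalid_credentials", ())
    if not with_access:
        return Outcome("access_missing", tuple(authenticated))
    # Same-tenant tie-break: prefer the user whose username matches the supplied one.
    chosen = []
    for t in sorted({u.tenant for u in authenticated}):
        group = [u for u in authenticated if u.tenant == t]
        if len(group) > 1:
            group = [u for u in group if u.username == username] or group
        chosen.extend(group)
    # One remaining user signs in; users left in several tenants means the person chooses.
    if len(chosen) == 1:
        return Outcome("signed_in", tuple(chosen))
    return Outcome("choose_tenant", tuple(chosen))


# Constructed sample directory reproducing the scenario from the last limitation:
# the private address exists in both tenants (unlinked), and a company-address
# user in Company A is linked to the Private persons user. Same password everywhere.
PASSWORD = "correct horse battery staple"
SAMPLE_DIRECTORY = (
    User("anna@example.com", "Private persons", "sub-anna",
         _digest(PASSWORD), frozenset({"tickets", "profile"})),
    User("anna@example.com", "Company A", "sub-anna-company-a",
         _digest(PASSWORD), frozenset({"sponsor-portal", "profile"})),
    User("anna@company-a.example", "Company A", "sub-anna",
         _digest(PASSWORD), frozenset({"sponsor-portal", "profile"})),
)


if __name__ == "__main__":
    # Two Company A users match; the one whose username equals the typed one wins.
    print(resolve_sign_in(SAMPLE_DIRECTORY, "anna@example.com", PASSWORD,
                          "sponsor-portal", tenant="Company A"))
    # Company address typed, but only the linked private user has the tickets module.
    print(resolve_sign_in(SAMPLE_DIRECTORY, "anna@company-a.example", PASSWORD, "tickets"))
```

Running the two calls at the bottom shows the tie-break picking the Company A user with the private address, and the automatic switch to the Private persons user when the company address is typed but only the private user has access to the module; a module no candidate has access to ends in access_missing, and a module both tenants can reach, with no tenant passed, ends in choose_tenant.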