In a SAML 2.0 Federation flow, once the Service Provider (SP) receives and validates a SAML Assertion from an Identity Provider (IdP), it must determine which local user account the assertion corresponds to. This is the role of the SAML2 Account Mapper.
According to the PingAM 8.0.2 documentation on "Federate Identities" and the "SAML 2.0 Reference":
The SP-side account mapper (specifically the SPAccountMapper interface or its scripted equivalent) is responsible for mapping the remote user (identified in the SAML assertion) to a local user profile in the SP's identity store.
This mapping can be achieved in several ways:
Account Linking: Finding an existing link between the NameID in the assertion and a local DN.
Attribute Matching: Using an attribute from the assertion (like mail) to search the local directory for a matching user.
Auto-Federation: If configured, creating a link or a new profile automatically based on the incoming data.
If the account mapper cannot find a corresponding local profile, the SP cannot create a local session, and the SSO process will fail, typically with a "User not found" or "Local identity not found" error. Thus, the purpose is strictly the identification of the local subject based on the remote assertion (Option D). Options A and B are incorrect because they describe aggregation or account merging, which are not the primary function of the SAML mapper. Option C describes "Attribute Mapping," which is a separate step (handled by the Attribute Mapper) that occurs after the identity has been successfully mapped.
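The three mapping strategies and the failure case described above, modeled as an added example that is not PingAM code and does not use the SPAccountMapper API: `mapAccount`, `links`, `localUsers` and the `config` fields are hypothetical names, and all data is constructed. In this model auto-federation only persists a link after an attribute match (it does not create new profiles), and an ambiguous attribute match is rejected instead of resolving to the first hit.

```javascript
// Constructed stand-in for the SP's identity store (not PingAM's data model).
const localUsers = [
  { dn: "uid=alice,ou=people,dc=example,dc=com", mail: "alice@example.com" },
  { dn: "uid=bob,ou=people,dc=example,dc=com", mail: "shared@example.com" },
  { dn: "uid=bob2,ou=people,dc=example,dc=com", mail: "shared@example.com" },
];

// Existing federation links: "<IdP entity ID>|<NameID>" -> local DN (constructed).
const links = new Map([
  ["https://idp.example.com|nameid-7f3a", "uid=alice,ou=people,dc=example,dc=com"],
]);

// Hypothetical mapper: returns { dn, method } for the local subject,
// or throws when the assertion cannot be tied to exactly one local profile.
function mapAccount(assertion, config) {
  // Scope the link key to the issuer so the same NameID from another IdP never matches.
  const key = `${assertion.issuer}|${assertion.nameId}`;

  // 1. Account linking: an existing NameID-to-DN link wins.
  if (links.has(key)) {
    return { dn: links.get(key), method: "account-link" };
  }

  // 2. Attribute matching: search the local store on one configured attribute.
  const attr = config.matchAttribute;
  const values = attr ? (assertion.attributes[attr] || []) : [];
  if (values.length > 0) {
    const hits = localUsers.filter((u) => u[attr] === values[0]);
    if (hits.length > 1) {
      // Picking the first hit would let a shared attribute value select an arbitrary account.
      throw new Error("Ambiguous local identity");
    }
    if (hits.length === 1) {
      // 3. Auto-federation (if configured): remember the link for the next login.
      if (config.autoFederate) links.set(key, hits[0].dn);
      return { dn: hits[0].dn, method: "attribute-match" };
    }
  }

  // No link and no match: the SP has no local subject, so no session is created.
  throw new Error("Local identity not found");
}
```
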