In the current configuration, SSO works on one attribute from the Payee table, for example NameID = email address for login purposes.
For logging in manually that works fine, but for SSO it is too limited.
As a company, we have an authorisation platform where SSO is currently enabled for ICM based on NameID = email address.
In order to have more flexibility and enable more of our internal stakeholders and business partners to use ICM, it would be a good investment (my opinion of course) to make SSO more flexible.
Example: we have a user of a business partner. He is in the Payee table and is able to log in manually.
We do not want SSO for him at the moment, since he can easily alter his email address and log in through SSO as a different partner. That is a big security risk, of course.
In the ICM Payee table we have a column that links the user to a Partner ID.
From the SSO application we are able to send not just the email address, but also the Partner ID (which the user cannot change).
For that to work with ICM, the SSO configuration should be changed to match on 2 attributes instead of 1: in this case NameID = email address and Partner ID = Partner ID.
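The following is an added illustration of the two-attribute match described above; it is not ICM code and does not use ICM's API. It assumes a hypothetical in-memory Payee table and an assertion attribute dictionary with the keys `NameID` and `PartnerID`, and contrasts the current single-attribute lookup with the proposed lookup that also requires the asserted Partner ID to match the payee's linked Partner ID.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Payee:
    email: str
    partner_id: str


# Constructed sample rows standing in for the ICM Payee table (not real data).
# Each payee is linked to exactly one Partner ID, which the IdP also asserts
# and which the user cannot change.
PAYEES = [
    Payee("alice@partner-a.example", "PARTNER-A"),
    Payee("bob@partner-b.example", "PARTNER-B"),
]


def resolve_by_nameid(attrs: dict) -> Optional[Payee]:
    """Current behaviour: the NameID (email address) is the only key."""
    email = attrs.get("NameID", "").lower()
    return next((p for p in PAYEES if p.email.lower() == email), None)


def resolve_by_nameid_and_partner(attrs: dict) -> Optional[Payee]:
    """Proposed behaviour: NameID and the asserted Partner ID must both match
    the same payee row; any mismatch or missing attribute yields no match,
    so the login is refused instead of falling back to the email alone."""
    email = attrs.get("NameID", "").lower()
    partner = attrs.get("PartnerID")
    if not email or not partner:
        return None
    return next((p for p in PAYEES
                 if p.email.lower() == email and p.partner_id == partner), None)


if __name__ == "__main__":
    # Constructed assertion: the Partner B user has changed the email address
    # in his SSO profile to the Partner A user's address, but the IdP still
    # asserts his own, unchangeable Partner ID.
    spoofed = {"NameID": "alice@partner-a.example", "PartnerID": "PARTNER-B"}
    print("one attribute :", resolve_by_nameid(spoofed))              # wrong payee
    print("two attributes:", resolve_by_nameid_and_partner(spoofed))  # refused
```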