GENI-NSF / geni-ch

GENI clearinghouse services

Support migrating accounts from GPO IdP to NCSA IdP #557

Closed tcmitchell closed 7 years ago

tcmitchell commented 7 years ago

Allow a GPO IdP user to swap their GENI account over to an NCSA-based account. Use their internal member id to link to the NCSA account instead of their GPO account. Use member attributes to hold a nonce that allows the user to log in via NCSA and then take over their GPO-based identity.

tcmitchell commented 7 years ago

I think we can do a swap of eppn (and email_address if it differs) between the two identities to make the switch. This will probably require a new endpoint on the MA customized for this purpose because both eppn and email_address are not allowed to change through the normal member_attribute code paths, and also because we want to do this swap as a single database transaction.
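
A sketch of the nonce-gated swap discussed in this thread, added here as an example and not taken from the geni-ch code base. The `member_attribute` table layout, the `migration_nonce` attribute name, the function names and the sample rows are assumptions, and SQLite stands in for the clearinghouse database.

```python
import hmac
import sqlite3

SWAP_FIELDS = ("eppn", "email_address")  # the two attributes named in the issue
NONCE_ATTR = "migration_nonce"           # hypothetical attribute name
DEMO_NONCE = "constructed-demo-nonce"    # constructed sample value

def attrs(conn, member_id):
    rows = conn.execute("SELECT name, value FROM member_attribute "
                        "WHERE member_id = ?", (member_id,))
    return dict(rows.fetchall())

def swap_identity(conn, gpo_id, ncsa_id, presented_nonce):
    """Swap eppn/email_address between two members atomically.
    Returns False, changing nothing, if the nonce is missing or wrong."""
    conn.execute("BEGIN IMMEDIATE")  # take the write lock before reading the nonce
    try:
        gpo, ncsa = attrs(conn, gpo_id), attrs(conn, ncsa_id)
        stored = gpo.get(NONCE_ATTR)
        if stored is None or not hmac.compare_digest(
                stored.encode(), presented_nonce.encode()):
            conn.rollback()
            return False
        update = ("UPDATE member_attribute SET value = ? "
                  "WHERE member_id = ? AND name = ?")
        for name in SWAP_FIELDS:
            if name in gpo and name in ncsa and gpo[name] != ncsa[name]:
                conn.execute(update, (ncsa[name], gpo_id, name))
                conn.execute(update, (gpo[name], ncsa_id, name))
        # The nonce is single use: remove it in the same transaction.
        conn.execute("DELETE FROM member_attribute WHERE member_id = ? "
                     "AND name = ?", (gpo_id, NONCE_ATTR))
        conn.commit()
        return True
    except Exception:
        conn.rollback()  # any failure leaves both identities untouched
        raise

def make_demo_db():
    """In-memory database with constructed rows for members 1 (GPO) and 2 (NCSA)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE member_attribute "
                 "(member_id INTEGER, name TEXT, value TEXT)")
    conn.executemany("INSERT INTO member_attribute VALUES (?, ?, ?)", [
        (1, "eppn", "alice@gpo.example"), (1, "email_address", "alice@example.org"),
        (1, NONCE_ATTR, DEMO_NONCE),
        (2, "eppn", "alice@ncsa.example"), (2, "email_address", "alice@example.org"),
    ])
    conn.commit()
    return conn
```

Because the nonce check, both updates and the nonce deletion share one transaction, a replayed or wrong nonce cannot leave the two identities half-swapped.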