Closed tcmitchell closed 7 years ago
I think we can do a swap of `eppn` (and `email_address` if it differs) between the two identities to make the switch. This will probably require a new endpoint on the MA customized for this purpose because both `eppn` and `email_address` are not allowed to change through the normal member_attribute code paths. And also because we want to do this swap as a single database transaction.
Allow a GPO IdP user to swap their GENI account over to an NCSA-based account. Use their internal member id to link to the NCSA account instead of their GPO account. Use member attributes to hold a nonce that allows the user to log in via NCSA and then take over their GPO-based identity.
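A sketch of the swap described above, added here as an illustration and not taken from the GENI member authority code. The table layout, the `swap_nonce` attribute name, and the member ids and addresses are assumptions constructed for the example. It shows the nonce check, the attribute swap and the nonce removal committing or rolling back as one transaction.

```python
import hmac
import secrets
import sqlite3

SWAP_ATTRS = ("eppn", "email_address")  # attributes named in the issue
NONCE_ATTR = "swap_nonce"               # hypothetical attribute name

def make_db():
    # Assumed schema: one row per (member, attribute). Autocommit mode so
    # the transaction boundaries below are explicit.
    db = sqlite3.connect(":memory:", isolation_level=None)
    db.execute("CREATE TABLE member_attribute (member_id TEXT, name TEXT,"
               " value TEXT, PRIMARY KEY (member_id, name))")
    return db

def get_attr(db, member_id, name):
    row = db.execute("SELECT value FROM member_attribute"
                     " WHERE member_id=? AND name=?", (member_id, name)).fetchone()
    return row[0] if row else None

def set_attr(db, member_id, name, value):
    db.execute("INSERT OR REPLACE INTO member_attribute VALUES (?,?,?)",
               (member_id, name, value))

def issue_nonce(db, gpo_member):
    # Issued while the user is authenticated through the GPO IdP.
    nonce = secrets.token_urlsafe(32)
    set_attr(db, gpo_member, NONCE_ATTR, nonce)
    return nonce

def swap_identities(db, gpo_member, ncsa_member, presented_nonce):
    # Called after the user has logged in via NCSA and presented the nonce.
    db.execute("BEGIN IMMEDIATE")
    try:
        stored = get_attr(db, gpo_member, NONCE_ATTR)
        if stored is None or not hmac.compare_digest(stored, presented_nonce):
            raise PermissionError("nonce missing or mismatched")
        for name in SWAP_ATTRS:
            a, b = get_attr(db, gpo_member, name), get_attr(db, ncsa_member, name)
            if a is None or b is None:
                raise LookupError(f"{name} missing on one identity")
            if a != b:
                set_attr(db, gpo_member, name, b)
                set_attr(db, ncsa_member, name, a)
        # Single use: the nonce is removed in the same transaction.
        db.execute("DELETE FROM member_attribute WHERE member_id=? AND name=?",
                   (gpo_member, NONCE_ATTR))
        db.execute("COMMIT")
    except Exception:
        db.execute("ROLLBACK")  # no half-swapped identity is ever visible
        raise
```

After a successful call the original member id carries the NCSA `eppn`, so everything keyed on that internal id follows the user to the new login.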