department-of-veterans-affairs / va.gov-team

Public resources for building on and in support of VA.gov. Visit complete Knowledge Hub:
https://depo-platform-documentation.scrollhelp.site/index.html

Create mockups for account creation process [placeholder] #81120

Open kristen101606 opened 5 months ago

kristen101606 commented 5 months ago

Note there is an ongoing discussion about whether we'll make a UI or have engineers manually add representative user OGC Registration Numbers for the pilot (see this Slack thread and the canvas). We are pausing this ticket until a decision has been made.

Tentative MVP login process description

To log into ARP, a user will have to first have or create an account with Login.gov or ID.me. Login.gov and ID.me both strenuously recommend that users do not create more than one account; they should use the same account for all services. However, it's likely possible for users to create a Login.gov/ID.me account tied to a work email just for ARP.

To use any of the functions of ARP, the user will need to have verified their identity with ID.me/Login.gov, which will give them IAL2/LOA3. If the user tries to log in without verifying their identity, ARP will display an error message e.g. "You'll need to verify your identity first".

To submit a 21a form, the user does not need to be an accredited representative. Any IAL2/LOA3 verified user can submit a 21a.

To accept or reject digital 21-22 requests or take any rep-related actions on behalf of veterans, the user does need to be an accredited representative. We're exploring using the email address OGC has on file as a second factor to verify who the user is in the accredited representative list. ID.me and Login.gov both support associating multiple email addresses with an account. To associate an email address with an ID.me/Login.gov account, you have to add it on ID.me/Login.gov, then click a verification link sent to that email address to verify that you have access to that email. When a user logs in, we can obtain all of the email addresses associated with their account from the Sign in Service.

If a user logs in who does not have the email on file with OGC associated with their Login.gov/ID.me account, we might display a message that says something like "You're successfully logged in. To enable features that only accredited representatives can access, you'll need to associate the email on file with the Office of General Counsel with your Login.gov/ID.me account. For ID.me, {insert instructions}. For Login.gov, {insert instructions}. If you don't know the email address you have on file, use Find a Rep to look it up (?)."

A few users (~7) appear to use a shared email inbox for their OGC email. We'll likely require that those users change their email to a unique address to log into ARP. In that case, if a user tries to log in with an email on file with OGC that is not unique, we'll display a message saying so.

If a user logs in with an LOA3/IAL2 Login.gov/ID.me account and one of the emails returned by the identity provider matches an email on file with OGC, we'll then need to check that they're allowed to accept/reject 21-22s. For the pilot, this will likely be a manually updated whitelist. If the user isn't on the whitelist, we could display a message saying something like "You're successfully logged in and we've verified that you're an accredited representative affiliated with the following orgs: {Org1} {Org2}. We're running a pilot to digitally submit 21-22 forms, so that representatives can get instant access to SEP. For questions or to request access, contact xxxx@va.gov."

Pilot user whitelisting

Output

Leads or Collaborators

Resources

Acceptance Criteria
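The gating sequence described in the comment above (IAL2/LOA3 check, OGC email match, shared-inbox rejection, pilot whitelist), written out as an added Ruby example; this is not ARP or vets-api code. The `claims` hash shape, the roster entries, the registration numbers and the whitelist contents are all constructed for illustration.

```ruby
require 'set'

# Constructed OGC roster: registration number => email on file and affiliated orgs
OGC_ROSTER = {
  '12345' => { email: 'jane.rep@vso-a.org', orgs: ['VSO A'] },
  '23456' => { email: 'shared@vso-b.org',   orgs: ['VSO B'] },
  '34567' => { email: 'shared@vso-b.org',   orgs: ['VSO B'] }, # same inbox as 23456
  '45678' => { email: 'sam.rep@vso-c.org',  orgs: ['VSO C', 'VSO D'] }
}.freeze

# The manually maintained pilot whitelist from the comment, keyed by registration number
PILOT_WHITELIST = Set['12345'].freeze

def normalize_email(email)
  email.to_s.strip.downcase
end

# claims is an assumed shape for what the Sign in Service returns:
#   { ial: 1 or 2, emails: [every email verified on the Login.gov/ID.me account] }
# Returns the gating outcome plus the data the proposed messages need (orgs, reg numbers).
def arp_access_decision(claims, roster: OGC_ROSTER, whitelist: PILOT_WHITELIST)
  # Step 1: nothing in ARP works without identity verification (IAL2 / LOA3)
  return { outcome: :not_verified } unless claims[:ial].to_i >= 2

  # Index the roster by normalized email; one email may map to several reps
  reps_by_email = Hash.new { |h, k| h[k] = [] }
  roster.each { |reg, rec| reps_by_email[normalize_email(rec[:email])] << reg }

  matched_emails = claims.fetch(:emails, []).map { |e| normalize_email(e) }
                         .select { |e| reps_by_email.key?(e) }
  # Step 2: no IdP email is on file with OGC, so prompt the user to associate it
  return { outcome: :no_ogc_match } if matched_emails.empty?

  # Step 3: a shared inbox cannot identify a single representative
  return { outcome: :shared_email } if matched_emails.any? { |e| reps_by_email[e].size > 1 }

  regs = matched_emails.flat_map { |e| reps_by_email[e] }.uniq
  orgs = regs.flat_map { |reg| roster[reg][:orgs] }.uniq

  # Step 4: accredited, but 21-22 actions are limited to the pilot whitelist
  outcome = regs.any? { |reg| whitelist.include?(reg) } ? :pilot_access : :not_in_pilot
  { outcome: outcome, registration_numbers: regs, orgs: orgs }
end
```

Each outcome maps to one of the messages proposed in the comment; the whitelist check only runs after the email match has pinned the login to exactly one representative.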

kristen101606 commented 4 months ago

See comments on this issue in this Slack thread.