ualbertalib / Hydranorth2

[deprecated] Sufia 7 based application

User Identity to be based on empl-id, not ccid #118

Closed pbinkley closed 5 years ago

pbinkley commented 7 years ago

From @pbinkley on March 10, 2016 22:57

After clarification from IST, Sandra reports that the user identity should be tracked by empl-id (which is never reassigned) rather than ccid (which will be withdrawn after some period of time and may be reassigned). Empl-id can be discovered via SAML. All ccids are associated with an empl-id (not just employees). So: empl-id should be retrieved, stored and used as the primary identifier for U of A users; ccids are just a means of authenticating to an empl-id.

In the future, we'll have to deal with situations like this: a grad student deposits a bunch of stuff to ERA, then leaves the university. Their CCID is reassigned. Years later they want access to their old account. They try to log in, but they can't. They click the "forgot my password" link; the notification goes to the current holder of that CCID. Eventually they get in touch with the ERA manager. We'll need policies around how they prove their identity, and then a process to associate their old empl-id with a new email address. It's not likely to happen soon, but eventually it will happen.

Copied from original issue: ualbertalib/HydraNorth#1015
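The design described in the comment above, as an added example that is not Hydranorth's own code: accounts are keyed on empl-id, the ccid is stored only as the current login handle, and a login that asserts no empl-id is rejected rather than falling back to ccid. The attribute names `empl_id` and `ccid`, the `AccountStore` class and the sample values are assumptions made for illustration; the attribute hash is taken to come from an already validated SAML assertion.

```ruby
# Added example: account resolution keyed on an immutable identifier.
# "empl_id" and "ccid" are assumed attribute names, not the real IdP's.
Account = Struct.new(:empl_id, :ccid, :deposits)

class MissingEmplId < StandardError; end

class AccountStore
  def initialize
    @by_empl_id = {}
  end

  # Resolve (or create) the account for a validated SAML attribute hash.
  def sign_in(attrs)
    empl_id = attrs["empl_id"].to_s.strip
    ccid    = attrs["ccid"].to_s.strip
    # No fallback to ccid: without empl-id the login has no stable owner.
    raise MissingEmplId, "no empl-id asserted for #{ccid.inspect}" if empl_id.empty?

    # A ccid now asserted with a different empl-id has been reassigned:
    # detach it so it no longer points at the previous holder's account.
    @by_empl_id.each_value do |acct|
      acct.ccid = nil if acct.ccid == ccid && acct.empl_id != empl_id
    end

    account = (@by_empl_id[empl_id] ||= Account.new(empl_id, nil, []))
    account.ccid = ccid # ccid is only the current login handle
    account
  end

  def find_by_ccid(ccid)
    @by_empl_id.values.find { |a| a.ccid == ccid }
  end
end

# Constructed scenario following the grad-student case in the issue.
def reassignment_demo
  store = AccountStore.new
  student = store.sign_in("empl_id" => "1000001", "ccid" => "jdoe")
  student.deposits << "thesis.pdf"
  newcomer  = store.sign_in("empl_id" => "2000002", "ccid" => "jdoe")  # ccid reassigned
  returning = store.sign_in("empl_id" => "1000001", "ccid" => "jdoe2") # same person, new ccid
  { newcomer: newcomer.deposits, returning: returning.deposits,
    jdoe_owner: store.find_by_ccid("jdoe").empl_id }
end
```

The new holder of the reassigned ccid gets an empty account, while the original depositor reaches their deposits under any ccid that maps to their empl-id.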

pbinkley commented 7 years ago

From @weiweishi on October 26, 2016 19:25

Need to clarify what is used for empl-id for generic CCID.

pbinkley commented 7 years ago

From @mbarnett on January 19, 2017 20:12

@murny we might as well fold this into what you're working on in Hydranorth2