Subject: NameID mgmt and account "merging"
I wouldn't exactly call this errata (more like an overlooked use case), but a question arose in our community over whether NameID mgmt was intended as a facility to support merging accounts when an IdP discovers that it has issued two accounts to the same physical person. At least in higher ed, this is a somewhat frequent occurrence because of the imprecision in identifying some kinds of students, particularly international ones. Of course this also can happen any time an IdP allows some kind of self-registration of low assurance identities, and in other cases.

Anyway, the question arose as to what an SP would do if an IdP sent it a ManageNameIDRequest in which the NewID value matched an existing identifier shared between the IdP and SP. Plausible reactions:

- This is an error.
- The old identifier and new identifier refer to the same principal and the SP could terminate and clean up the old identifier/link, merging other information or not at its discretion.
- Panic and terminate both identifiers.
- Others....

In my mind, a merge would be the sort of thing that is covered under the broad heading of "what the shared identifiers mean to the deployers", much like AllowCreate, and would be a deployment option for how to respond, but this seems like a potential interop issue that should be clarified, even if it precludes supporting the use case. My impression is that it was not the subject of any discussion in ID-FF.

-- Scott
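As an added illustration (not part of Scott's post, nor code from any SAML implementation), the following Python sketches the SP side of the situation described above: a ManageNameIDRequest whose NewID already maps to a different local account, with the response chosen by a deployment setting. The policy names, the in-memory link store and the sample request are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
# Constructed link store (assumption): (idp_entity_id, name_id) -> local account.
LINKS = {
    ("https://idp.example.edu", "persistent-aaa"): "acct-1",
    ("https://idp.example.edu", "persistent-bbb"): "acct-2",
}
# Constructed request: the IdP renames persistent-aaa to persistent-bbb, but
# persistent-bbb is already a live identifier shared with this SP.
REQUEST = f"""<samlp:ManageNameIDRequest xmlns:samlp="{SAMLP}" xmlns:saml="{SAML}"
    ID="_req1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.edu</saml:Issuer>
  <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent">persistent-aaa</saml:NameID>
  <samlp:NewID>persistent-bbb</samlp:NewID>
</samlp:ManageNameIDRequest>"""

def handle_manage_nameid(xml_text, links, collision_policy="error"):
    """Apply the request to a copy of `links`; return (status, new_links).
    collision_policy (assumed names) is the deployment choice when NewID already
    maps to a different local account: "error", "merge" or "terminate".
    Signature and replay checks are assumed to happen before this is called."""
    links = dict(links)
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP}}}ManageNameIDRequest":
        return "error:not-a-manage-nameid-request", links
    issuer = root.findtext(f"{{{SAML}}}Issuer")
    old_key = (issuer, root.findtext(f"{{{SAML}}}NameID"))
    if old_key not in links:
        return "error:unknown-nameid", links
    if root.find(f"{{{SAMLP}}}Terminate") is not None:  # plain termination
        del links[old_key]
        return "terminated", links
    new_id = root.findtext(f"{{{SAMLP}}}NewID")
    if new_id is None:
        return "error:missing-newid", links
    new_key, old_acct = (issuer, new_id), links[old_key]
    existing = links.get(new_key)
    if existing is not None and existing != old_acct:  # the collision case
        if collision_policy == "merge":  # same principal: drop the old link
            del links[old_key]
            return f"merged:{old_acct}->{existing}", links
        if collision_policy == "terminate":
            del links[old_key], links[new_key]
            return "terminated-both", links
        return "error:identifier-collision", links  # default: reject
    del links[old_key]  # ordinary rename (or an idempotent repeat)
    links[new_key] = old_acct
    return "renamed", links
```

Rejecting by default keeps the SP's link table unchanged until the deployers have agreed on what a colliding NewID means, which is the interop point the post raises.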