From: Sander A. <sa....@fz...> - 2024-08-19 08:22:18
Good morning Krzysztof, good morning Roman,

We are setting up a new Unity instance as a proxy for services offered by our institute. This should always give users the same look and feel at login. The main account source is a local OP, but it is also connected to a few selected external OPs. Another condition is that users shall have only one account. For this reason we are using the email address as a second identifier, besides the sub of OIDC.

As far as I understood, we must use the "REQUIRE_MATCH" policy if both identifiers must match. Can you confirm this?

When we are using "REQUIRE_MATCH", users must create an account, e.g. via the "No account? Sign up!" link in the UI, before they log in to Unity in the normal login flow. Can you confirm this, too?

When we use the "CREATE_OR_MATCH" policy, Unity recognises that users are not registered in the system if the users log in for the first time, but Unity would start merging users only by the email from different OPs. Since email addresses are reused over time, we do not want to have an implicit merge by email address only.

In 9 years of operating this kind of proxy, our experience has been that users do not follow the "No Account? Sign Up" link if they see the big WAYF and can select their home organisation. Also, service providers do not want to have this additional step of clicking on the registration button before users can start using the service.

Do you see any possibility to have the identity mapping like REQUIRE_MATCH but display the registration/associate buttons if the user is not known in the system?

Best regards,
Sander

--
Large-Scale Data Science
Juelich Supercomputing Centre
phone: +49 2461 61 8847
fax: +49 2461 61 6656
email: sa....@fz...

Forschungszentrum Jülich GmbH
52425 Jülich
Registered office: Jülich
Registered in the commercial register of the Düren District Court, No. HR B 3498
Chairman of the Supervisory Board: MinDir Stefan Müller
Management Board: Prof. Dr. Astrid Lambrecht (Chair), Karsten Beneke (Deputy Chair), Prof. Dr. Ir. Pieter Jansens