COmanage Registry is capable of tracking various identifiers with several characteristics:
- Is the identifier attached to an Organizational Identity or to a CO Person?
- What type is the identifier? Note that Extended Types are available for identifiers.
- Can the identifier be used to log in to the platform?
This last item is important to understand, especially in a multi-tenant environment. When a person authenticates to COmanage Registry, it is expected that they are using an external or federated identity mechanism. The identifier returned by the authentication system is looked up in the identifiers table. If a corresponding identifier is found that is enabled for login, then that identifier is permitted to log in to the platform. The identifier is then checked for one or more matching Organizational Identities, which in turn can be used to identify the corresponding CO People.
If login identifiers will be assigned by COs within Registry, and if different COs assign the same login identifier, the expectation is that the identifier refers to the same person (who therefore must have access to both COs). This is consistent with the current design, where the entire platform expects a single authentication system that applies to all COs. If different COs expect to use different authentication systems, they cannot share the same platform.
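The lookup sequence described in the two paragraphs above (identifier table match, login flag check, Organizational Identity resolution, CO Person mapping, and the case of one identifier value assigned by two COs) as an added illustration. This is example code written for this page, not COmanage Registry's own code or schema; the table layout, field names, the Org Identity to CO Person link table, and the sample people are constructed assumptions, and the model assumes that only identifiers attached to an Organizational Identity participate in login resolution.

```python
"""Added illustration of the login lookup described above.

Constructed, in-memory tables; NOT the COmanage Registry schema or code.
Field and table names are assumptions chosen for readability.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Identifier:
    value: str                              # e.g. "alice@example.org"
    type: str                               # e.g. "eppn"; Extended Types are arbitrary strings
    login: bool                             # may this identifier be used to authenticate?
    org_identity_id: Optional[int] = None   # attached to an Organizational Identity ...
    co_person_id: Optional[int] = None      # ... or attached directly to a CO Person


@dataclass(frozen=True)
class CoPerson:
    id: int
    co_id: int                              # the CO this record belongs to


# Constructed sample data (assumption: two COs on one platform sharing one authentication system).
CO_PEOPLE = [CoPerson(id=100, co_id=1), CoPerson(id=200, co_id=2), CoPerson(id=300, co_id=2)]

# Org Identity -> CO Person links (assumed many-to-many link table).
ORG_IDENTITY_LINKS = [(10, 100), (11, 200), (12, 300)]

IDENTIFIERS = [
    # Alice: the same login identifier assigned by both COs -> one person, two Org Identities.
    Identifier("alice@example.org", "eppn", login=True, org_identity_id=10),
    Identifier("alice@example.org", "eppn", login=True, org_identity_id=11),
    # Bob: identifier is known, but NOT enabled for login.
    Identifier("bob@example.org", "eppn", login=False, org_identity_id=12),
    # Carol: identifier attached only to a CO Person record, no Organizational Identity.
    Identifier("carol-co2", "coid", login=True, co_person_id=300),
]


class LoginDenied(Exception):
    """Raised when the authenticated identifier does not map to a login-enabled record."""


def resolve_login(authn_identifier: str, identifiers=IDENTIFIERS,
                  links=ORG_IDENTITY_LINKS, co_people=CO_PEOPLE) -> set[tuple[int, int]]:
    """Map the value returned by the authentication system to (co_id, co_person_id) pairs."""
    # 1. Exact-match lookup in the identifiers table.
    matches = [i for i in identifiers if i.value == authn_identifier]
    if not matches:
        raise LoginDenied(f"unknown identifier {authn_identifier!r}")

    # 2. A match alone is not enough: the identifier must be flagged as usable for login.
    login_ids = [i for i in matches if i.login]
    if not login_ids:
        raise LoginDenied(f"identifier {authn_identifier!r} is not enabled for login")

    # 3. Resolve through Organizational Identities; one value may be attached to several
    #    Org Identities, one per CO that assigned it to the same person.
    org_ids = {i.org_identity_id for i in login_ids if i.org_identity_id is not None}
    if not org_ids:
        raise LoginDenied(f"identifier {authn_identifier!r} has no Organizational Identity")

    # 4. Follow the Org Identity -> CO Person links and report each CO Person with its CO.
    person_by_id = {p.id: p for p in co_people}
    result = set()
    for org_id, person_id in links:
        if org_id in org_ids and person_id in person_by_id:
            result.add((person_by_id[person_id].co_id, person_id))
    return result


def login_allowed(authn_identifier: str) -> bool:
    """True if the identifier resolves to at least one CO Person, False if login is denied."""
    try:
        return bool(resolve_login(authn_identifier))
    except LoginDenied:
        return False


if __name__ == "__main__":
    print(resolve_login("alice@example.org"))   # {(1, 100), (2, 200)}: one person, both COs
    for who in ("bob@example.org", "carol-co2", "nobody@example.org"):
        try:
            resolve_login(who)
        except LoginDenied as exc:
            print("denied:", exc)
```

Running the block shows Alice resolving to a CO Person in both COs from a single authenticated value, while Bob is refused because his identifier is not login-enabled even though it is present in the table; Carol's CO-scoped identifier is refused because, in this model, it has no Organizational Identity to resolve through.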