Review and Discussion of Document draft at: https://docs.google.com/document/d/1IVDjmdCqToB9aGAlF5SVLCmVHskCqmtN7kW_jRhOWPs/edit?usp=sharing
Discussion addressed the following points. David and Eric to edit to incorporate.
- Issue of social providers that will issue a globally unique, persistent identifier that’s not targeted.
- API call limits
- Should there be local and external ID consent?
- Is “you” (the audience) the SP or the IdP?
- Stronger call out of external identities with local identities and without local credentials
- Describing identities versus credentials as a callout
- How do you initiate creation from external ID vs. linking
- Linking across providers… is that the bigger issue?
- Is password reset any different for external identifiers?
- If I lose my social ID (my credential) how do I regain access to my identity?
- Really comes down to attribute alignment and authorization
- Need to manage to “prospects”, have people log in using an external identifier
- Use external credentials with an internal identity
- Only when they accept applications are they granted an internal credential
- At this point will have two credentials, possibly different LoAs
- Applicant emails are increasingly high school provided addresses