[Note: This is a copy of a page from the Social Identity Working Group wiki space. It will be revised as more Use Cases for External Identities are collected.]
This page is being used to collect GENERIC Use Cases. Per the usual policy on this wiki, any authenticated user should be able to edit this page.
A set of use cases has been submitted that describe campus central IT adding "social identity people" to the central person registry (and perhaps associating multiple sets of credentials with an individual); a separate set of use cases has been submitted which include no role for central IT or for "remembering" anything about the person using social credentials. Both models seem to have significant numbers of people interested in them. Consequently, both models are likely to be deployed, with campuses choosing a model appropriate to the problem they are trying to solve.
Link to contributed use cases page
Basic Use Case -- short term guest access. Jane Doe attempts to access Service X at campus Y, because she is working on a project with John Smith (a faculty member at campus Y). The service requires that she authenticate; she navigates through the Discovery Service and uses her google/yahoo/facebook account to authenticate, and is returned to Service X. Jane now has the baseline set of permissions at Service X. Later, John gives Jane access to the document they are working on together.
Variant one -- short term guest access, email invite, pre-provisioned with certain specific rights. (CMU) Student Jane logs into the local student system, and navigates to area X. She decides to give her parents access to this area. She enters one parent's email address. The system sends an email to that address; it contains a url with a token. The parent reads the email, clicks the url, is taken to a service on the campus. Because there is no existing session, the parent is redirected to a Discovery Service. They select their social service as their IDP, are redirected there, authenticate, and are redirected back to the campus. This time, they have a session, and consequently are granted access to Jane's instance of area X.
Variant Two (extending variant one); after authentication the user is taken to a central point of some sort (eg a Gateway); the first time there the user is taken to a Registration App and the user self asserts profile info. (need some sort of person registry. The GW constructs an EPPN value...)
Variant Three -- (extending variant two); some attributes are populated using values asserted by authentication service. (I'm not sure this is really any different than self-asserted...)
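The email-invite flow in Variant one (token in an emailed URL, then a social login before the rights are granted) is the part a practitioner has to get right: the email address is only the delivery channel, and whoever arrives with the token and a session is the one who receives the pre-provisioned rights. The following is an added example, not code from the wiki or any campus system, of how such a token can be issued and redeemed so that it is unguessable, stored only as a digest, time-limited and single-use. The store names, the seven-day TTL and the sample identifiers are assumptions made for the example.

```python
import hashlib
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Constructed in-memory stores standing in for the campus system's database.
INVITES: Dict[str, dict] = {}                      # sha256(token) -> invite record
GRANTS: Dict[Tuple[str, str], Set[str]] = {}       # (resource, subject) -> rights
INVITE_TTL_SECONDS = 7 * 24 * 3600                 # assumed validity window for an emailed link


def _digest(token: str) -> str:
    # Only a hash of the token is stored, so a copy of the table cannot be replayed.
    return hashlib.sha256(token.encode()).hexdigest()


def create_invite(inviter: str, invitee_email: str, resource: str,
                  rights: Set[str], now: Optional[float] = None) -> str:
    """Student `inviter` invites an email address to `resource` with pre-provisioned rights.
    Returns the raw token to embed in the emailed URL; only its digest is kept."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)              # 256 bits of randomness, unguessable
    INVITES[_digest(token)] = {
        "inviter": inviter,
        "invitee_email": invitee_email,
        "resource": resource,
        "rights": set(rights),
        "expires": now + INVITE_TTL_SECONDS,
        "redeemed_by": None,
    }
    return token


def redeem_invite(token: str, authenticated_subject: Optional[str],
                  now: Optional[float] = None) -> str:
    """Handle the invitee arriving via the emailed URL.
    `authenticated_subject` is the identifier the social IdP asserted for the
    current session, or None when there is no session yet."""
    now = time.time() if now is None else now
    if authenticated_subject is None:
        # No session: the campus service sends the visitor to the Discovery Service
        # and expects them back on the same URL once the social IdP has authenticated them.
        return "redirect:discovery"
    rec = INVITES.get(_digest(token))
    if rec is None:
        return "rejected:unknown-token"
    if now > rec["expires"]:
        return "rejected:expired"
    if rec["redeemed_by"] is not None:
        # Single use: a forwarded or leaked email cannot mint a second grant.
        return "rejected:already-used"
    # Bind the pre-provisioned rights to whichever external identity actually showed up;
    # from now on that identity (not the email address) is what carries the access.
    rec["redeemed_by"] = authenticated_subject
    GRANTS.setdefault((rec["resource"], authenticated_subject), set()).update(rec["rights"])
    return "granted"


def rights_for(resource: str, subject: str) -> Set[str]:
    return GRANTS.get((resource, subject), set())
```

Because the flow never compares the social identity's email to the invited address (the page does not require that), the expiry and the single-use check are what keep a forwarded invitation from handing out the rights more than once.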
Basic Use Case 2 -- short term guest access. John Smith (a faculty member at campus Y) is working on a project with Jane Doe; they are using a wiki service to support their collaborative work. John goes to the wiki space, and grants Jane's OpenID value R/W access to the space. Later, Jane accesses the wiki, authenticates using her OpenID associated account, and gains access to their shared work space.
Basic Use Case 3 -- (web finger) John Smith is working with a group of 50 other researchers. He has email addresses for all of them; most of the email addresses are based at gmail and yahoo. He maps the email addresses to their associated OpenID values, and then grants all these OpenID values R/W access to the wiki space supporting their work.
Account linking 1 -- built on variant two with the Person Registry. The Registry remembers all of the accounts that a person can use (eg OpenID, institution issued credentials, etc). The user's history and permissions are associated with all of the login accounts. (Perhaps some privileges require higher LoA authN?)
Account linking 2 -- Sara has been accessing the public portions of SonnetBlast, a Bamboo workspace, based on an authentication to her FaceBook account. Six months later Sara starts a research plan that requires advanced features of SonnetBlast only accessible via federated login using her Wattsamatta U. userid. When Sara logs into SonnetBlast via the federated login for the first time, Bamboo, seeing this as a new user, prompts Sara to create a new account or to use an existing account. If she indicates that she has an existing account, she is prompted to login via an IdP she has used to access that account. The action identifies the existing account and her new login is then associated with that account.
Account linking 3 -- Assistant Professor Kohlrabi has a Bamboo identity created under his Garden State College issued userid. Budget cuts to the university threaten to snowball into layoffs in the assistant professoriate. Based on Bamboo FAQ advice, he decides to link his Google account to his Bamboo identity as a precaution against losing his Bamboo portfolio in the event his university credentials are yanked as part of a termination of appointment.
He authenticates to the Bamboo account linking site with his institutional identity. He is invited to choose a social identity provider, clicks on a link that takes him to a Google login popup. After successfully authenticating, he is informed that his Bamboo account is now accessible via his google account credentials, regardless of the status of his Garden State ID. However, because the rights to access certain online journals and Bamboo data files depend on faculty status, he will not have access to those resources when logged in with his Google account. If he leaves GSU and takes an appointment at Trenton State, he will regain access to the data files and resources once he links his Trenton State identity via Account Linking Scenario 2.
Account linking 4 -- Professor Jessica Postlethwaite holds joint appointments at Harvard and MIT in nanosemiotics. She is a senior partner in The Semiotics of Nanotechnology Bamboo Workspace. To bring together her data files from both MIT and Harvard, she uses the account linking service to link her Harvard and MIT identities, thereby consolidating them under a single Bamboo Person ID. Note that specific access rights are associated with particular identities, so there are some MIT materials that she cannot access when logged in via Harvard credentials.
sweden -- specific example of account linking. Person transitions through several stages: applicant (OpenID, social), student (institution issued credentials), alum (back to external credentials). All of these accounts are linked to a single individual.
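The account linking cases above share two rules worth seeing in code: a new login may only be attached to an existing person after the user authenticates with an identity already linked to that person (Account linking 2), and rights that depend on a particular credential (faculty status in Account linking 3, the MIT-only materials in Account linking 4) travel with that identity rather than with the person. The registry below is an added example written for this page; it is not Bamboo's code nor any campus registry. The class and field names, the entitlement strings and the issuer names are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

IdKey = Tuple[str, str]   # (issuer, subject) as asserted by an IdP


@dataclass
class Identity:
    issuer: str                 # the IdP (institution or social) that asserts this subject
    subject: str                # the identifier as the IdP asserts it
    entitlements: Set[str]      # rights that come with *this* identity (e.g. faculty status)
    active: bool = True         # False once the issuer has revoked/disabled the account


@dataclass
class Person:
    person_id: str
    base_entitlements: Set[str]                     # person-level rights (the "portfolio")
    identities: Dict[IdKey, Identity] = field(default_factory=dict)


class PersonRegistry:
    """Hypothetical registry: many identities, one person; rights resolved per login identity."""

    def __init__(self) -> None:
        self._people: Dict[str, Person] = {}
        self._index: Dict[IdKey, str] = {}      # (issuer, subject) -> person_id
        self._next = 1

    def lookup(self, issuer: str, subject: str) -> Optional[str]:
        return self._index.get((issuer, subject))

    def register(self, ident: Identity, base_entitlements: Set[str]) -> str:
        """First-ever login where the user chose 'create a new account'."""
        key = (ident.issuer, ident.subject)
        if key in self._index:
            raise ValueError("identity already belongs to a person")
        pid = f"person-{self._next}"
        self._next += 1
        self._people[pid] = Person(pid, set(base_entitlements), {key: ident})
        self._index[key] = pid
        return pid

    def link(self, proof: IdKey, new_ident: Identity) -> str:
        """Account linking: the user proves ownership of the existing account by
        authenticating with an identity already linked to it (`proof`); only then
        is `new_ident` attached to the same person."""
        pid = self.lookup(*proof)
        if pid is None or not self._people[pid].identities[proof].active:
            raise PermissionError("proof identity is not an active linked identity")
        key = (new_ident.issuer, new_ident.subject)
        if key in self._index:
            raise ValueError("identity already belongs to a person")
        self._people[pid].identities[key] = new_ident
        self._index[key] = pid
        return pid

    def deactivate(self, issuer: str, subject: str) -> None:
        """The issuer revoked the credential (e.g. termination of appointment)."""
        pid = self._index[(issuer, subject)]
        self._people[pid].identities[(issuer, subject)].active = False

    def login(self, issuer: str, subject: str) -> dict:
        """Resolve a login to a person and the rights effective *for this identity*."""
        pid = self.lookup(issuer, subject)
        if pid is None:
            return {"status": "new-user"}       # prompt: create account, or link an existing one?
        person = self._people[pid]
        ident = person.identities[(issuer, subject)]
        if not ident.active:
            return {"status": "identity-disabled", "person_id": pid}
        return {"status": "ok", "person_id": pid,
                "entitlements": person.base_entitlements | ident.entitlements}
```

Keeping the entitlements on the identity rather than merging them into the person is what makes the Kohlrabi case come out as the page describes: after the college credential is disabled he still reaches his portfolio through Google, but the faculty-only resources stay unavailable until a new institutional identity is linked, and the disabled credential can no longer serve as proof for further linking.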
n-tier case 1 -- (delegation used to access backend service)
n-tier case 2 -- (impersonation used to access backend service)
Alumni -- another specific example of account linking. (Carleton College) When alumni password recovery or account claiming can be managed through the email address on record, so can linking of alumni internal accounts with OpenID credentials. Alumni tend to access services rarely (reunion registration every five years, occasional alumni directory lookup); it makes so much sense for them to use credentials they use on a daily basis (like their Gmail account) instead of maintaining and/or recovering local credentials.
(n-tier) Jane Doe attempts to access Service X at campus Y, because she is working on a project with John Smith (a faculty member at campus Y). The service requires that she authenticate; she navigates through the Discovery Service and uses her google/yahoo/facebook account to authenticate, and is returned to Service X. Jane now has the baseline set of permissions at Service X. Jane clicks a button at Service X, which sends a query to a backend service; Service X authenticates to the backend service as Jane.
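The two n-tier cases differ in what the backend can know: with impersonation (case 2, and the last scenario above) Service X "authenticates as Jane" and the backend cannot tell Jane's own request from one a front-end service made for her; with delegation (case 1) the request names both the user and the intermediary, so the backend can restrict what each intermediary may do and record who actually called. The following is an added example for this page, not code from any campus deployment; it uses a toy HMAC-signed token with a key assumed to be shared by Service X and the backend, and the claim names, service name and policy table are assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Assumption for this example: Service X and the backend share one HMAC key (constructed value).
SHARED_SECRET = b"constructed-demo-key-not-for-production"

# Which front-end services the backend accepts as delegates, and for which actions.
DELEGATION_POLICY = {"service-x": {"query"}}


def mint_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Serialise claims and sign them with HMAC-SHA256 (toy stand-in for a real token format)."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token: str, key: bytes = SHARED_SECRET) -> Optional[dict]:
    parts = token.split(".")
    if len(parts) != 2:
        return None
    body, sig = parts
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


def service_x_impersonating(user: str) -> str:
    """n-tier case 2: Service X calls the backend *as Jane*; nothing in the token
    reveals that a service sits in the middle."""
    return mint_token({"sub": user})


def service_x_delegated(user: str) -> str:
    """n-tier case 1: Service X calls on Jane's behalf and says so (an 'act' claim)."""
    return mint_token({"sub": user, "act": "service-x"})


def backend_handle(token: str, action: str) -> dict:
    """Backend authorisation decision plus the audit record it can write for the request."""
    claims = verify_token(token)
    if claims is None:
        return {"ok": False, "reason": "bad-signature"}
    subject = claims["sub"]
    actor = claims.get("act")
    if actor is None:
        # Impersonation: the backend can only record that the subject did this,
        # even though Service X is the party that actually made the call.
        return {"ok": True, "mode": "impersonation", "audit": {"sub": subject, "act": subject}}
    if action not in DELEGATION_POLICY.get(actor, set()):
        # Delegation lets the backend limit what each intermediary may do for a user.
        return {"ok": False, "reason": "actor-not-permitted", "audit": {"sub": subject, "act": actor}}
    return {"ok": True, "mode": "delegation", "audit": {"sub": subject, "act": actor}}
```

The audit records are the point: under impersonation both fields of the record say "Jane", so a compromised or misbehaving Service X is indistinguishable from Jane in the backend's logs, while under delegation the backend can both log the intermediary and refuse actions the policy does not grant it.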