...

Of course, not all of these options are available for every social provider: some do not provide a persistent identifier, some do not provide an email, some provide an email that the user can change, and some offer more than one email. On the last point, Jim noted that Windows Live can return more than one email, and all agreed that if this happens, the Gateway should return all values.

Recommendation

EPPN should be a username, not an opaque ID, and it should not be the user's email address if that can be avoided. In the end, the choice will probably be up to the SP admin, and it is up to us (or the Gateway documentation) to make sure SP admins understand the ramifications of their choices.

...

Several options were discussed regarding how to provision a user using their social identifier. Steven gave an example of an application where students need to grant access to the supervisor from their summer internship, and the supervisor logs in via a social provider. Ideally, the student could simply enter the supervisor's social username into the application. Of course, this works well only for services where you know the username, such as Twitter and Facebook.

Recommendation

Instead of asking end users to provide their social identifier (or the identifiers of others), ask them for an email address. Later, when the user logs into your app in response to an email invitation, map the identifier asserted by the social IdP to the email address originally provided by the user.
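The invitation flow described above, written out as an added example; this is not code from the meeting notes or from the Gateway itself. It assumes an in-memory store, a single-use invitation token sent by email, and that the social IdP asserts a stable `(provider, subject)` pair, which is what gets linked to the invited email rather than any email the IdP may return later.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Invitation:
    email: str
    used: bool = False


@dataclass
class AccountStore:
    # Hypothetical in-memory store; keyed by token hash so a leaked
    # store does not expose usable invitation tokens.
    invitations: dict = field(default_factory=dict)  # token_hash -> Invitation
    links: dict = field(default_factory=dict)        # (provider, subject) -> email


def _token_hash(token: str) -> str:
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


def create_invitation(store: AccountStore, email: str) -> str:
    """Register the email the end user typed in and return the token to mail out."""
    token = secrets.token_urlsafe(32)
    store.invitations[_token_hash(token)] = Invitation(email=email.strip().lower())
    return token  # delivered out of band in the invitation email


def redeem_invitation(store: AccountStore, token: str, provider: str, subject: str):
    """Called after the invitee logs in via the social IdP with the token in hand.

    Links the IdP-asserted identifier to the invited email. Returns the email on
    success, None if the token is unknown, already used, or the identifier is
    already linked to a different email.
    """
    inv = store.invitations.get(_token_hash(token))
    if inv is None or inv.used:
        return None
    key = (provider, subject)
    if key in store.links and store.links[key] != inv.email:
        return None
    inv.used = True  # single use: the token cannot link a second identity
    store.links[key] = inv.email
    return inv.email


def resolve_login(store: AccountStore, provider: str, subject: str):
    """Subsequent logins are resolved by the linked identifier, not by email."""
    return store.links.get((provider, subject))
```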

...