During the November 4 technical committee teleconference there was much discussion about the various use cases/flows a student may take to register through the system. Basically, the discussion broke into two general categories which need to be described.
In the first flow (system first), the first place a student goes will be the system's home page. The student will be shown the logos of all the participants in the system and will learn how a single system account will federate their identity and provide single sign-on to some or all of each participant's offerings. The student will create a system account at that time and will be given the option to create identities with each participant.
Some participants will only use the system credentials for authentication, and will only keep enriched participant-relevant data locally. Other participants will require the creation of a separate, locally maintained username and password. In all cases, the system will provide an identifier that is unique to the student that links all the accounts together.
In the second flow (participant first), the first place a student goes will be a participant's home page. The student will create an account with a username and password that is maintained by the participant. This account may or may not have a unique identifier attached to it (see questions, below). The student may end up with one or many local participant accounts; each time, the student will be given the opportunity to create a system account. Eventually, many students will click the link to create a system account. At that time, if they don't already have a unique identifier, one will be created for them. They will create a new system username and password, and will use their various participant usernames and passwords to link those participant accounts to the system account.
More to follow.
When a student logs in to a service provider using their system credentials, they are first redirected to the system to perform authentication (authn). The system verifies the user's identity and returns their unique identifier. The service provider then takes that unique identifier to its local identity provider, where the additional 'enriched' attributes for that student can be found.
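The following is an added example, not code from the system or the committee notes, that models the flow above and the account linking from the participant-first flow: the system authenticates the student and hands back the unique identifier as an HMAC-protected assertion, and the participant resolves that identifier to its locally held enriched attributes. It assumes a shared HMAC key between the system and each participant and PBKDF2 password storage; both are assumptions of this illustration, not stated in the notes.

```python
import hashlib, hmac, json, os, secrets

# Assumption (not from the notes): the system and each participant share an HMAC key
# that protects the identifier assertion returned after authentication.
SHARED_KEY = b"constructed-demo-key"

def hash_pw(password, salt=None):
    """Salted PBKDF2 password hash; returns (salt, digest)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def check_pw(password, stored):
    salt, digest = stored
    return hmac.compare_digest(hash_pw(password, salt)[1], digest)

class System:
    """Central system: holds system credentials and issues the unique identifier."""
    def __init__(self):
        self.accounts = {}                      # system username -> (pw_hash, uid)
    def create_account(self, username, password):
        uid = secrets.token_hex(8)              # identifier that links all accounts
        self.accounts[username] = (hash_pw(password), uid)
        return uid
    def authenticate(self, username, password):
        """Authn step: verify system credentials, return a signed uid assertion."""
        entry = self.accounts.get(username)
        if not entry or not check_pw(password, entry[0]):
            return None
        body = json.dumps({"uid": entry[1]})
        return body, hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()

class Participant:
    """Service provider with local accounts and locally kept enriched attributes."""
    def __init__(self):
        self.local = {}                         # local username -> record
        self.by_uid = {}                        # uid -> local username
    def create_local_account(self, username, password, attrs):
        self.local[username] = {"pw": hash_pw(password), "attrs": attrs}
    def link(self, username, password, uid):
        """Participant-first flow: prove the local credentials, then attach the uid."""
        rec = self.local.get(username)
        if not rec or not check_pw(password, rec["pw"]):
            return False
        self.by_uid[uid] = username
        return True
    def login_with_system(self, body, tag):
        """Verify the system's assertion, then resolve uid -> local enriched attributes."""
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None                         # tampered or forged assertion
        username = self.by_uid.get(json.loads(body)["uid"])
        return self.local[username]["attrs"] if username else None
```

An unlinked system account resolves to no attributes, and a participant that accepted an unverified identifier would let anyone claiming a uid read another student's record, which is why the assertion check sits before the lookup.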