Account Renames
We use a name-based user ID for our accounts on campus. People change names for various reasons, and they want to have the option to change their user ID to match their new name. Most of the software that we use uses the user ID as a unique identifier for the user. It assumes that identifier is immutable, and it is not. When a user has their user ID changed, they typically lose access to their accounts unless those systems can be made aware of the ID change.
In the fall of 2022 we are introducing a new attribute to our IdPs. The attribute is called ncsuRenames. When a user has their user ID changed, we keep a record of the old ID. That ID will be passed in this attribute.
This attribute uses a custom name:
AttributeID | SAML2 Name | Suggested ENV Name |
---|---|---|
ncsuRenames | ncsuRenames | SHIB_RENAMES |
Values
- If the user has not had their account renamed, this attribute will not be passed.
- If the uid has been renamed, the previous uid(s) will be sent.
- This attribute is not scoped, so it will pass unityid and not unityid@ncsu.edu.
- This attribute may have multiple values, but that is unlikely. The data source provides old-name to new-name mappings but does not chain the results for an account that has been renamed more than once.
Requesting This Attribute
All Service Providers (SPs) registered with the NCSU Federation will be sent this attribute by default. SPs using InCommon Federation can request the attribute release from shibboleth-help@ncsu.edu.
Using the Attribute
If your software can be programmed to look for this attribute, this is an example flow of how your software can use it.
- The user logs in to Shibboleth.
- Shibboleth sends their new uid or eduPersonPrincipal name.
- The software looks for the matching account, but doesn't find one.
- The software then looks for the ncsuRenames attribute and gets the user's previous uid.
- If that account exists, the software can rename the account and the user will not lose their previous access.
- If not, then the software can create a new account for the user like it would have done before.
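The flow above as a small Python sketch. This is an added example, not code from the MARS plugin or from NCSU. It assumes the uid arrives in an environment variable named SHIB_UID (an assumed mapping), that accounts live in a hypothetical in-memory dict keyed by uid, and that the Shibboleth SP exports multiple values in one variable separated by semicolons.

```python
import re

def split_values(raw):
    """Split a multi-valued attribute as the Shibboleth SP exports it:
    values joined with ';', a literal ';' inside a value escaped as '\\;'."""
    parts = re.split(r"(?<!\\);", raw or "")
    return [p.replace("\\;", ";").strip() for p in parts if p.strip()]

def resolve_account(environ, accounts):
    """Return (action, uid). `accounts` is a hypothetical store: dict keyed by uid."""
    # Read only from the environment populated by the SP, never from
    # client-supplied request headers or parameters.
    uid = (environ.get("SHIB_UID") or "").strip()  # SHIB_UID: assumed mapping
    if not uid:
        raise PermissionError("SP did not assert a uid")
    if uid in accounts:
        return ("login", uid)
    # No account under the current uid: try the previous uid(s), if sent.
    old_ids = dict.fromkeys(split_values(environ.get("SHIB_RENAMES")))
    matches = [old for old in old_ids if old in accounts]
    if len(matches) > 1:
        # Several local accounts claim to be this user: do not merge silently.
        raise LookupError("multiple previous accounts match: %s" % matches)
    if matches:
        record = accounts.pop(matches[0])  # rename in place, keep access
        record["uid"] = uid
        accounts[uid] = record
        return ("renamed", uid)
    accounts[uid] = {"uid": uid, "roles": []}  # same as before the attribute existed
    return ("created", uid)

if __name__ == "__main__":
    # Constructed sample data, not real accounts.
    store = {"jdoe": {"uid": "jdoe", "roles": ["editor"]}}
    print(resolve_account({"SHIB_UID": "jsmith", "SHIB_RENAMES": "jdoe"}, store))
    print(store)
```

Because the attribute can carry more than one previous uid, the sketch refuses to pick one when several local accounts match and leaves that case for an administrator.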
We plan to implement this process in the MARS authentication plugin for WordPress that we support for campus users. If you are using WordPress and running on OIT Web Publishing or OIT cPanel servers, you will get this update automatically.
If you are running WordPress + MARS on your own servers, or if you are running any other software and you want to receive the ncsuRenames attribute, you will need to make sure you have added an entry for it in your Attribute Map file.
Sites that are using our suggested mappings can simply download the updated file from sample30-attribute-map.xml and replace the copy found on your server at /etc/shibboleth/attribute-map.xml.
If you want to manually add the mapping, edit your /etc/shibboleth/attribute-map.xml file and add an entry like this to it:
<Attribute
name="ncsuRenames"
id="SHIB_RENAMES" />
If you are not using our suggested mappings, you can change the id="SHIB_RENAMES" entry above to a name of your choice. The SP will return that name as an environment variable to your programs.
After you have updated your map file, restart shibd and test to verify the new attribute is being passed in the environment.