What happens when we change our university IDentity Provider (IDP)?

Summary

If your university ever makes changes to your IDentity Provider (IDP), you will need to be sure that they do not alter the identifier that Talis uses to find your user profile in Talis systems.

Changes to your IDP have the potential to cause loss of access to Talis Aspire for students, academics, and library staff. Before making any changes to university IDPs, it is essential you contact Talis Support to determine if the proposed changes will have an impact.

Detail

If the persistent ID changes for a given user, Talis Aspire can no longer associate pre-existing user profiles with the user who has signed in. This means that all user data (e.g. My Lists, My Bookmarks, profile information and all permissions) will become inaccessible to the user. To be clear: the data is not lost, but it is inaccessible to the user.

Before making any changes to university IDPs, it is essential you contact Talis Support to determine if the proposed changes will have an impact.

What kind of changes will alter the persistent ID of a user?

  • Changing the access URL of the IDP, e.g. http://myshib.myinst.ac.uk -> http://myshib2.myinst.ac.uk
  • Changing the software platform, e.g. from Shibboleth to OpenAthens
  • Moving from bi-lateral authentication to authentication via a Federation
  • Releasing new and unexpected attributes to Talis that are also valid user identifiers.
If you are in any doubt, it is best to check with us before making a change. In some circumstances the consulting team can conduct a test to see if the persistent ID will change. Please raise a ticket for further information, giving as much detail as possible about the systems being changed.
 
Minor software changes of the same system do not usually cause an issue. However, it is best to seek reassurance from IT teams that identifiers released in any of the attributes discussed below are not changing.
 
Where a user has not been seen by Talis before, we will look for their user ID in one of the following attributes, in the order given.
  1. urn:oid:1.3.6.1.4.1.5923.1.1.1.10
  2. urn:mace:eduserv.org.uk:athens:attribute-def:person:1.0:persistentUID
  3. urn:mace:dir:attribute-def:eduPersonTargetedID
Most customers will be releasing this attribute to us:
urn:oid:1.3.6.1.4.1.5923.1.1.1.10
 
Some long-standing customers who have been using very old OpenAthens systems for a long time will be releasing a SAML1 attribute and may have had an override added to their tenancy to specifically pick:
urn:mace:eduserv.org.uk:athens:attribute-def:person:1.0:persistentUID
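
The lookup order above is why releasing an extra attribute, or changing the value in an existing one, can change a user's persistent ID. The following is an added example, not Talis code: it models only the order listed above and compares what would be resolved for one test user before and after an IDP change. The function names, the override parameter and all sample values are assumptions made for illustration.

```python
# Added illustration, not Talis code. Models only the lookup order listed above.
LOOKUP_ORDER = [
    "urn:oid:1.3.6.1.4.1.5923.1.1.1.10",
    "urn:mace:eduserv.org.uk:athens:attribute-def:person:1.0:persistentUID",
    "urn:mace:dir:attribute-def:eduPersonTargetedID",
]


def resolve_persistent_id(attributes, override=None):
    """Return (attribute_name, value) for the first non-empty identifier.

    attributes: dict of attribute name -> list of string values, as decoded
    from one test user's assertion. override: hypothetical stand-in for a
    tenancy override that pins one attribute. Blank values count as absent.
    """
    for name in ([override] if override else LOOKUP_ORDER):
        values = [v.strip() for v in attributes.get(name, []) if v and v.strip()]
        if values:
            return name, values[0]
    return None, None


def compare_release(old_attrs, new_attrs, override=None):
    """Compare the identifier resolved before and after an IDP change."""
    old_name, old_id = resolve_persistent_id(old_attrs, override)
    new_name, new_id = resolve_persistent_id(new_attrs, override)
    if new_id is None:
        status = "no-identifier"       # nothing usable would be released
    elif old_id == new_id:
        status = "unchanged"
    elif old_name != new_name:
        status = "attribute-switched"  # a different attribute now wins
    else:
        status = "value-changed"       # same attribute, different value
    return {"status": status, "old": (old_name, old_id), "new": (new_name, new_id)}


# Constructed sample data for one test user (all values are made up).
OLD = {LOOKUP_ORDER[2]: ["https://idp.example.ac.uk!https://sp.example.com!a1b2c3"]}
# The old value is still released, plus a new attribute earlier in the order.
NEW_EXTRA = {**OLD, LOOKUP_ORDER[0]: ["https://idp2.example.ac.uk!https://sp.example.com!zz99"]}
# Same attribute, but a different value after the change.
NEW_URL = {LOOKUP_ORDER[2]: ["https://idp2.example.ac.uk!https://sp.example.com!d4e5f6"]}

if __name__ == "__main__":
    for label, new in (("no change", OLD), ("extra attribute", NEW_EXTRA), ("new URL", NEW_URL)):
        print(label, "->", compare_release(OLD, new)["status"])
```

Any status other than "unchanged" for a test user means existing profiles would no longer match after the change.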
 
If the persistent ID is changing, what can I do about it?
 
Talis has a migration feature built into Talis Aspire which allows us to migrate your users from one IDP to another. This relies on your old and new systems being available at the same time. This can often mean running the systems in parallel for several months. 
 
Talis can also batch update users so that their persistent IDs are changed en masse. This is a paid consultancy option and requires your university to be able to supply a file which maps old persistent IDs to new ones.