Description
Via MPG SSO login, most users can choose between two different Identity Providers: the one of their institute and the "Other users" option, which forwards to the IdP of the headquarters.
For both options, the eppn attribute and the uid attribute are returned. The uid corresponds to the personnel number of the user. The eppn differs depending on which IdP was used:
Example User 1
- Login via institute
  - eppn: `instituteEppnUser1`
  - uid: `uidUser1`
- Same user, login via "Other users"
  - eppn: `uidUser1@vw.mpg.de`
  - uid: `uidUser1`

Example User 2
- Login via institute
  - eppn: `instituteEppnUser2`
  - uid: `uidUser2`
- Same user, login via "Other users"
  - eppn: `uidUser2@vw.mpg.de`
  - uid: `uidUser2`
Problem:
Currently, Dataverse identifies a user by the combination of the IdP id and the eppn, e.g.
`idp-id|instituteEppnUser1`
This identifier is set the first time a user logs into Dataverse.
If a user logs in the first time via the institute and another time via "Other users" (or vice versa), they cannot be matched by their eppn. The system shows the page for creating a new user, which fails because the email address already exists in the system.
Possible solution
Change from eppn to uid (= personnel number) as the unique identifier in Dataverse.
Users who already have an account in Dataverse have to be migrated. As there is no eppn <-> uid mapping available, the migration has to be done for each user individually on their next login attempt:
Example User 1 logs in:
- Check if the user is available via the uid-based id `idp-id|uidUser1` and there is NO entry for the eppn-based id `idp-id|instituteEppnUser1`
  - Yes: log user in
  - No: next step
  - The check for NO eppn-based entry is for users that have multiple institute accounts
- Check if the user is available via the eppn-based id `idp-id|instituteEppnUser1`
  - Yes:
    - Change the user identifier in Dataverse to the uid-based id, but only if there is no `idp-id|uid` entry already there
    - Log user in
  - No: next step
- Check if the user is available via a simulated eppn-based id for the headquarters IdP. As these eppns mostly have the format `personnelnumber@vw.mpg.de`, the simulated id is `idp-id|uidUser1@vw.mpg.de`
  - Yes:
    - Change the user identifier in Dataverse to the uid-based id, but only if there is no `idp-id|uid` entry already there
    - Log user in
  - No: show the page for creating a new user
Problems/Questions
- Can we be sure that the headquarters IdP eppn is always `uid@vw.mpg.de`?
- The migration process does not work when an existing user first logged in via the institute and later logs in via "Other users": the stored id is `idp-id|instituteEppnUser1`, but the login only yields `uidUser1@vw.mpg.de` and `uidUser1`, so there is no match via eppn or uid.
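Added example, not Dataverse code: a Python model of the proposed lookup order, run against an in-memory map of persistent ids to user records. It assumes the identifier format `idp-id|<local part>` as written in this issue (with `idp-id` kept as a placeholder) and the headquarters eppn format `<uid>@vw.mpg.de`; the user records, e-mail addresses and store contents are constructed for the example. It also reproduces the failing case from the questions above: an account created under the institute eppn is not found on a later "Other users" login, and the new-user page would then collide on the e-mail.

```python
# Added example modelling the proposed uid-based lookup and lazy migration.
# Not Dataverse code. "idp-id", the store layout and the headquarters eppn
# format "<uid>@vw.mpg.de" are assumptions taken from the issue text.

IDP_ID = "idp-id"              # placeholder for the IdP id, as written in the issue
HQ_EPPN_SUFFIX = "@vw.mpg.de"  # assumed headquarters eppn format: <uid>@vw.mpg.de


def persistent_id(local_part):
    """Dataverse-style identifier: <idp-id>|<local part>."""
    return f"{IDP_ID}|{local_part}"


def hq_eppn_matches_uid(eppn, uid):
    """Consistency check for the open question: does the headquarters IdP
    really send <uid>@vw.mpg.de? Log any login where this is False before
    relying on the simulated id in step 3."""
    return eppn == uid + HQ_EPPN_SUFFIX


def resolve_login(store, eppn, uid):
    """Apply the proposed lookup order to one login.

    store maps persistent id -> user record (a dict with an "email" key) and is
    updated in place when an account is migrated.
    Returns (action, persistent_id) with action "login", "migrated" or "new_user".
    """
    uid_id = persistent_id(uid)
    eppn_id = persistent_id(eppn)
    hq_id = persistent_id(uid + HQ_EPPN_SUFFIX)

    # Step 1: account already on the uid-based id. The extra "no eppn-based
    # entry" condition keeps users with several institute accounts on the
    # institute account they logged in with.
    if uid_id in store and eppn_id not in store:
        return "login", uid_id

    # Step 2: eppn-based id exactly as the current IdP sent it.
    # Step 3: simulated headquarters eppn built from the uid.
    for legacy_id in (eppn_id, hq_id):
        if legacy_id in store:
            if uid_id in store:
                # a uid-based account exists already: never overwrite it,
                # log the user into the legacy account instead
                return "login", legacy_id
            store[uid_id] = store.pop(legacy_id)
            return "migrated", uid_id

    # Nothing matched: Dataverse would show the new-user page
    return "new_user", None


def email_in_use(store, email):
    """The new-user page fails when the e-mail already belongs to an account."""
    return any(record.get("email") == email for record in store.values())


if __name__ == "__main__":
    # Constructed sample: User 1 has a legacy institute-eppn account.
    store = {persistent_id("instituteEppnUser1"): {"email": "user1@example.org"}}
    print(resolve_login(store, "instituteEppnUser1", "uidUser1"))   # migrated
    print(resolve_login(store, "uidUser1@vw.mpg.de", "uidUser1"))   # login via uid

    # Known gap: legacy institute account, first re-login via "Other users".
    store = {persistent_id("instituteEppnUser1"): {"email": "user1@example.org"}}
    print(resolve_login(store, "uidUser1@vw.mpg.de", "uidUser1"))   # new_user
    print(email_in_use(store, "user1@example.org"))                 # True: creation fails
```

Running the block shows the two branches that matter in review: a legacy institute account is migrated on the next institute login and then found via the uid-based id from either IdP, while the order "institute first, then Other users" still ends at the new-user page, because neither the sent eppn nor the simulated headquarters eppn equals the stored institute eppn. Any fix for that case needs a third source of linking information (for example the e-mail that already collides), which this issue does not yet specify.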