SWITCH Identity Blog

The Identity Blog puts the spotlight on identity management, digital identities, identifiers, attributes, authentication and access management.

There Can Be Only One!


As a child of the 80s, I have of course seen the movie “Highlander”. In our “clone wars” (referencing Star Wars) against edu-ID duplicate accounts, I am therefore reminded of the famous Highlander quote “there can be only one”. Slightly adapted, this quote fits: “There can be only one edu-ID account per person”. Thanks to the automatic merging process described in this article, we now have the weapon in our hands to reach this goal.

As written in the recent blog post on duplicate accounts, having no duplicate accounts is impossible to achieve and we cannot prevent all duplicate accounts from being created accidentally or on purpose. However, since 2017 the edu-ID support team can merge duplicate accounts and since May 2018 edu-ID users can merge their duplicate accounts on their own. So, how does this work?

[Image: Account-Merge-0]

If the edu-ID platform detects a possible duplicate account (e.g. because somebody links an already linked AAI account), we inform the user on the web page and up to twice via e-mail about the possibility to merge duplicate accounts. If the user follows our advice, a click on the Remove Duplicate Account link initiates the account merging process. This process consists of the following steps:

Step 1: Proof that Both Accounts Belong to You

[Image: Account-Merge-2]

Of course, we want to ensure that users can only merge their own accounts. Therefore, they first have to authenticate successfully with both accounts to prove this. In case of forgotten credentials, the normal password reset process must be used first.

Step 2: Choose Which Account to Keep

[Image: Account-Merge-3]

During the merging process, one account is deleted and its data is added to the remaining account where reasonable, depending on the quality of the data. The merging process uses a heuristic algorithm to make a recommendation on which account to keep. Generally, this is the account with more activity.

Step 3: Confirm the Account Merging

[Image: Account-Merge-4]

Merging two accounts likely has certain side effects because one of the two accounts will be deleted. This step makes the user aware of the potential consequences before proceeding. When the user proceeds, the actual merging happens within seconds.

The Result

[Image: Account-Merge-5]

At the end of the merging process, there is indeed only one edu-ID account remaining for this user. The other account was “killed in action” but some of its data lives on in the remaining account, which – as in the Highlander movie – is now even stronger. Of course, the user receives a confirmation email with a merging receipt as reference. This e-mail also explains what data was added to the remaining account.

Side Effects

In the merging process, one account gets deleted. So, not surprisingly, another slightly adapted quote, this time from Lord of the Rings, applies: “One does not simply merge two edu-ID accounts without side effects”.

The deleted account may have been used to access some services, which recognize the user by an identifier attribute (e.g. swissEduPersonUniqueID, swissEduID, eduPersonPrincipalName, eduPersonUniqueId) of the now deleted account. Because these single-valued identifier values cannot be added to the remaining account, the user may lose access to the same content and privileges on certain services. Therefore, the merging process automatically informs all services the user accessed with the deleted account. The e-mail sent to the technical contacts of the services lists the modified identifier attributes. There is also a link to a merging receipt web page that contains the changed values for a user and a given service. The merging receipt is automatically deleted after some time.

[Image: Account-Merge-7]

The merging receipt page includes instructions that help a service administrator apply the changes necessary to grant access again to the remaining account. If the changes are applied in a timely manner, the user will be able to access all services again with the remaining account, with the same content and privileges that he had with the two duplicate accounts.
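The service-side change that the merging receipt asks for, as an added example that is not SWITCH's or the edu-ID platform's code: a routine that rewrites the identifier attributes of the deleted account to the values of the remaining account in a service's local user store, and carries privileges over when the user had already used both accounts on that service. The receipt structure, the user-store layout and all identifier values here are assumptions, constructed for the example.

```python
# Added example (not SWITCH tooling): apply a merging receipt to a service's
# local user store. Receipt format and store layout are assumptions.

# Single-valued identifier attributes the blog post names as the keys by which
# services recognise a user.
IDENTIFIER_ATTRIBUTES = {"swissEduPersonUniqueID", "swissEduID",
                         "eduPersonPrincipalName", "eduPersonUniqueId"}


def apply_merge_receipt(users, receipt):
    """Rewrite identifiers of the deleted account to those of the kept account.

    users:   list of records, each {"ids": {attr: value}, "roles": set()}
    receipt: list of {"attribute": attr, "old": value, "new": value}
    Returns a summary; raises ValueError if the store violates uniqueness.
    """
    summary = {"updated": 0, "merged": 0, "skipped": 0}
    for change in receipt:
        attr = change["attribute"]
        if attr not in IDENTIFIER_ATTRIBUTES:
            raise ValueError(f"unexpected identifier attribute: {attr}")
        old_recs = [u for u in users if u["ids"].get(attr) == change["old"]]
        new_recs = [u for u in users if u["ids"].get(attr) == change["new"]]
        if len(old_recs) > 1 or len(new_recs) > 1:
            # Identifier attributes must be unique; never guess which record to touch.
            raise ValueError(f"{attr} is not unique in the user store")
        if not old_recs:
            # Deleted account never used this service, or an earlier change in
            # this receipt already moved (or merged away) its record.
            summary["skipped"] += 1
            continue
        old = old_recs[0]
        if new_recs and new_recs[0] is not old:
            # User had used both accounts here: keep the surviving record and
            # carry the deleted account's privileges over to it.
            new_recs[0]["roles"] |= old["roles"]
            users.remove(old)
            summary["merged"] += 1
        else:
            old["ids"][attr] = change["new"]
            summary["updated"] += 1
    return summary


def sample_store():
    # Constructed records; identifier values are made up, not real edu-ID data.
    return [
        {"ids": {"eduPersonPrincipalName": "old-account@eduid.example",
                 "swissEduPersonUniqueID": "111@eduid.example"}, "roles": {"course-editor"}},
        {"ids": {"eduPersonPrincipalName": "kept-account@eduid.example",
                 "swissEduPersonUniqueID": "222@eduid.example"}, "roles": {"student"}},
    ]


SAMPLE_RECEIPT = [  # constructed receipt: deleted-account value -> kept-account value
    {"attribute": "eduPersonPrincipalName", "old": "old-account@eduid.example", "new": "kept-account@eduid.example"},
    {"attribute": "swissEduPersonUniqueID", "old": "111@eduid.example", "new": "222@eduid.example"},
]
```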

Author: Lukas Hämmerle

I'm a member of the SWITCHaai team, the Swiss edu-ID team and task leader in the GÉANT project.

One thought on “There Can Be Only One!”

  1. From the user’s point of view in step 3: what does “identity data from the other account will be merged if possible” actually mean? Will there be services that can no longer be accessed? In the section “Please read before you continue” it is not explained what the first sentence. You describe some of those side effects later here in the blog entry but the user does not know nor can he understand the implications of this merge.

    I think step 3 should be more clear on what actually happens and which services might be affected.
