Versions Compared

Version Old Version 2 New Version Current
Changes made by

carsi_pku_team

carsi_pku_team

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents

SP技术调试前(Before technical debug)

...

        CARSI可向应用资源供以下用户信息:(CARSI provides the following user information to SP:)

1)用户所属大学域名,如pku1)用户所属大学域名,如pku.edu.cn。cn。

1)The domain name of the user's university, such as http:// pku.edu.cn .

2)用户唯一id:唯一代表用户,永久有效,可读性差,不是学工号,可用于用户追查。学工号是很重要的个人隐私信息,在学校内权限很大,不建议SP资源使用。北京大学CARSI项目组在指导学校部署IdP服务时,会提醒在本地安装数据库,保留pairwise-id或eptid和学工号的对应关系。

...

1)用户首次访问应用资源。(CARSI user accesses SP resources for the first time.)

        如应用资源采用手机号、邮箱等作为主键,建议在用户首次通过CARSI访问应用资源时进行二次信息采集。由应用资源系统自动创建新账户,自动生成密码,自动代替用户在应用系统登录。应用资源系统中的用户名、密码为后台数据,不公开给用户,以确保学校CARSI认证是CARSI用户的唯一登录入口,不可跳过CARSI登录直接登录应用资源。身份证号属于高度敏感个人隐私信息,非必要不采集、不使用。如应用资源采用手机号等作为主键,建议在用户首次通过CARSI访问应用资源时进行二次信息采集。由应用资源系统自动创建新账户,自动生成密码,自动代替用户在应用系统登录。应用资源系统中的用户名、密码为后台数据,不公开给用户,以确保学校CARSI认证是CARSI用户的唯一登录入口,不可跳过CARSI登录直接登录应用资源。身份证号、邮箱、通讯地址属于个人敏感信息,不建议采集。

If the SP resource uses the mobile phone number or email address as the primary key, it is recommended to collect secondary information when the user accesses the SP resource through CARSI for the first time. The SP resource system automatically creates new accounts, generates passwords, and logs in to the application system on behalf of users. The user name and password in the SP resource system are background data and are not disclosed to users, so as to ensure that the CARSI authentication of the school is the only login entry for CARSI users. You cann’t skip CARSI login to directly log in to SP resources. The ID number is highly sensitive personal privacy and isn’t necessary National ID numbers、emails and addresses are personal private data and aren’t recommended to be collected or used.

2)用户后续访问应用资源。(Users access SP resources later.)

...

For accessing the SP resource again, after the user completes CARSI authentication and the SP resource receives the user's successful authentication response, the SP resource completes the local login and  SP checks the access rights on behalf of the user, and the user directly enters the post-authorization page.

3)CARSI用户绑定应用资源本地已有账号。3)CARSI用户绑定应用资源本地已有账号。(CARSI user has a local account bound to SP resources.)

        如果应用资源希望CARSI新用户和本地已有账号建立绑定关系,如保留已有用户的使用记录等个性化信息,请在用户首次通过CARSI登录访问应用系统时完成账号关联,同时取消原账号的直接登录应用系统的权限,不可再通过应用系统修改已有账号密码,以确保学校已采购的资源使用权限必须且只能通过CARSI认证后方可进行。如已有账号已经拥有一定的应用资源访问权限(如已交费),请在用户绑定时明确提示用户已有个人使用权限和机构权限的不可兼得,并在系统中提供“解绑CARSI”功能,在用户成功解绑后,恢复密码修改权限和个人已购使用权限。

...