CARSI基本调试要求(CARSI Basic Debugging Requirements)

SP技术调试前(Before technical debug)

开始调试前请仔细阅读:(Please read carefully before starting debugging)

1. CARSI基本调试要求:(CARSI basic debugging requirements)

1.1 应用资源产品形态确认(1.1 Confirming the Product modality of SP resource)


SP need to plan the Product Modality of joining CARSI products in advance, such as PC, client , and mobile terminal (App, wechat mini program, wechat public account, and mobile browser). When doing technology debugging,SP need to consider the product modality that supports CARSI access and clearly stated in the CARSI User Visit Guide.

1.2 CARSI可提供的用户身份信息(1.2 User Identity Information from CARSI)

        CARSI可向应用资源供以下用户信息:(CARSI provides the following user information to SP:)


1)The domain name of the user's university, such as .


2)User unique id: only represent the user, permanent valid, poor readability, not student ID, can be used for user tracing. Student ID is a very important personal privacy information, the school has a large authority, it is not recommended to use. When guiding schools to deploy IdP services, PKU CARSI team will remind to install the database locally and retain the correspondence between pairwise-id or eptid and student ID.


3)User identity: faculty, staff, student, alum, member, affiliate, employee, and other. The above values are standard values. Suggesting SP check them when authorizing users. To ensure consistency with the scope of services for which the university has signed a purchase contract. If SP intends to focus on developing customers in higher education, it is recommended to provide exclusive service content or discounts for CARSI users that are superior to market policies.


4)Other user information can be collected twice when the user logs in and accesses the application system through CARSI for the first time.

2. CARSI账号和应用资源本地账号的绑定(Binding a CARSI account to a local account of SP resources)


Before starting technical debugging with PKU CARSI team, the debugging engineer should confirm the unique identification of the user identity of the SP resources (primary key). SP resource join CARSI requires certain technical development, which mainly focuses on establishing the corresponding relationship between CARSI user id (pairwise-id or eptid) and local user identity unique identifier (primary key), and authorizing users according to the local user identity. The internal management of SP resourceS for a type of user is based on the primary key, the universitY to which the user belongs, and the user identity.SP need to process according to the following scenarios:

1)用户首次访问应用资源。(CARSI user accesses SP resources for the first time.)


If the SP resource uses the mobile phone number or email address as the primary key, it is recommended to collect secondary information when the user accesses the SP resource through CARSI for the first time. The SP resource system automatically creates new accounts, generates passwords, and logs in to the application system on behalf of users. The user name and password in the SP resource system are background data and are not disclosed to users, so as to ensure that the CARSI authentication of the school is the only login entry for CARSI users. You cann’t skip CARSI login to directly log in to SP resources. The ID number is highly sensitive personal privacy and isn’t necessary to be collected or used.

2)用户后续访问应用资源。(Users access SP resources later.)


For accessing the SP resource again, after the user completes CARSI authentication and the SP resource receives the user's successful authentication response, the SP resource completes the local login and  SP checks the access rights on behalf of the user, and the user directly enters the post-authorization page.

3)CARSI用户绑定应用资源本地已有账号。(CARSI user has a local account bound to SP resources.)


If SP resources want to bind new CARSI users to existing local accounts, such as retaining personalized information such as usage records of existing users, please complete the account association when users log in to the application system through CARSI for the first time, cancel the permission of the original account to directly log in to the application system, and cannot change the password of the existing account through the application system. To ensure that the right of the purchased resources must and can only be certified through CARSI. If an existing account already has rights to SP resources (such as paid ), please clearly remind the user that the existing personal access rights and institutional access rights cann’t be combined,and provide the "unbind CARSI" function in SP system. After the user is successfully unbound, SP restores the password changing rights and individual purchasing rights.