CARSI Basic Debugging Requirements

Before SP technical debugging

Please read carefully before starting debugging:

1. CARSI basic debugging requirements

1.1 Confirming the product form of the SP resource

        The SP must decide in advance in which product forms the resource joining CARSI will run, such as PC web, desktop client, and mobile (mobile app, WeChat mini program, WeChat official account, mobile browser). During technical debugging, every product form that is to support CARSI access must be covered, and the supported forms must be stated explicitly in the CARSI user access guide.

1.2 User identity information CARSI can provide

        CARSI can provide the following user information to the SP resource:

1) The domain name of the user's university, such as pku.edu.cn.

2) Unique user id: it identifies the user uniquely, is permanently valid and is not human-readable; it is not the student/staff number. The SP cannot map it to a person on its own, but the user's university can, so misuse can still be traced to an individual through the university. The student/staff number is sensitive personal information that carries broad privileges inside the university, so SP resources are advised not to use it. When the PKU CARSI team guides a university in deploying its IdP, it reminds the university to install a local database that keeps the correspondence between the pairwise-id or eptid and the student/staff number.

3) User identity (affiliation): faculty, staff, student, alum, member, affiliate, employee, other. These are the standard values. SPs are advised to check the value when authorizing a user, so that access stays within the scope of services covered by the purchase contract signed with the university. Companies that intend to focus on higher-education customers are encouraged to talk to the PKU CARSI team and offer CARSI faculty and students exclusive services or discounts that are better than their standard market terms.

4) Other user information can be collected in a secondary collection step when the user first logs in to and accesses the application system through CARSI.

2. Binding a CARSI account to a local account of the SP resource

        Before starting technical debugging with the PKU CARSI team, the debugging engineer must decide what the SP resource uses as the unique identifier (primary key) of a user. Connecting an SP resource to CARSI requires some development work, mainly establishing the correspondence between the CARSI user id (pairwise-id or eptid) and the local unique user identifier (primary key), and authorizing users based on the local user identity. Inside the SP resource, a class of users is managed by the resource's primary key, the university the user belongs to and the user's identity (affiliation). The SP resource must handle each of the following scenarios separately:

1) The user accesses the SP resource for the first time.

        If the SP resource uses a mobile phone number, email address or similar as the primary key, it is recommended to perform secondary information collection when the user accesses the resource through CARSI for the first time. The SP system then creates the new account automatically, generates the password automatically, and logs the user in to the application automatically. The user name and password in the SP system are back-end data and are not disclosed to the user, which ensures that the university's CARSI authentication is the only login entry for CARSI users; it must not be possible to bypass CARSI and log in to the SP resource directly. The national ID number is highly sensitive personal information: do not collect or use it unless strictly necessary.

2) The user accesses the SP resource again later.

        On subsequent visits, once the user has completed CARSI authentication and the application has received the successful authentication response, the application completes the local login on the user's behalf, checks the user's access rights and takes the user directly to the post-authorization page.

3) Binding a CARSI user to an existing local account of the SP resource.

        If the SP resource wants a new CARSI user to be bound to an existing local account, for example to retain personalized information such as the existing user's usage history, complete the account association when the user first logs in to the application through CARSI. At the same time, revoke the original account's permission to log in to the application directly and disallow changing the existing account's password through the application, so that the usage rights the university has purchased can be exercised only after CARSI authentication. If the existing account already has its own access rights to the SP resource (for example, it has paid), clearly tell the user at binding time that personal access rights and institutional access rights cannot be combined, and provide an "unbind CARSI" function in the system; after the user successfully unbinds, restore the ability to change the password and the user's individually purchased access rights.
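The three scenarios above, together with the affiliation check from section 1.2, worked out as an added example. This is illustrative code written for this page, not CARSI's or any SP's implementation. The SAML attribute names (schacHomeOrganization, pairwise-id, eduPersonTargetedID, eduPersonScopedAffiliation), the CONTRACTS table, the in-memory user store and all function and class names are assumptions; the check that the affiliation scope equals the home domain is an addition, not something the page states.

```python
from __future__ import annotations
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

# Standard affiliation values from section 1.2.
STANDARD_AFFILIATIONS = {"faculty", "staff", "student", "alum",
                         "member", "affiliate", "employee", "other"}
# Constructed sample: affiliations covered by each university's contract.
CONTRACTS = {"pku.edu.cn": {"faculty", "staff", "student"}}

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class LocalAccount:
    primary_key: str                    # the SP's own key (phone, email, ...)
    salt: bytes
    pw_hash: bytes
    carsi_id: Optional[str] = None      # pairwise-id / eptid once bound
    password_login_enabled: bool = True  # False also means: no password change via the app
    personal_entitlement: bool = False       # individually purchased access
    institutional_entitlement: bool = False  # access under the university contract

class SPUserStore:
    # In-memory stand-in for the SP's user table (assumption).
    def __init__(self) -> None:
        self.by_key: dict[str, LocalAccount] = {}
        self.by_carsi: dict[str, LocalAccount] = {}

    def create(self, key: str, password: str, personal: bool = False) -> LocalAccount:
        salt = secrets.token_bytes(16)
        acct = LocalAccount(key, salt, _hash_pw(password, salt), personal_entitlement=personal)
        self.by_key[key] = acct
        return acct

def parse_carsi_attributes(attrs: dict) -> tuple[str, str, str]:
    """Return (home domain, unique id, affiliation). Attribute names are assumptions;
    use the names your SP actually receives."""
    domain = attrs["schacHomeOrganization"]
    carsi_id = attrs.get("pairwise-id") or attrs.get("eduPersonTargetedID")
    if not carsi_id:
        raise ValueError("IdP released no unique user id")
    affiliation, _, scope = attrs["eduPersonScopedAffiliation"].partition("@")
    # Added check: a scope that differs from the home domain is not to be trusted.
    if scope != domain:
        raise ValueError(f"affiliation scope {scope!r} does not match {domain!r}")
    if affiliation not in STANDARD_AFFILIATIONS:
        raise ValueError(f"non-standard affiliation {affiliation!r}")
    return domain, carsi_id, affiliation

def authorized(domain: str, affiliation: str) -> bool:
    """Section 1.2: only affiliations inside the university's contract get access."""
    return affiliation in CONTRACTS.get(domain, set())

def carsi_login(store: SPUserStore, attrs: dict, new_key: Optional[str] = None,
                bind_to: Optional[tuple[str, str]] = None) -> LocalAccount:
    """Map a successful CARSI authentication to the local account to log in as.
    new_key: primary key from secondary collection (scenario 1).
    bind_to: (primary_key, password) of an existing local account (scenario 3)."""
    domain, carsi_id, affiliation = parse_carsi_attributes(attrs)
    if not authorized(domain, affiliation):
        raise PermissionError(f"{affiliation}@{domain} is outside the contract scope")
    acct = store.by_carsi.get(carsi_id)
    if acct is not None:                          # scenario 2: returning user
        return acct
    if bind_to is not None:                       # scenario 3: bind existing account
        key, password = bind_to
        acct = store.by_key[key]
        if acct.carsi_id is not None or not secrets.compare_digest(
                _hash_pw(password, acct.salt), acct.pw_hash):
            raise PermissionError("cannot bind: wrong password or already bound")
    else:                                         # scenario 1: first access
        if new_key is None or new_key in store.by_key:
            raise ValueError("secondary collection must supply an unused primary key")
        # The generated password is stored hashed and never shown to the user.
        acct = store.create(new_key, secrets.token_urlsafe(32))
    acct.carsi_id = carsi_id
    acct.password_login_enabled = False           # CARSI is the only login entry
    acct.institutional_entitlement = True
    store.by_carsi[carsi_id] = acct
    return acct

def unbind_carsi(store: SPUserStore, key: str) -> LocalAccount:
    """'Unbind CARSI': restore direct login and the user's own purchased rights."""
    acct = store.by_key[key]
    if acct.carsi_id is None:
        raise ValueError("account is not bound to CARSI")
    del store.by_carsi[acct.carsi_id]
    acct.carsi_id = None
    acct.password_login_enabled = True
    acct.institutional_entitlement = False
    return acct

def has_access(acct: LocalAccount) -> bool:
    """Rights are not combined: while bound only the institutional right counts;
    after unbinding the personal right applies again."""
    return acct.institutional_entitlement if acct.carsi_id else acct.personal_entitlement
```

The point worth checking in your own implementation is the ordering inside carsi_login: the affiliation is validated and authorized before any account is looked up or created, the generated password for a first-time user never leaves the server, and binding to an existing account requires proving possession of that account's password before its direct login is switched off.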

 

Copyright © Computer Center, Peking University