User creation strategies
This package provides various strategies to customize how users from the
Helmholtz AAI are added to the application. As soon as a user has been added,
we save the unique identifier (eduperson_unique_id) and the user will be
mapped to the same django user on each login via the helmholtz AAI.
However, the question is how users are added to the application. We face two challenges here:
how to map users from the helmholtz AAI to existing users in Django (in case your application existed already prior to using django-helmholtz-aai)
how to handle the change of login providers in the helmholtz AAI? One person can have multiple accounts in the Helmholtz AAI (one via OrcID, one via GitHub). So what shall we do, when the user logs in from different accounts in the Helmholtz AAI
There are a variety of strategies to tackle these two challenges and we desribe them in the following section.
Core concept
We distinguish two major cases:
the email of the user does not exist in our database
When the email exists already, we have the following options:
create-newWe create a new user of the application
no-newWe tell the user that a login is not
manualWe ask the user to tell us an existing email in the application and verify the login
the email of the user exists already in our database
When the associated user account already has an associated
eduperson_unique_id, we can eitherupdate this
eduperson_unique_idand delete the old one,create an entirely new account,
let the user decide, whether he wants to update the existing account or create a new one,
or prevent the user from logging in.
When the user does not already have an associated
eduperson_unique_id, we can eitherassociate the new
eduperson_unique_idwith the django user,prevent the login,
let the user decide, whether he wants to update the existing account or create a new one,
or create an entirely new account.
A combination of these choices describe the strategy that you can set via the
HELMHOLTZ_CREATE_USERS_STRATEGY. We do not yet cover all
possible combinations of the above scenarios. In general, the strategy is a
combination of up to three strings, the default is
["create-new", "no-map", "no-duplicated-helmholtz"], which implements that
we create new users, but we prevent creation of new users when there is already
a user with the same email. Another common strategy will be simply
["create-new"] which will always create new user accounts for each user in
the Helmholtz AAI.
Implemented strategies
Not all strategies are implemented yet, but the following setups can be used:
Description |
Implementation |
|
|---|---|---|
'create-new'
|
always create new users:
|
|
'create-new',
'no-duplicated-helmholtz',
'no-map'
|
Create new users, when the email does not yet exist
|
|
'create-new',
'duplicate-helmholtz',
'map-existing'
|
Map helmholtz users to existing users, but create new users when they have been mapped already
|
|
'create-new',
'map-existing',
'remap-helmholtz'
|
Map helmholtz users to existing users, and update the user when the user logs in from another account in the Helmholtz AAI
|
|
'create-new',
'duplicate-helmholtz',
'no-map'
|
Prevent an update of existing users, but allows duplicated users in the Helmholtz AAI
|
|
'manual-new',
'map-existing',
'no-duplicated-helmholtz'
|
Map users where possible, or let the user decide, whether he wants to update an existing user. But prevent an update of existing helmholtz users.
|
|
'no-new'
|
Prevent any unknown user
|
|
'map-existing',
'no-duplicated-helmholtz',
'no-new'
|
Prevent new users or duplicated helmholtz accounts, but map where possible
|
|
'map-existing',
'no-new',
'remap-helmholtz'
|
Prevent new users, map where possible and update existing helmholtz accounts
|
|
'duplicate-helmholtz',
'no-map',
'no-new'
|
Prevent new users or updating existing standard django users, but allow creating new helmholtz users for existing helmholtz members
|
|