|
| 1 | +# Technical Documentation: Internal Placeholder Identifier |
| 2 | + |
| 3 | +The **Internal Placeholder Identifier** feature allows institutions to bridge the gap between their local identity management systems and the external eduID ecosystem. It enables "Pre-Provisioning," where an institution can assign roles and rights to a user in their internal systems *before* that user has accepted an invitation or linked their eduID. |
| 4 | + |
| 5 | +## 1. Functional Overview |
| 6 | + |
| 7 | +An institution can associate a local, internal ID (e.g., a staff number or temporary registration ID) with an invitation. When the user accepts the invitation, this identifier is used to synchronize the account with the institution’s downstream systems. Once the connection is established, the system transitions to using the permanent eduID identifier for all future updates. |
| 8 | + |
| 9 | +--- |
| 10 | + |
| 11 | +## 2. API Specification (`POST /api/external/v1/invitations`) |
| 12 | + |
| 13 | +The Invitation API supports two mutually exclusive methods for specifying recipients. You must use **either** the standard `invites` list **or** the `invitesWithInternalPlaceholderIdentifiers` list. |
| 14 | + |
| 15 | +### Request Constraints |
| 16 | + |
| 17 | +* **Mutually Exclusive:** Do not populate both arrays in a single request. |
| 18 | +* **Requirement:** At least one email address must be present in one of the two arrays. |
| 19 | +* **Labeling:** This field is explicitly named `internalPlaceholderIdentifier` in the API and UI to encourage its use as a transient "stand-in". |
| 20 | + |
| 21 | +### Request Body (`InvitationRequest`) |
| 22 | + |
| 23 | +| Attribute | Type | Description | |
| 24 | +| --- | --- | --- | |
| 25 | +| `invites` | Array (String) | Standard email list for users without pre-provisioned internal IDs. | |
| 26 | +| `invitesWithInternalPlaceholderIdentifiers` | Array (Object) | List of objects containing `email` and `internalPlaceholderIdentifier`. | |
| 27 | +| `intendedAuthority` | String | Authority level of the inviter (e.g., `"INVITER"`). | |
| 28 | +| `roleIdentifiers` | Array (Int) | List of Role IDs to be granted upon acceptance. | |
| 29 | + |
| 30 | +#### Example Payload: Pre-Provisioning Invitation |
| 31 | + |
| 32 | +```json |
| 33 | +{ |
| 34 | + "intendedAuthority": "INVITER", |
| 35 | + "message": "Welcome. Your account is ready for activation.", |
| 36 | + "language": "en", |
| 37 | + "guestRoleIncluded": true, |
| 38 | + "invitesWithInternalPlaceholderIdentifiers": [ |
| 39 | + { |
| 40 | + "email": "new_hire@institution.edu", |
| 41 | + "internalPlaceholderIdentifier": "STF-2024-9901" |
| 42 | + } |
| 43 | + ], |
| 44 | + "roleIdentifiers": [99], |
| 45 | + "roleExpiryDate": 1760788376, |
| 46 | + "expiryDate": 1730461976 |
| 47 | +} |
| 48 | + |
| 49 | +``` |
| 50 | + |
| 51 | +--- |
| 52 | + |
| 53 | +## 3. Provisioning & Lifecycle Logic |
| 54 | + |
| 55 | +### Phase 1: Initial Provisioning (SCIM POST) |
| 56 | + |
| 57 | +When the user accepts the invitation, the system sends a SCIM `POST /v1/Users` message to the institution's provisioning endpoint. The `internalPlaceholderIdentifier` is sent as the `id` in this message. |
| 58 | + |
| 59 | +### Phase 2: Identifier Transition |
| 60 | + |
| 61 | +The system will use the `id` returned by your SCIM server in the response to that initial POST for all future updates (e.g., role changes or group memberships). This allows the institution to replace the temporary placeholder with a permanent identifier (such as a UUID or eduID URN) for all subsequent SCIM messages. |
| 62 | + |
| 63 | +### Phase 3: Logging |
| 64 | + |
| 65 | +The system logs the specific moment when the `id` changes from the placeholder to the permanent identifier to maintain a clear audit trail. |
| 66 | + |
| 67 | +--- |
| 68 | + |
| 69 | +## 4. Privacy & Data Governance |
| 70 | + |
| 71 | +| Question | Detail | |
| 72 | +| --- | --- | |
| 73 | +| **Is it personally identifiable?** | Yes. Because the institution provides this identifier from its own systems (e.g., a student ID), it is **directly traceable** to a person within that institution. | |
| 74 | +| **Where is it stored?** | It is stored within the invitation metadata and temporarily in the SCIM provisioning layer until the permanent ID replacement occurs. | |
| 75 | +| **Who has access?** | Access is restricted to authorized administrators within the Invite API and the technical logs during the transition phase. | |
| 76 | +| **Is it shared globally?** | No. This is an **institution-specific** identifier. It is used to bridge internal systems and is not known to other applications or institutions within the wider eduID ecosystem. | |
| 77 | + |
| 78 | +--- |
| 79 | + |
| 80 | +## 5. Summary of Benefits |
| 81 | + |
| 82 | +1. **Combined Processes:** Allows the combination of legacy manual assignments with modern external identities like eduID. |
| 83 | +2. **Internal Abstraction:** When used with the Institution-Information API during authentication, internal systems can continue to use their own identifiers, keeping the external eduID identifier abstracted away from most applications. |
| 84 | +3. **Day-One Readiness:** Users gain access to necessary roles immediately upon their first login. |
0 commit comments