USER PERSPECTIVE ON CHANGES FOR OPENID
Draft 1
December 1, 2015

This brief document explains our current thinking on how the integration of OpenID would work in the EBMS and, hopefully, in other Drupal-based systems. By "user" we mean both board member users, who now use eDir authentication, and OCE staff who register or modify user accounts.

Currently, NIH offers Google as the only choice for OpenID logins. There may (or may not) be other offerings in the future. If others are added, some of what is written below may need to be expanded. Hopefully, very few or no modifications will be required.

As in the current system, a user who logs in with OpenID will only be able to log in that way. Accounts can be converted from one login type to another, and possibly from one OpenID type to another in the future, but no user will be able to log in by more than one method.

Gathering OpenID Information for Existing Users
-----------------------------------------------

The first step would be for OCE staff to gather Google account email addresses from board members. Each board member would be asked to provide an email address that Google recognizes as an account identifier. This might be a gmail address but could be any email address that the user has used when creating a Google account. It may or may not be an address the member uses for any other purpose. Users without Google accounts would each have to create one in order to have a login. The Google account email address will not become a permanent part of the EBMS.

The programmers will provide a spreadsheet containing, for each active user, columns for the internal Drupal user ID number, the user name, and an empty column for the Google account email address. Staff members would need to fill out the spreadsheet by asking board members for their Google account email addresses. Board members should not be asked for, and should not provide, passwords; only the email address is needed, since the password is entered at Google and never handled by OCE staff or the EBMS.

When all email addresses (or as many as can be hoped for) are collected, we would install the OpenID logins.

Installing the OpenID Logins
----------------------------

ODDC and CBIIT staff will run a script to install the new email addresses in the system and install the new software. The system would be down, probably for an hour or more, for the installation, and would probably remain closed to outside users until testing shows that everything is okay.

New Login Behavior
------------------

Depending upon what cookies may be on the user's machine, when the system comes up the login behavior would change as follows.

A user enters the system URL, https://ebms.nci.nih.gov. Instead of the current login screen, a new screen is displayed, not from the EBMS but from the NIH "iTrustGateway", as is now the case for SSO users. The user will see an Account Type selection with two choices:

+ HHS Staff
+ Social Login/OpenID

Internal staff would most likely use HHS Staff. Board members would most likely use OpenID.

For OpenID users, a new menu would appear. At the current time the only available selection is "Google". The user will enter his email address and password, and authentication will take place at Google, at NIH, and in the EBMS, leading the user to his EBMS landing page.

The existing eDir-based authentication will be gone.

Adding New Users
----------------

The spreadsheet conversion would only be for a mass, one-time conversion of users from eDir to OpenID. From then on, new users would be created by an OCE staff member with the authority to "administer people" in the EBMS. The staff member would have three choices for creating a new user:

+ Add OpenID user
+ Add NIH SSO user
+ Add user

This is the same as now except that "OpenID" replaces "eDir". Data entry for OpenID will be the same as for eDir except that the field currently labeled

    User eDir DN  ____________________________

will be replaced by

    OpenID account E-mail address  ____________________________

Converting Users from One Type to Another
-----------------------------------------

The current method for editing users will be the same as before except that, instead of offering an option to convert a non-eDir user to eDir, there will be an option to convert a non-OpenID user to OpenID. Only the new OpenID account email address will need to be supplied.