Third Party UCInetIDs

Summary: Information about Third Party UCInetIDs: how they are created and deleted, and how web applications can use them.

What are Third Party UCInetIDs?

Third Party UCInetIDs are a special class of UCInetIDs given to users who are not already in the UCI Directory. They let WebAuth-enabled applications keep using WebAuth while granting access to people who do not need full accounts.

Some examples of how they might be used are:

Information or Account Access: A student might want to give a third party access to their bill in order to pay it. An application can let the student grant that access to a Third Party UCInetID once it has been created.

Protocol Requirements: A professor from another university working here might need to satisfy some protocol requirements locally. A testing system that uses WebAuth can let them do so.

How are Third Party UCInetIDs created?

Third Party UCInetIDs are created by the users themselves through a web form that collects identity information about the user and verifies their email address through a two-step process.

The following information is collected about the user: first name, last name, date of birth, last 4 digits of SSN, phone, email, explanation of request (pull-down menu), password, password reset question/answer, and verbal identification question/answer.

The verbal identification question/answer is a way for telephone support staff to verify the identity of a user. Because the answer is effectively being used as a password, access to it must be strictly controlled: the question and answer are exposed only to specifically authorized users through a web application.

When an account has not been used for an extended period of time, an email will be sent to ask if the account is still needed.

What are their specifications?

  • Like every UCInetID, each Third Party UCInetID will have a CampusID.
  • The ID itself is the verified email address (e.g. “third.party@gmail.com”).
    • Third Party UCInetIDs are limited to 64 characters in length.
    • The only verified information about the account is the email address.
    • Eventually there will be a tool to change the email address while keeping the same CampusID.
    • In the Kerberos database the “@” is replaced, but nothing should interact with that principal name directly.
  • Third Party UCInetIDs will be stored in a separate Kerberos KDC and realm (TPID.UCI.EDU).
  • Third Party UCInetIDs will only be available to WebAuth enabled web applications that have registered with OIT to be able to use them.
  • No email forwarding or mailbox services will be provided for Third Party UCInetIDs.

LDAP Specifications

  • If LDAP access is needed for Third Party UCInetID information, access must be requested from OIT.
  • The uid, ucinetid and mail attributes are all set to the email address.
  • Third Party UCInetID information may take 2 hours (during business hours) or longer (outside business hours) to appear in LDAP, so do not rely on an LDAP lookup immediately after an account is created. (Accounts are immediately usable, with full information provided, through WebAuth.)

How do Web Applications use Third Party UCInetIDs?

Only applications that have registered with OIT to use Third Party UCInetIDs can obtain Third Party UCInetID information through WebAuth. If a user with a Third Party UCInetID tries to access an application that has not registered, webauth_check returns the error message “This ucinetid_auth is valid. However you do not have access to see the user information.” instead of the user's information, and your application should treat that as a failed lookup rather than as an authenticated user.

To apply for access, a web developer should email OIT@UCI.EDU with the name of the application, its URL and the list of IP addresses of its servers.

When handling authorization, grant it based on the CampusID rather than the UCInetID itself: a Third Party UCInetID is an email address that may later be changed while the CampusID stays the same.

Once registered, all WebAuth interactions should happen as they normally would.

Because Third Party UCInetIDs have a different format from regular UCInetIDs (they are email addresses), any application that allows access to Third Party UCInetIDs should customize its WebAuth login page to tell users what their login is; this reduces unnecessary calls to the Help Desk.
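The following is an added example, not code from the original page or from OIT. It shows an authorization store keyed on CampusID, as recommended above, beside the fragile alternative of keying on the UCInetID string, which for a Third Party account is an email address that may later change. It also shows how to detect the webauth_check “you do not have access” message so an unregistered application fails closed. The identity records, the CampusID values and the BillAccessGrants API are constructed for illustration; the page does not describe the layout of the webauth_check response, so the records are assumed to have already been extracted from it.

```python
from __future__ import annotations

# Exact text the page says webauth_check returns when the application has not
# registered with OIT to use Third Party UCInetIDs.
WEBAUTH_NOT_REGISTERED = ("This ucinetid_auth is valid. However you do not have "
                          "access to see the user information.")
MAX_TPID_LEN = 64  # length limit for Third Party UCInetIDs stated on the page


class NotRegisteredForThirdPartyIDs(Exception):
    """webauth_check accepted the cookie but refused to release user data."""


def check_webauth_response(raw_text: str) -> str:
    """Fail loudly instead of treating the 'no access' message as a user."""
    if WEBAUTH_NOT_REGISTERED in raw_text:
        raise NotRegisteredForThirdPartyIDs(
            "register this application with OIT before accepting Third Party UCInetIDs")
    return raw_text


def is_third_party_id(ucinetid: str) -> bool:
    """Third Party UCInetIDs are verified email addresses; regular ones are not."""
    return "@" in ucinetid


def validate_third_party_id(ucinetid: str) -> str:
    """Reject values that cannot be a Third Party UCInetID before storing them."""
    if not is_third_party_id(ucinetid):
        raise ValueError("not a Third Party UCInetID: no '@'")
    if len(ucinetid) > MAX_TPID_LEN:
        raise ValueError(f"Third Party UCInetID exceeds {MAX_TPID_LEN} characters")
    return ucinetid


class BillAccessGrants:
    """Which CampusIDs may see a student's bill, keyed on CampusID on both sides.

    Hypothetical API for this example: a later change of the third party's
    email address (same CampusID) neither revokes nor misroutes the grant.
    """

    def __init__(self) -> None:
        self._grants: dict[str, set[str]] = {}

    def grant(self, student_campus_id: str, grantee_campus_id: str) -> None:
        self._grants.setdefault(student_campus_id, set()).add(grantee_campus_id)

    def revoke(self, student_campus_id: str, grantee_campus_id: str) -> None:
        self._grants.get(student_campus_id, set()).discard(grantee_campus_id)

    def is_allowed(self, student_campus_id: str, identity: dict) -> bool:
        # Authorize on the authenticated CampusID, never on the login name.
        return identity["campus_id"] in self._grants.get(student_campus_id, set())


def demo() -> dict:
    """Grant a third party access, then change that account's email address."""
    # Constructed identity records; the CampusID values are not real.
    student = {"ucinetid": "panteater", "campus_id": "10000001"}
    parent_before = {"ucinetid": "third.party@gmail.com", "campus_id": "90000042"}
    parent_after = {"ucinetid": "third.party@example.org", "campus_id": "90000042"}
    stranger = {"ucinetid": "someone.else@example.org", "campus_id": "90000099"}

    validate_third_party_id(parent_before["ucinetid"])

    grants = BillAccessGrants()
    grants.grant(student["campus_id"], parent_before["campus_id"])

    # The fragile alternative: a grant list keyed on the UCInetID string.
    grants_by_login = {student["campus_id"]: {parent_before["ucinetid"]}}

    return {
        "campusid_before_change": grants.is_allowed(student["campus_id"], parent_before),
        "campusid_after_change": grants.is_allowed(student["campus_id"], parent_after),
        "campusid_stranger": grants.is_allowed(student["campus_id"], stranger),
        "login_before_change": parent_before["ucinetid"] in grants_by_login[student["campus_id"]],
        "login_after_change": parent_after["ucinetid"] in grants_by_login[student["campus_id"]],
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {allowed}")
```

Running the script shows the CampusID-keyed grant surviving the email change while the login-keyed grant silently stops matching; check_webauth_response is the place to wire in the error-message check before any user record is parsed.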