MyAcademicID integration

Levels of estimated error severity

Critical

This severity level implies that the process has completely shut down and no further action is possible.

MAJOR

This is a significant flaw that causes the system to fail. However, certain parts of the system remain functional.

MEDIUM

This flaw results in unfavorable behavior but the system remains functioning.

LOW

This type of flaw won’t cause any major breakdown in the system.


List of identified issues in this category

Description

MyAcademicID requires several attributes to be released. If your identity provider doesn't release them, you won't be able to log in. You can perform a test on https://myacademicid.devtest.eduteams.org/sp/ to see which attributes are missing. You can also use a browser extension, like SAML-tracer, to debug and see what exactly your identity provider is sending to MyAcademicID.

Estimated severity

Critical

Examples

 

Suggested action

Your identity provider should release all required attributes.

How communicated

Shared in email correspondence with providers.

Description

This issue might be relevant to you if you use CAS (https://github.com/apereo/cas). Version 6.6.8 introduced a bug where the Address attribute in SubjectConfirmationData started to contain a hostname instead of an IP address, which violates the SAML2 specification and breaks the integration with MyAcademicID. Up to version 6.6.7, this attribute wasn't sent at all, which was OK because it is optional.

Estimated severity

Critical

Examples

<saml2:SubjectConfirmationData Address="proxy.prod.erasmus.eduteams.org"
    InResponseTo="id-YvP0PC2XE8gCoC3uH"
    NotOnOrAfter="2023-09-19T14:34:16.985Z"
    Recipient="https://proxy.prod.erasmus.eduteams.org/saml2sp/acs/post"
/>

Suggested action

If you use CAS and the issue is still not fixed, downgrade to version 6.6.7. There is also going to be a configuration option named skipGeneratingSubjectConfirmationAddress (https://apereo.github.io/cas/6.6.x/services/SAML2-Service-Management.html), which could be used as a workaround, but at the time of writing it is still not officially released.
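To check whether your identity provider is affected, you can run a SAML response captured with SAML-tracer through a small script like the one below. This is an added example, not code from CAS or MyAcademicID; the function names, verdict strings and sample documents are constructed for illustration, and the sample is modelled on the fragment shown under Examples.

```python
import ipaddress
import xml.etree.ElementTree as ET

SAML2_NS = "urn:oasis:names:tc:SAML:2.0:assertion"


def sample(address_attr):
    """Constructed test document (not real IdP output); address_attr may be ''."""
    return (
        f'<saml2:SubjectConfirmation xmlns:saml2="{SAML2_NS}">'
        f"<saml2:SubjectConfirmationData {address_attr} "
        'InResponseTo="id-YvP0PC2XE8gCoC3uH" '
        'NotOnOrAfter="2023-09-19T14:34:16.985Z" '
        'Recipient="https://proxy.prod.erasmus.eduteams.org/saml2sp/acs/post"/>'
        "</saml2:SubjectConfirmation>"
    )


def check_confirmation_addresses(xml_text):
    """Return [(address, verdict)] for every SubjectConfirmationData element.

    Verdicts: 'ok-omitted' (attribute absent, as CAS <= 6.6.7 behaved),
    'ok-ip' (IPv4 or IPv6 literal), 'invalid-not-ip' (hostname or other text).
    """
    # A SAML message never needs a DTD; refuse it rather than expand entities.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("DOCTYPE not allowed in SAML input")
    root = ET.fromstring(xml_text)
    results = []
    for scd in root.iter(f"{{{SAML2_NS}}}SubjectConfirmationData"):
        address = scd.get("Address")
        if address is None:
            verdict = "ok-omitted"
        else:
            try:
                ipaddress.ip_address(address)
                verdict = "ok-ip"
            except ValueError:
                verdict = "invalid-not-ip"
        results.append((address, verdict))
    return results


if __name__ == "__main__":
    for attr in ('Address="proxy.prod.erasmus.eduteams.org"',
                 'Address="192.0.2.10"', ""):
        print(check_confirmation_addresses(sample(attr)))
```

Any 'invalid-not-ip' result means the response has the problem described above.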

How communicated

Shared in email correspondence with providers.

Description

When creating the account, the email automatically forwarded from MyAcademicID to the Registration Portal is the old inactive one, not the current email.

Estimated severity

Critical

Examples

 

Suggested action

A user likely had this email address when first logging in via MyAcademicID. It doesn't update automatically afterward, regardless of what CAS sends. However, it can be changed manually. MyAcademicID support provided these instructions for changing the email address.

You can change your email on MyAcademicID from your profile page by following these steps:

  • Go to: https://profile.myacademicid.org/profile.

  • After logging in, you should see a navigation menu on the left with your profile selected.

  • On the right, you should see your account information: your name and email.

  • Click "Change" next to your email.

  • In the popup, enter the new email you want to use and request the change.

  • Check your mailbox for a verification email with a link.

  • Click the link to confirm the change.

  • The email change is now confirmed.

How communicated

Shared in email correspondence with providers.