Is D2L's username unique across different domains?

[alle...@myblueprint.ca]

As title, this is for SSO integration, we need to be able to uniquely identify the users.

I know that the usernames are not shared for the domains I'm testing with but is it possible for two domain to share the same user account such as

testuser1 can login to

testsite1.desire2learn.com

as well as

testsite2.desire2learn.com

? In this case, is the user the same or different?

[Desire2Learn Staff: Viktor]

The username property for a user is unique, as far as the LMS is concerned, only within the bounds of the org. If the client site is doing user auth with the LMS itself, the username cannot at all be guaranteed to be unique in any space outside the LMS. If the client site is doing user auth by having the LMS use some other Identity Provider for authentication (for example, a CAS or SHibboleth integration, or similar), then it is possible that a single username might have wider uniqueness (within the federation of services that defer user auth to this IDP, for example), but the LMS really has no way of knowing or assuring this. Therefore LMS 1 and LMS 2 have no real way of guaranteeing that username LindsaySmith is the same person identity, or not, as on the "other" LMS.

If both the LMSes defer to an off-board IDP to do user auth, then you might make the understood assumption, by convention, that LIndsaySmith's user identity in LMS 1 and LMS 2 both point to the same person, but that would only be a business rule established by convention.

[alle...@myblueprint.ca]

Thanks for the confirmation, so as far as SSO integration with potentially multiple LMS is concerned, the username of the user should be considered unique in each individual LMS. 

A followup question then, is about the sub domain created by the school board. In the testing environment our partner provided to us, it seems that the test environment has exactly the same LMSID as the parent domain. However, I'm unable to login with my testing domain account into the parent domain. Does this mean that it is the domain that should be used to uniquely identify the account, not the LMSID?

In addition, when signing up an application key in the keytool, there's an option of Universal Type. We're wondering how it can be utilized, since the host of where you use the ID/key set makes the difference as well?

[Desire2Learn Staff: Sarah-Beth]

An important thing to understand is that the LMSID is independent of the domain. So, while the LMSID is often modeled after the domain (LMSID = yourschool.desire2learn.com Domain = https://yourschool.desire2learn.com) there is no requirement for them to match (LMSID could = yourLMS.desire2learn.com Domain could = https://yourSCHOOL.desire2learn.com). Similarly, the LMSID could be identical between two different domains or instances. (LMSID = yourschool.desire2learn.com, Domain1 = https://testschool.desire2learn.com Domain2 = https://yourschool.desire2learn.com)

So to answer your question around LMSID vs Domain for identifying the source/scope of a user account, it is indeed not the LMSID. The domain is the pointer to the instance where that account is in scope.

To answer your question around Universal apps, you are correct in that the burden of specifying LMSIDs is removed, and that is because these App ID\Key pairs are distributed to all instances. However, due to their widely distributed nature, Universal apps are only available for Desire2Learn-developed solutions or for solutions developed by Desire2Learn Partners, depending on their partnership level. (See Partners Program for more detail: http://www.desire2learn.com/partners/network-details.) If you have an existing Partnership agreement with Desire2Learn, you can speak to your Partner Program contact for detail as well.