Generally speaking, a unique ID system ensures that a person has only one unique ID for an organization even if the person is represented in multiple roles, such as an individual who is both a staff member and parent at a school.
Many organizations have an existing implementation of a unique ID system. The Ed-Fi ODS / API does not replace an organization’s unique ID system. Instead, it provides clear extension points for platform developers to integrate with their existing system, while also providing clients with a standardized API for integrating identity management into their applications.
The Ed-Fi ODS / API provides two points of integration with unique ID systems. The first integration point provides a means for the API to validate the unique ID values being supplied by clients, and the second is an optional set of endpoints for clients to create and retrieve unique IDs for person records including students, staff, and parents.
The Ed-Fi ODS / API ships without unique ID validation. In the as-shipped distribution, its identity management endpoints are configured to return a
501 - Not Implemented response. Integration development work is required to connect to an enterprise unique ID system. This documentation contains conceptual and how-to material about connecting to an existing unique ID system.
Unique ID System Integration Models
When planning an API implementation, platform hosts must select an approach that best serves their enterprise's needs: an integrated unique ID system model (shortened to "integrated model," below), or a non-integrated unique ID system model ("non-integrated," below).
Within the integrated model, there are two facets: unique ID validation and identity management. Minimally, support for validation is expected. Optionally, the platform host may also choose to support the identity management endpoints.
Model 1. Integrated Unique ID System Model
This model is suitable when an external system, often a commercial product, is the authoritative source for unique IDs and can be wired into the ODS / API. In this model, an external unique ID system always defines the unique ID for students, staff, and parent entities and clients are expected to pass valid unique IDs to the ODS / API.
Distinguishing characteristics of this model include:
- Unique IDs are established outside the context of the ODS / API by the external unique ID system.
- Client applications are expected to supply valid unique IDs to the ODS / API. To accomplish this they may either:
- Use the Ed-Fi
/identitiesendpoint to search identities and create new unique IDs as necessary.
- Follow a process defined outside the scope of the ODS / API to obtain appropriate unique ID values.
- Use the Ed-Fi
- When new person-entities are created in the ODS / API, the existence of the unique ID is validated against the external system automatically. Client applications do not define the unique ID values.
This model can support fully integrated unique ID management, but it does make some assumptions about the system flow. An outline of an expected system flow follows.
Client-Side ID Lookup in the Integrated Model
When the ODS / API platform supports an integrated model with identity management for establishing a unique ID, client applications will need some process for looking up that unique ID value. This section provides a system flow that most clients will follow to look up a unique ID through the Ed-Fi ODS / API.
The unique ID for a person can be obtained from the
/identities endpoints in the Ed-Fi ODS / API (documented online here). The workflow for clients to create and obtain IDs are described below. For the purposes of this example, the workflow will focus on the use case of creating a new student record, but the same general flow applies to staff and parent records.
It is assumed that once a unique ID is obtained by a client, it will be stored in client applications as a way to easily sync data between the client and platform from that point forward.
A description of each step follows.
- Step 1. Execute a GET
/identitieswith the first name, last name, sex, and date of birth.
- Step 2. Show the scored results to the user to let them select the correct identity.
- Step 3. Create a new identity using POST
/identitiesif the user indicates an appropriate match does not already exist.
- Step 4. Save the resulting unique ID value in the client application for use when sending the person's data to the Ed-Fi ODS / API.
Now that a unique ID has been obtained, it can be used by clients in bulk and transactional operations when referring to that student.
When a client application creates a student record, the client won't be able to retrieve or update that student until it has established a relationship with that student. That relationship is created by adding an entry to the studentSchoolAssociations resource under an LEA to which the client application has access. Similarly, when a client application creates a staff record, the client won't be able to retrieve or update that staff record until it adds an entry to the staffEducationOrganizationAssignmentAssociations or staffEducationOrganizationEmploymentAssociations resources under an LEA to which the client application has access.
Model 2. Non-Integrated Unique ID System Model
This model is suitable when platform hosts choose not to wire in or link to an external unique Id system. In this model, platform hosts provide guidance to clients on how to acquire or assign a unique ID out of band. A common approach is to instruct clients to acquire a unique ID from an enterprise system and subsequently pass that value to the ODS / API when creating new person entities.
Distinguishing characteristics of this model include:
- Client applications are responsible for populating the unique ID for person entities.
- The API performs no validation on the incoming unique IDs during person entity creation — unique ID values are treated as just another data element for the purposes of creation (though uniqueness is enforced by the API).
This model requires no system integration work from a platform host, but it relies on specific guidance being provided to client application developers.
Integration Model Comparison
The above models are fundamentally different for the platform host. But, from a client system perspective, the change is limited to whether or not the values that the client application supplies for the unique IDs are validated against an external system. In some scenarios, the client could conceivably be responsible for assigning the unique ID value, but exactly how that value should be derived should be agreed upon with the host.
Key Integration Steps for Unique ID Validation
Implement the Unique ID to Id Value Mapper
IUniqueIdToIdValueMapper interface enables the API to use the supplied unique ID value to resolve and assign the resource identifier (
Id) property of the person entity appropriately. Implicit in that interaction with the external system is a validation that the supplied unique ID already exists.
The personType argument in the two methods defined by the interface will contain one of the following values upon invocation: Student, Staff, or Parent. In some integrations, this distinction may not be relevant and the argument can be ignored.
Upon return, the
Usi property is not used and can be left as the default value (0).
Enabling the Unique Id Integration for Validation
The unique ID system integration feature is enabled using the
uniqueIdValidation:featureIsEnabled configuration setting in the Web.config file of the EdFi.Ods.WebApi project. While this registers and configures all the supporting components for performing unique ID validation, the custom implementation of the
IUniqueIdToIdValueMapper will still need to be registered with the container separately, as shown below:
Technical Details of How Unique ID Integration Works
UniqueIdIntegrationInstaller class makes the necessary modifications to adjust the API to operate in an integrated fashion with the external Unique ID system. Specifically, that installer performs the following tasks:
- Registers the
IUniqueIdToIdValueMapperso that IDs and Unique IDs can be retrieved from the external system.
- Registers the
IPersonUniqueIdToIdCachewith an implementation that caches the
Idmappings and calls the value mapper only when needed (for performance reasons).
- Registers a decorator for the
IPutPipelineStepsProviderwhich inserts a
PopulateIdFromUniqueIdOnPeoplestep in the processing of all PUT/POST requests just prior to persisting the entity model. This step only engages on person-type entities, but then it looks for an uninitialized
Idproperty on the entity and calls the aforementioned
IPersonUniqueIdCacheto obtain the corresponding
Idfor the supplied
UniqueIdvalue. It then marks this
Idas server-assigned to allow the API to create the resource if needed. (This is because v3.x of the Ed-Fi ODS/API no longer allows clients to assign IDs — they are now either assigned via UniqueId integration or they are initialized automatically during NHibernate persistence).
- Registers two entity validators (which are executed just prior to NHibernate persistence):
EnsureUniqueIdAlreadyExistsEntityValidator. This validator relies on the presence of the PopulateIdFromUniqueIdOnPeople step (which ensures the
Idproperty is properly initialized even if the entity hasn't been persisted yet). When UniqueId integration is configured, if the
Idhasn't been assigned by the time the entity is being validated (just prior to NHibernate peristence), then it is an indication that the UniqueId could not be resolved in the PopulateIdFromUniqueIdOnPeople step and a validation error is raised.
UniqueIdNotChangedEntityValidator. This validator also relies on the presence of the
PopulateIdFromUniqueIdOnPeoplestep (which ensures the
Idproperty has a relevant value before the entity is persisted the first time), and looks up the
UniqueIdvalue returned from the cache should match the value actually assigned on the incoming entity. If it doesn't match, it indicates that the client is effectively trying to change the
UniqueIdvalue (through a PUT request), and a validation error is raised.
Key Integration Steps for Identity Management
Integrating your unique ID system with the Ed-Fi ODS / API requires a custom implementation of the
IIdentityService interface. When properly registered, this code is called for each of the
/identities API calls received by the Ed-Fi ODS / API.
The EdFi.Ods.Api project contains the definitions for all artifacts (e.g., interfaces, requests, responses) related to identity management integration. The placeholder implementation of the
IIdentityService interface is located in the same project in the EdFi.Ods.Api.Services.Controllers.Identity namespace.
The identities are represented by the
IdentityResponse class, as follows:
|UniqueId||The human-readable unique identifier for the person. While the UniqueId is represented as a string in the interface, the Ed-Fi ODS Database limits the length of the UniqueId to 32 characters.|
|Score||A number indicating the level of confidence with the provided match. Higher numbers are more confident. Some systems use the number of standard deviations from normal (sigma) and others use a 0 to 100 scale. In other systems, the number is relative to the result set provided and has no relevance outside of one query. This is an implementation-specific detail that would be relayed to a human user of the system for resolution.|
|LastSurname||A space-delimited list of all the family names associated with a person. In some Hispanic and other traditions this may be both parents' surnames (e.g., Hermanez Gonzalez). In some Asian and other traditions, the surname may be provided first for each child.|
|FirstName||The person's given first name.|
|MiddleName||The person's given middle name, if available.|
|GenerationCodeSuffix||The suffix applied to the person's name (e.g. Jr., III, Esquire).|
|SexType||The natural sex of the person at the time of their birth.|
|BirthDate||The date on which the person was born.|
|BirthOrder||The birth order, if known, among the person's sibling group.|
|BirthLocation||The details on the location where the person was born (city, state / province and country).|
|Dynamic Members||An optional set of additional data defined by the external unique ID system, and made available through the Ed-Fi identities API. This could contain a list of third-party identifiers (e.g., local education organization identifiers, driver's license, teaching certificate number) that could be used to further distinguish a person. These additional identifiers should only be stored if they are used as a matching criteria by the native unique ID system.|
Enabling the Identity Management API Endpoints
The identity management feature is enabled using the "identity:featureIsEnabled" configuration setting in the Web.config file of the EdFi.Ods.WebApi project. While this registers and configures all the supporting components for the API endpoints, the custom implementation of the
IIdentityService will need to be registered with the container separately.
- No labels