Skip to main content
Skip table of contents

How do I work with VerifID

The UK federation and Jisc are running a service called VerifID which allows staff and students from qualifying institutions to get discounts at various retailers. See: https://www.ukfederation.org.uk/content/Services/2020-01-07-VerifID

This page covers how to make sure you're set up to help your users get these discounts.

Prerequisites

  1. You need to be in the UK Access Management federation. Check this under Management > Connections and look in the federations section

What you need to check (or change)

Step 1

The first thing to check is your attribute release policy: Preferences > Attribute release.

Look first at the default policy at the top of the page. What you want to see there are green 'pills' with a tick that include role and Targeted ID. If you see those, go to step 2

If you don't see them, click on the add policy button and start typing VerifID - select it when you see it.

From the list of attributes you see, find and click on Role and Targeted DI to turn them green and show a tick.

Click on done on the policy, and then save at the top of the page.

List of released attributes under the 'Default release policy'. Four attributes are shown - 'Pairwise ID', 'Targeted ID', 'Role' and 'Entitlement'. 'Targeted ID' and 'Role' are highlighted.

or

The button 'Add a resource policy' has been clicked, showing a search field and a list of policies that match the search term 'verifid'.

 + 

List of released and unreleased attributes under a policy called 'VerifID'. The attributes 'Targeted ID' and 'Role' are selected for release. All other attributes are currently not selected. Following the list are buttons labeled 'Done', 'Cancel' and 'Advanced'.

Step 2

Next thing is to look at your permission sets. Are they assigned in a way that can tell the difference between staff and student? The reason for this is that the role you released in step 1 is defined by permission sets:

Yes, I already split my permission sets by staff and student

That's good news - you already have everything you need, and may already be set up for this.

  • List your permission sets (Resources > Permission sets)

  • For as many permission sets as it takes to cover all staff (might only need one), select it in the list to open up the details and switch to the attributes tab.

    • Look at the role - there's a drop down of choices, and if it doesn't already say staff, change it to staff.

    • Attributes tab of a permission set called 'Staff'. It shows fields called 'Role' (which is currently set to 'staff') and 'Entitlement' (besides which is a button to add a resource). At the top of the page is a button marked 'Save changes'.

    • Save changes and repeat as necessary

  • Do the same for students  

  • Make yourself a nice cup of tea - you're done


I don't currently have different permission sets for staff and students

What you need to do here depends on if you are using OpenAthens accounts, or have connected a local directory. A way to tell is to go to reports.openathens.net  and look at the Accounts > Totals report. If mostly listed as 'Personal' then you're using OpenAthens accounts. If they're mostly listed as a name your IT team might have come up with, then you're using local accounts.

In both cases you'll need to add two permission sets (Resources > Permission sets > Add), one for staff, one for students, and on the attributes tab of both select the appropriate role.

Controls for creating a new permission set. There are two mandatory text fields - 'Description' and 'Name'. In the 'Name' field, the account prefix is already filled in. There is also a field labeled 'Role', which is currently set to 'student'. At the bottom are 'Create' and 'Cancel' buttons.

I’m using OpenAthens accounts

I can tell staff and student apart by group, or other factor such as email

If your staff are in a group...

  1. Accounts > List

  2. From the group button, select the group that represents staff (if you have multiple groups, you may have to repeat this)

  3. Use the select all option (to the far left of the group button)

  4. From the actions button that has appeared, select the allocate permission sets option

  5. Tick your staff permission set and then allocate

'Group' selector, open to show the options of filtering by a named group, filtering by 'Accounts not in a group', or searching for a group.
Account multi-selector, open to show the options 'None', 'All those shown' and 'All'.
List of accounts, in which several accounts are ticked. The 'Actions' menu is open to show available actions. The action 'Allocate permission sets' is highlighted.
List of permission sets. One is called 'Default permission set' and has a 'default' label. Others are called 'Chemistry', 'Physics', 'Staff' and 'Stellar cartography' (the last is marked 'expired'). Beside each permission set are the numbers of users and resources to which it is assigned. There is also a button labeled 'Create'.

Then repeat for students (do staff first because they are usually the smaller group and it probably leaves 'everything else' to be assigned to student)

If your staff have different distinguishing features, use search. This example assumes staff have a slightly different email domain:

  1. Click on 'Advanced' next to the search box at the top of the page

  2. Set the options as

    1. Live accounts

    2. Include all  types of accounts

    3. me and all my sub-organisations

    4. Only show results where...

  3. It's at this point you pick your distinguishing attribute or attributes. Let's assume for this example that student emails are all something@institution.ac.uk and staff are all something@staff.inst.ac.uk. For this you would choose where Email address matches staff.inst.ac.uk

  4. From the result list, select all and then use the actions button to assign your staff permission set as above

Advanced account search. There are options to search 'all accounts', 'live accounts', 'currently expired accounts' or 'accounts expiring between (specified dates)'. There is an option to include 'activated accounts', 'non-activated accounts' and 'banned accounts' in the search. There are also options to search for accounts based on their owner (either 'just me' or 'me and all my sub-organizations') and to return results where attributes match specified criteria.

Then do similar for the students (e.g. search for institution.ac.uk, or -staff.inst.ac.uk). 

I can't tell staff and student apart by any existing means

You will need to identify one of the two groups manually and add them to a group (a group is suggested because they can only be in one group, and there's a 'not in a group' option to identify the others). Identifying staff accounts is likely to be the easier option.

For each staff account, either open up the details, go to the account tab and use the group button at the top of the page... or select them in the list and use the actions menu. Once you've identified all staff this way you can use the group method above.

Account details for an inidividual user. The 'Group' drop-down list is sent to 'Staff'.

I’m using a local directory

I can tell staff and student apart by some factor

Use this information to assign the staff or student permission sets as covered in Permission set rules.

I can't tell staff and student apart at the moment

You'll need to speak to your IT people to find out which user attribute or claim can do this, then have them identify it to you and ensure it is available to you. Then you can proceed as above.

What to do if I'm stuck...

If a nice cup of tea hasn't helped, our service desk will be able to. 

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close