What happens when an AAF User moves from one institution to another, e.g. from the University of Sydney to the University of Canberra. In particular, how does a Service Provider determine that the user is the same user in their application, i.e. has the same profile and access permissions, when they log in with a new AAF Identity Provider?

Most services will see an event of a user that moves from one institution to another as a new user logging in. Their identifying attributes will change including their email address, eduPersonPrincipalName, eduPersonTargetedID and auEduPersonSharedToken values. The one attribute that most likely will not change is their eduPersonORCID.

For End Users

The eduPersonORCID is an attribute created and owned by the user and it's in their own best interest to ensure they provide their ORCID to their institution whenever they move institutions. 

For IdP Admins

At the moment not all institutions are providing their user's ORCID's as an attribute and not all users have an ORCID. We are working with our subscribers to ensure they provide a user's ORCID if the user has one. We are also working with our subscribers to help them encourage all researchers to get an ORCID.

Given not all users will have an ORCID, but the ORCID is the only reliable attribute not to change value when a user changes institutions you should be collecting their ORCID's and one of the other institutional identity attributes. If a new user logs in with an ORCID that you already have then it is the same person and you can map the two identities together.