Topics Map > University of Chicago > IT Services > Accounts, Identity, & Security

Directory Access - Temporary Accounts (T-9s)

This article explains how individuals with temporary accounts may avoid an error to use the online Directory to search.

Temporary accounts (also known as "t-9" accounts) are part of the Trusted Agent Program (TAG), a program which provisions limited services through various University organizations. Because individuals with Temporary accounts are doing the work of the University in some capacity, but are not directly employed by the University, Temporary accounts receive a subset of services through TAG necessary to enable them to perform their various job-related duties and functions. One of the services that Temporary account users do not have is logged in Directory access, although Temporary account users can access the online Directory by remaining logged out; attempting to access the Directory under certain conditions will result in an error and inability to use the online Directory.

What is the error?

Individuals with Temporary accounts cannot access the Directory to perform a general (non-logged in) search in a single browser session, even when they leave the Directory site.

How do I avoid this error?

Individuals with Temporary accounts do not have the ability to authenticate (log in) to the online Directory to search, but individuals with Temporary accounts do have the ability to perform a general search using the online Directory only under the following conditions:

  • That they do not log in to the Directory, and
  • That they have not tried to log in to the Directory recently, i.e., within a single browser session.

To avoid this error: the first and easiest solution is to use the Directory without signing in; that is, do not select the Sign In button if you are logged in to other University applications. As long as you have not already tried to log in to the Directory within a single browser session, you will be able to use the Directory to perform a general search or non-logged in search.

If you have tried to sign in to the Directory already: You must either a) exit your browser session completely, so that your browser closes, or alternatively b) clear your browsing history/data.

Why does this error occur?

This error occurs because of the way in which certain applications (like myUChicago), using what's known as Single Sign-On or Shibboleth technology, recognize the account privileges (that is, what sites the University says you are allowed to access in your job role) of individuals with Temporary accounts. Through Single Sign-On (SSO) or Shibboleth technology, users can securely access multiple University applications by using their log in credentials (account ID and password) only once. When an individual uses Single Sign-On or Shibboleth-enabled applications (ESS, myUChicago, the online Directory, etc.), that individual can automatically access the other "Single Sign-On" or Shibboleth-enabled University services the University says she can use without needing to enter her account ID and password again--hence the term "Single Sign-On." Note that access to some Shibboleth-enabled applications does not mean you can access all Shibboleth-enabled applications. The online Directory is one of the applications Temporary accounts are not allowed to fully access. In other words, Temporary account users cannot access the online Directory by logging in, although Temporary account users can access the online Directory by remaining logged out, which will allow them to generally search the Directory.

For these reasons, when an individual with a Temporary account attempts to log in to the Directory by selecting the grey Sign In button, if she is already signed into other Shibboleth-enabled University applications which required her credentials (account ID and password) once, then selecting Sign In will result in an “Error.” This is because the application (the Directory) will be attempting to log in an account type (Temporary) through Single Sign-On or Shibboleth that the University says does not have logged-in Directory access as a service.

These are workaround solutions to avoid any applications from “remembering” through Single Sign-On that you are signed in with your Temporary account elsewhere, so that when you go to the Directory to search, you are able to perform a general search and will not receive an “Error” message.

For more information on what services are available to Temporary accounts, please see the Trusted Agent (TAG) Program Handbook page or contact your Trusted Agent.




Keywords:"directory search" "shibboleth error" "can't sign in to directory" t-9 t9 tag   Doc ID:37177
Owner:Astrid F.Group:University of Chicago
Created:2014-01-29 13:31 CSTUpdated:2015-04-30 06:28 CST
Sites:University of Chicago, University of Chicago - Sandbox
Feedback:  0   0