...
He proves his identity with his passport by clicking Undeclared Attestations > ID document > ReadID and following the on-screen instructions. (Because Bob may not have the ReadID app on his phone, the page should also include a link to the app in the app stores alongside the QR code.) Following the instructions, he scans the presented QR code and downloads the application onto his mobile device (if he already has the application, e.g. from a previous session, he can skip the download step). He opens the application, is instructed to use it to scan his passport (PassportProof), and receives confirmation that 'vetting is in process'.
Bob also provides his ORCID ID (ORCIDProof) and confirms his name and email by logging in to ORCID, which also confirms that he possesses the ORCID credentials.
Later that day Alice, the vetting portal credential manager (RARA), receives a notification that a new applicant request is pending. She opens the admin portal https://ra.incubator.geant.org/ with her staff1/staff1 credentials and searches for the applicant.
She makes contact with Bob using a video chat app and the data shown under Unapproved Claims > ReadID (no photo is displayed: for data-protection reasons the photo from Bob's passport is not retrieved from ReadID), verifies that the holder of the identity document corresponds to the living Bob (FaceMatch), checks that the document is valid, and confirms the claim by clicking "approve". (Open question: at this point she could also ask Bob to provide a TOTP code.) Since access to stored climate documents is subject to very strict checks (to prevent rogue history revisionists), she also checks Bob's ORCID ID (ORCIDProof) via Unapproved Claims > ORCID by following the link to Bob's ORCID page. Having confirmed that he has a convincing academic record in the field, in line with the MCAS Admittance Policy, she clicks "approve", attesting within the admin portal that Bob's data is correct and that he meets the admittance criteria.
...
The IdP used by the MCAS portal can confirm Bob's identity and that he is entitled to access the MCAS by invoking the JSON API https://app.incubator.geant.org/rest.php?id=<USER ID>, e.g. https://app.incubator.geant.org/rest.php?id=1. Since the user ID is a plain numeric identifier that is trivial to enumerate, this endpoint should be reachable only by the IdP (over TLS, with the IdP authenticated to it), not by arbitrary clients.
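As an added example (not code from the GÉANT incubator portal or from any IdP), the following shows how an IdP could consume this API and derive an access decision that fails closed unless every required attestation has been approved by the RA. The URL is the one above; the JSON response shape, the claim names as JSON keys, and the status values ("pending", "approved") are assumptions made for this example, and the sample responses are constructed, not real portal output.

```python
"""Entitlement check an IdP could run against the vetting portal's JSON API.

The response schema used here is an assumption for this example; the real
rest.php output was not available when this was written.
"""
import json
from urllib.parse import urlencode
from urllib.request import urlopen

API_BASE = "https://app.incubator.geant.org/rest.php"  # endpoint from the story

# Attestations that must all be approved before MCAS access is granted.
# Claim names follow the story (PassportProof, ORCIDProof); the JSON keys
# and status vocabulary are assumed.
REQUIRED_CLAIMS = ("PassportProof", "ORCIDProof")


def build_url(user_id):
    """Build the lookup URL, refusing anything that is not a positive integer
    so a caller cannot smuggle extra query parameters into the request."""
    if isinstance(user_id, bool) or not isinstance(user_id, int) or user_id < 1:
        raise ValueError("user_id must be a positive integer")
    return API_BASE + "?" + urlencode({"id": user_id})


def fetch_user(user_id, fetch=None):
    """Return the parsed JSON record for user_id.

    `fetch` lets callers (and tests) inject a canned response instead of
    performing a live HTTPS request.
    """
    url = build_url(user_id)
    if fetch is None:
        with urlopen(url, timeout=10) as resp:  # live call over TLS
            return json.loads(resp.read().decode("utf-8"))
    return json.loads(fetch(url))


def is_entitled(record, required=REQUIRED_CLAIMS):
    """True only if every required claim is present and marked approved.

    Anything missing, pending or rejected denies access (fail closed).
    """
    claims = {c.get("type"): c.get("status") for c in record.get("claims", [])}
    return all(claims.get(name) == "approved" for name in required)


# Constructed sample responses (not real portal output) for the two states
# in the story: passport vetting still in process, and fully approved by Alice.
SAMPLE_PENDING = json.dumps({
    "id": 1, "name": "Bob", "email": "bob@example.org",
    "claims": [
        {"type": "PassportProof", "status": "pending"},
        {"type": "ORCIDProof", "status": "approved"},
    ],
})
SAMPLE_APPROVED = json.dumps({
    "id": 1, "name": "Bob", "email": "bob@example.org",
    "claims": [
        {"type": "PassportProof", "status": "approved"},
        {"type": "ORCIDProof", "status": "approved"},
    ],
})


def check(user_id, canned):
    """Look up user_id using a canned response and return the access decision."""
    return is_entitled(fetch_user(user_id, fetch=lambda url: canned))


if __name__ == "__main__":
    print("pending  ->", check(1, SAMPLE_PENDING))   # False
    print("approved ->", check(1, SAMPLE_APPROVED))  # True
```

The decision is deliberately all-or-nothing over the required claims: a record with ORCIDProof approved but PassportProof still "pending" is denied, matching the story's rule that both the identity-document vetting and the ORCID check must have been signed off by the RA before Bob is admitted.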