...
Each of the core mainframe systems has its own internal identifier which we store in affiliates_db for cross referencing. We have an internal primary key for each person as well as a table for mapping targeted IDs to our internal ID. Our targeted IDs are UUIDs and therefore not based on any other user attributes. UCNETIDs are also loaded into affiliates_db from a UCOP file dump. SSNs are used internally for matching but not exposed to the broader campus.
SSO
In order to receive a single sign-on account, employees and students must first self register using data from the payroll and student systems. For employees, this creates a mainframe (RACF) account and links it to their (hopefully) singular affiliates_db record. Students get a kerberos account instead of a mainframe account. Either account is separate from the Active Directory system.
...