FAQs: Identities

  • What is an identity?
  • How and why do I link and unlink identities?
  • How do I change my primary identity?
  • What types of Globus identities are there?
  • What does 'PROVIDER_SPECIFIC_ID_CONFLICT' mean and how do I fix it?

What is an identity?

An identity is a logical representation of a principal (user, service, system, etc.) that is managed by an identity provider, and can be used to grant access to resources to that principal.

More commonly, a user’s identity can be thought of as their 'account' with a given identity provider - such as their university or employer.

Globus users make use of their identities with various identity providers to access the various resources that are made available via the Globus service.

How and why do I link and unlink identities?

Many users have more than one identity that they wish to use with the Globus service. Rather than having to log out / log in each time they wish to make use of one of their identities, it can be helpful for users to simply link their identities together. A collection of identities so linked is called an identity set.

When a Globus user links their identities together into a single identity set, they can, while logged in to the Globus service, access resources that are available to any of their linked identities. See note below.

Note

When attempting to access High Assurance resources, users may be prompted to log in again using the credentials for the identity granted access to the resource so as to meet login session requirements.

A Globus user can see the identities in their identity set by navigating to the Settings page and then selecting the Account tab.

From the Account tab, a Globus user can remove identities from their identity set (unlink them) by clicking on the 'Manage Identities' button, and then clicking the trashcan icon for identities they wish to unlink.

It is important to remember that this action merely unlinks the identity in question from your identity set. The unlinked identity is not deleted.

Alternately, a Globus user can add new identities to their identity set (link them) by clicking on the 'Link Another Identity' button, and then following the flow to link the new identity.

How do I change my primary identity?

In order to change your primary identity, you must first unlink all linked identities from it.

Once that has been done, log out of the Globus service, and then log back in using the identity you wish to be your new primary identity.

Finally, link your various identities to your new primary identity.

What types of Globus identities are there?

There are 3 broad categories of identities supported by the Globus service: login, non-login, and email. When looking at your identity set in the Account tab of the Globus webapp Settings page, you can click on an identity to see what type it is. The different types of identities have different levels of functionality with regard to how they can be used with the Globus service.

Login Identities

These can log in to the Globus service, and are thus eligible to be used with the full array of Globus products and services. Naturally, this means they can also be used to access mapped collections and guest collections. Only Login Identities can be primary identities in an identity set.

[Screenshot: Example Login Identity]

Non-login Identities

These cannot log in to the Globus service, and thus offer a much more limited range of functionality compared to Login Identities. These can be used to access mapped collections and to access guest collections. Non-login Identities are commonly provided by an OIDC identity provider associated with a Globus Connect Server endpoint, and are linked to a user’s identity set so as to allow the user to access resources on that endpoint using the OIDC identity.

[Screenshot: Example Non-login Identity]

Email Identities

These cannot log in to the Globus service, and are even more limited in function than Non-login Identities. Email Identities can only be used to access guest collections, not mapped collections. Email Identities provide guest collection owners a way to grant access to their collection to a collaborator so long as they know that person’s email address. When a user receives an email invitation to access a guest collection, they can then link to their identity set an Email Identity corresponding to the email address that received the invitation. Once that’s done, the Globus user is then able to access the guest collection using the permissions assigned to the linked Email Identity.

Note

It is important to note that an Email Identity cannot be used to access High Assurance collections, as an Email Identity cannot meet the login session requirements due to being unable to log in to the Globus service.

[Screenshot: Example Email Identity]

What does 'PROVIDER_SPECIFIC_ID_CONFLICT' mean and how do I fix it?

An identity provider will offer up an identifier (depending on the context this can be called a sub claim, ePTID, subject ID, etc.) for each identity it controls, so that other systems can properly recognize and use that identity. The associated claim is meant to be a persistent, non-reassigned, opaque, unique identifier for a user. It is used to protect against username/identity reuse. If the identifier supplied by the identity provider for the identity doesn’t match the identifier that the Globus service expects, then attempts to log in with that identity can produce a PROVIDER_SPECIFIC_ID_CONFLICT error. Such an error may look like this:

"Unable to authenticate with bob@abc.edu. Your identity provider identifies you as 'XXX' but Globus was expecting to see 'YYY'. Please contact support@globus.org or your identity provider for help resolving this error."
Occurred at time:
2025-06-15T18:12:22.961826+00:00
Error ID:
5acc0be633744bbebcb4bb24d9ae6b0c
Error code:
PROVIDER_SPECIFIC_ID_CONFLICT

In this case, the identity provider was offering an identifier of XXX for the identity, but the Globus service was expecting the identifier to be YYY instead. So long as the identifier for that identity being offered by the identity provider and the identifier for that identity expected by the Globus service differ, it will not be possible to log in to the Globus service using that identity.

If you encounter a PROVIDER_SPECIFIC_ID_CONFLICT error when attempting a login flow with the Globus service, you’ll first want to check if the identifier being provided by the identity provider is 'None'. In such a case, you’ll want to make sure that you’re not trying to log in to your identity provider with an email identity, rather than a login identity. This can sometimes happen as part of an email identity linking flow that can be initiated via an invitation to a guest collection that is sent to a user’s email address, rather than their login identity with their identity provider. If you find that this is the case, then you’ll want to reach out to the party that sent you the invitation and ask them to send a new invitation to your login identity with your identity provider, rather than to your email address.

Otherwise, you’ll want to reach out to your organization’s IT staff for further help with addressing this issue, as the assistance of your identity provider admin will be required to ensure that the identifier being offered by your identity provider and the identifier expected by the Globus service match. When reaching out to your identity provider admin, you’ll want to include a copy of the PROVIDER_SPECIFIC_ID_CONFLICT error you received, along with a link to this FAQ, so that your admin will have the needed context to begin to address the issue. In such a case, if you - or your identity provider admin - should require additional support from Globus to achieve a resolution, you’ll want to reach out to Globus Support so we can assist you further.
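
The check and the two-branch triage described above, as an added example that is not Globus code: `check_login` is a simplified, hypothetical model of a service comparing the offered persistent identifier with the one it has on record, and `triage` parses a message in the format of the sample error shown earlier. The function names and the assumption that the identifier is recorded on first use are illustrative only.

```python
import re

# Constructed sample in the format shown above ('XXX'/'YYY' are the page's placeholders).
SAMPLE = ("Unable to authenticate with bob@abc.edu. Your identity provider "
          "identifies you as 'XXX' but Globus was expecting to see 'YYY'.")

PATTERN = re.compile(
    r"Unable to authenticate with (?P<username>\S+)\. "
    r"Your identity provider identifies you as '(?P<offered>[^']*)' "
    r"but Globus was expecting to see '(?P<expected>[^']*)'")


class ProviderSpecificIdConflict(Exception):
    """Offered identifier differs from the one on record for this username."""


def check_login(recorded, username, offered_id):
    """Hypothetical relying-party check, not the Globus implementation.

    `recorded` maps username -> persistent identifier. Assumption: the
    identifier is stored the first time the identity is used.
    """
    expected = recorded.setdefault(username, offered_id)
    if offered_id != expected:
        # Same username, different persistent ID: possible username reuse
        # or an identity provider configuration change. Refuse the login.
        raise ProviderSpecificIdConflict(
            f"Unable to authenticate with {username}. Your identity provider "
            f"identifies you as '{offered_id}' but Globus was expecting to see "
            f"'{expected}'.")
    return True


def triage(error_text):
    """Apply the FAQ's procedure to a conflict message and pick the next step."""
    m = PATTERN.search(error_text)
    if m is None:
        raise ValueError("not a PROVIDER_SPECIFIC_ID_CONFLICT message")
    if m["offered"] == "None":
        # Likely an email identity linking flow started from an invitation.
        action = "request a new invitation addressed to your login identity"
    else:
        action = "send the error and this FAQ to your identity provider admin"
    return {**m.groupdict(), "action": action}
```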
