From an XSEDE perspective, all we care about is that users authenticated using acceptable credentials have an XSEDE identity that can be mapped locally. This design doesn't mention the possibility that an SP may also need to map non-XSEDE OAuth identities to local accounts. We should mention that possibility and that it's out of scope for XSEDE's OAuth mapping capability. Or, the design could suggest that SPs merge XSEDE's OAuth mappings with other mappings before making the mapping file operational.

Good point. I propose updating the design to include the ability for the cron job to merge local "stub" mapfile(s) with the one generated from XCDB to make it easy for SPs to maintain XSEDE+local mappings.

