Enrollment Source Modes

Enrollment Sources are Organizational Identity Source plugins attached to Enrollment Flows. How they are used depends on how they are configured when attached.

To manage Enrollment Sources, edit the desired Enrollment Flow and click Attach Org Identity Sources. (If no Organizational Identity Sources are defined, this button will not be available.) Existing configured Organizational Identity Sources will be available to attach to the Enrollment Flow, with the Mode as follows:

  • Authenticate: For Sources that support interactive authentication (such as via an OAuth flow), the Petitioner will be asked to authenticate at the start of the enrollment in order to link the Source identity.
  • Claim: The Petitioner enters an email address (attached to the Org Identity), which must be verified before Enrollment Sources are queried. An Enrollment Source must be matched before enrollment may proceed. Not currently supported (CO-1280).
  • Identify: Like Authenticate, but performed after email confirmation, and thus suitable for invitation-style enrollments.
  • Search: The Petitioner enters an email address (attached to the Org Identity), which must be verified before Enrollment Sources are queried. For any matching Enrollment Sources, an Org Identity will be created and linked to the CO Person record.
  • Search, Required: As for Search, but if any Required Enrollment Source is not matched, the enrollment will be automatically denied.
  • Select: The Petitioner will be able to select any of the Organizational Identity Sources attached in Select mode, query it, and select any record that is not already linked to an Org Identity. This option is only honored for Enrollment Flows where Enrollment Authorization requires an Administrator (CO, COU, CO or COU). Note that in general any CO or COU admin can query any Org Identity Source, so this setting should not be used as a "secure" way to prevent (eg) COU admins from seeing select backends.
  • None: The Source is not used. (Useful to temporarily disable a Source.)

Unauthenticated Petitioners may not query Organizational Identity Sources.

Enrollment Sources configured in Authenticate, Claim, or Select mode run as part of the Select Org Identity step. If both Authenticate and Claim Sources are configured, Authenticate Sources will be queried first. Select Sources are mutually exclusive with Authenticate or Claim Sources; the Enrollment Authorization (see above) will decide which Sources are queried if more than one type is attached.

Enrollment Sources configured in either Search mode will be queried as part of the Check Eligibility step.

Except for Select Sources, identities linked via Enrollment Sources will not be recorded as the Enrollee Org Identity in the Petition artifact, though the identities will correctly link to the operational record.

Name Verification

As of Registry v3.2.0, Enrollment Sources configured in Search or Search, Required modes can be configured to confirm that the family name received from the Enrollment Source matches the family name of the CO Person in the Petition, via the Verify Family Name setting. Name checks are case insensitive. Any CO Person family name matching any Enrollment Source family name is considered success.
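The following is an added example, not Registry code: a small Python model of the Check Eligibility behavior described above for Search and Search, Required sources, including the Verify Family Name rule. The source names, the record layout, and the handling of a failed name check (reported, record not linked) are assumptions made for illustration.

```python
from dataclasses import dataclass, field

SEARCH, SEARCH_REQUIRED = "Search", "Search, Required"

@dataclass
class Source:
    name: str                     # hypothetical label for an attached source
    mode: str                     # a Mode from the list on this page
    verify_family_name: bool = False
    records: dict = field(default_factory=dict)  # constructed: email -> family names

def family_name_ok(person_names, source_names):
    """Case-insensitive; any CO Person name equal to any source name passes."""
    return bool({n.casefold() for n in person_names} &
                {n.casefold() for n in source_names})

def check_eligibility(sources, email, email_verified, person_family_names):
    if not email_verified:
        raise ValueError("email must be verified before sources are queried")
    linked, name_mismatch, required_unmatched = [], [], []
    for s in sources:
        if s.mode not in (SEARCH, SEARCH_REQUIRED):
            continue              # other modes are not queried in this step
        hit = s.records.get(email)
        if hit is None:
            if s.mode == SEARCH_REQUIRED:
                required_unmatched.append(s.name)
            continue
        if s.verify_family_name and not family_name_ok(person_family_names, hit):
            # Assumption: a failed name check is reported and the record is not
            # linked; the page does not say what Registry does on a mismatch.
            name_mismatch.append(s.name)
            continue
        linked.append(s.name)
    return {"denied": bool(required_unmatched), "linked": linked,
            "name_mismatch": name_mismatch, "required_unmatched": required_unmatched}

# Constructed sample configuration and records
SOURCES = [
    Source("hr", SEARCH_REQUIRED, True, {"pat@example.org": ["O'Neil", "Smith"]}),
    Source("library", SEARCH, True, {"pat@example.org": ["Jones"]}),
    Source("alumni", SEARCH, False, {}),
    Source("ldap", "None", False, {"pat@example.org": ["Smith"]}),
]

def demo():
    return check_eligibility(SOURCES, "pat@example.org", True, ["SMITH"])

if __name__ == "__main__":
    print(demo())
```

In the sample run, the optional "alumni" source returning nothing does not block enrollment, while an unmatched "hr" source (Search, Required) would deny it.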

Considerations When Sources Are Connected to Pipelines

If an Enrollment Source is connected to a Pipeline, Registry will attempt to determine the correct behavior with regard to linking CO Person records.

If the Enrollment Flow is configured in such a way that a CO Person is identified prior to the Enrollment Source being executed (for example if Identity Matching is set to Select), then the Pipeline will use that CO Person instead of creating a new one.

Otherwise, after the Pipeline runs (but before any additional attributes are collected), if the Pipeline created a CO Person that person will be attached to the Petition. In such a configuration, the Enrollment Flow should not collect any Organizational Identity or CO Person attributes, otherwise disconnected identities may be created. (In particular, do not request an Official CO Person Name, as the record will end up with two Primary Names.)

Refreshing After Initial Enrollment

It is possible to configure an Enrollment Flow to query Enrollment Sources after an initial enrollment has taken place. This is useful to (eg) check for subsequent eligibility from an external data source established after initial enrollment. To configure such an Enrollment Flow:

  • Set Identity Matching to Self for self-service or Select for administrator driven enrollment.
  • Set Petitioner Enrollment Authorization appropriately, eg CO Person for self-service or CO or COU Admin for administrator driven enrollment.
  • Attach the relevant Enrollment Sources.
  • Do not add any Enrollment Attributes, unless you wish to collect additional attributes (such as a new email address) to the existing record(s).
    • Warning: Merging attributes into an existing record currently requires Email Confirmation Mode to be set, and for Duplicate Enrollment Mode to be set to Merge.

Refreshing can also be performed via Registry Job Shell.

Note: As of Registry v3.1.0, a simpler user-driven option to refresh attributes is available via Sync on Login.
