Enrollment Sources are Organizational Identity Source plugins attached to Enrollment Flows. How they are used depends on how they are configured when attached.
To manage Enrollment Sources, edit the desired Enrollment Flow and click Attach Org Identity Sources. Existing configured Organizational Identity Sources will be available to attach to the Enrollment Flow, with the Mode as follows:
- Authenticate: For Sources that support interactive authentication (such as via an OAuth flow), the Petitioner will be asked to authenticate in order to link the Source identity.
- Claim: The Petitioner enters an email address, which must be verified before Enrollment Sources are queried. Not currently supported (CO-1280).
- Search:
- Search, Required:
- Select: The Petitioner will be able to select any of the Organizational Identity Sources attached in Select mode, query it, and select any record that is not already linked to an Org Identity. This option is only honored for Enrollment Flows where Enrollment Authorization requires an Administrator (CO, COU, CO or COU). Note that in general any CO or COU admin can query any Org Identity Source, so this setting should not be used as a "secure" way to prevent (eg) COU admins from seeing select backends.
- None: The Source is not used. (Useful to temporarily disable a Source.)
Unauthenticated Petitioners may not query Organizational Identity Sources.
Enrollment Sources configured in Authenticate, Claim, or Select mode run as part of the Select Org Identity step. If both Authenticate and Claim Sources are configured, Authenticate Sources will be queried first. Select Sources are mutually exclusive with Authenticate or Claim Sources, the Enrollment Authorization (see above) will decide which Sources are queried if more than one type is attached.
Enrollment Sources configured in either Search mode will be queried as part of the Check Eligibility step.
Except for Select Sources, identities linked via Enrollment Sources will not be recorded as the Enrollee Org Identity in the Petition artifact, though the identities will correctly link to the operational record.