This document describes the Registry Enrollment mechanism introduced as part of COmanage Registry v0.9.4. For Registry Enrollment in older versions, see Registry Enrollment (Rev 1, Registry 0.9.3 and earlier).
By default, COmanage Registry uses an invitation based workflow.
COmanage Registry can also use customized Enrollment Flows to onboard new people into each organization. Enrollment Flows consists of a series of pre-defined steps, the execution of which is managed by Registry in accordance with the configuration of each specific Flow.
See also: Registry Enrollment Flow Diagram
A step may be considered Required, Optional, or Not Permitted, in accordance with the configuration. A Required step will execute both the core Registry functionality, as well as any Plugins. An Optional step will only execute Plugins, the core functionality will be skipped. Not Permitted means neither core nor Plugin functionality will be executed.
The order steps execute in may vary according to flow configuration.
Some "internal" steps are not documented here.
|Step||Description||Core Step Executes If||Plugins Run If Core Doesn't? (Optional)||Petition Status Following Step||Since|
|start||Initial step of an enrollment flow. The Petition artifact is created following successful completion (including any Plugins) of this step.||Introduction Text is defined||Yes||Created||v0.9.4|
|selectEnrollee||Select an existing identity (CO Person or Org Identity) for this enrollment.||Identity Matching is set to Self or Select||No||Created||v0.9.4|
|selectOrgIdentity||Select an Org Identity via an Org Identity Source for this enrollment.||One or more Enrollment Sources is attached in Search mode, and the petitioner is an admin||No||Created||v2.0.0|
|petitionerAttributes||Collect attributes from the Petitioner.||Any Enrollment Attributes are defined||Yes||Created*||v0.9.4|
|duplicateCheck||Call out to an external Identity Match server||Match Policy is External||Yes||Created||v4.1.0|
|tandcPetitioner||Require agreement to Registry Terms and Conditions.||Terms and Conditions Mode is set to Explicit Consent or Implied Consent, and at least one T&C is Active, and Petitioner Enrollment Authorization is None or Authenticated User.||Yes (if Mode is Explicit Consent or Implied Consent)||Created||v4.1.0|
|sendConfirmation||Send an email to confirm deliverability of Enrollee email address.||Require Confirmation of Email is set||No|
|processConfirmation||Process the response to the email sent in the sendConfirmation step.||Require Confirmation of Email is set||No||Confirmed or Declined||v0.9.4|
The identifier used by the enrollee to authenticate (eg:
Automatic linking for existing identifiers is handled in this step.
|Require Confirmation of Email and Require Authentication are set||No||Confirmed||v0.9.4|
|checkEligibility||Determine if the Enrollee is allowed to enroll, by querying an Organizational Identity Source for eligibility.||One or more Enrollment Sources is attached is attached in Search or Search, Required mode, and the petitioner is not an admin||No||Confirmed or Denied||v2.0.0|
|tandcAgreement||Require agreement to Registry Terms and Conditions.||Terms and Conditions Mode is set to Explicit Consent or Implied Consent, and at least one T&C is Active, and (as of Registry v4.1.0) Petitioner Enrollment Authorization is not None or Authenticated User.||Yes (if Mode is Explicit Consent or Implied Consent)||Confirmed||v4.0.0|
|establishAuthenticators||Allow the Enrollee to set up Authenticators.||Establish Authenticators is set||No||Confirmed||v3.3.0|
|requestVetting||Request Vetting for the Enrollee.||Request Vetting is set||No||Pending Vetting||v4.1.0|
|sendApproverNotification||Notify the approvers configured for the Enrollment Flow that the Petition is read for review and approval.||Require Approval For Enrollment is set||No||Pending Approval||v0.9.4|
|approve||Process Petition approval.||Require Approval For Enrollment is set||No||Approved||v0.9.4|
|deny||Process Petition denial.||Require Approval For Enrollment is set||No||Denied||v0.9.4|
|sendApprovalNotification||Notify the enrollee that their Petition has been approved.||Require Approval For Enrollment is set||No||Approved||v0.9.4|
|finalize||If the Petition is not denied, assign identifiers and set person status to Active.||No||Finalized or Denied||v0.9.4|
|provision||If the Petition is finalized, provision services.||No||Finalized||v1.0.1|
* New Person/Role status set to Pending
Enrollment Flows support Plugins as a way of customizing beyond what is supported out of the box. See Writing Registry Plugins for more details.
Plugins are executed after the core step has completed, or if the step is considered Optional. When a Plugin is executed, handoff is via a URL. More details about this are in the Plugin Documentation. Because Plugins must be run one at a time, a specific ordering is defined in order to ensure predictability. For Registry v3.3.x and earlier, Plugins are executed alphabetically. For Registry v4.0.0 and later, Plugins are executed in the order defined in the Enrollment Flow Wedge configuration for the relevant Enrollment Flow. Once all Plugins have been run, the next step will be initiated.
Plugins are only executed for the steps documented here. "Internal" steps are not accessible to Plugins.
Firefox has a "feature" that limits the number of redirects that may be issued, to 20 by default. This is to work around potential looping situations, but unlike other browsers that perform actual loop detection, Firefox simply maintains a counter and stops when the limit is reached. Since enrollment flows are redirect based, this cause a problem when large numbers of steps execute without user intervention. The problem is made linearly worse when Enroller plugins are configured.
As a workaround (CO-1224), Registry will introduce a "splash page" with a meta refresh tag at the beginning of each step in order to reset the count. While this solves the problem in most instances, if you install a sufficient number of Enroller plugins (around 20 or so), you may see issues with Firefox interrupting the flow.