Documentation | Account Linking


Overview

Traditionally, organizations have focused on maintaining user access accounts that are distinct and tightly integrated with the organization’s operational procedures. As organizations try to improve the customer experience, the need to provide online access to larger audiences with looser affiliation strains this operational practice.

Cirrus Account Linking provides solutions to manage access for these loosely affiliated end users without the need to provision new access accounts. By addressing complex access lifecycle issues, the Account Linking solution can allow access to:

Cirrus Account Linking is based on a few principles:

  1. End users use non-enterprise accounts that are appropriate for the services being accessed (social login or another third-party identity provider) instead of creating new enterprise user accounts
  2. Service providers differentiate between being able to authenticate and being authorized to access the service -- access is based on an organizational identifier the end user has been assigned
  3. The account an end user uses to access the organization’s services will change over time, for example from social login, to enterprise login, and then back to social login. To streamline access across the lifecycle, the organization can identify the end user based on one or more enterprise identifiers associated with the account


The Cirrus Account Linking service is integrated with the Cirrus Identity Provider Proxy, and the two work in tandem to enable access. In this deployment the Proxy stands between the Service Providers and the Identity Providers. In general, any service provider and identity provider that supports SAML v2.0 or CAS can be accommodated by the Proxy. See the Proxy documentation for SP and IdP support details.

Account Linking also integrates with other Cirrus Services, depending on the end users’ identity provider needs and the desired implementation pattern. These services are:

  • Cirrus Discovery - Used to provide the discovery UI for the Proxy; Discovery is also InCommon/eduGAIN aware so it also enables linking federated identity providers
  • Cirrus Gateway - Used to enable linking of social login accounts (for example Google, Facebook, Microsoft, LinkedIn, or others)
  • Cirrus External Identity Provider - Used to provide a lightweight alternative identity provider of last resort to use for linking
  • Cirrus Invitation - Used to provide sponsorship control for the linked accounts
  • Cirrus APIs - Used to integrate organization data sources with Cirrus Account Linking

Cirrus Account Linking is implemented using one of three base implementation patterns:

  1. User Initiated Account Linking (Authentication Based) - The end user authenticates with an account the individual prefers (often a social login), and that account is linked to an organizational identifier using one of several methods:

    • By logging in with the organization’s primary enterprise identity provider
    • By using a knowledge-based verification system, which traditionally asks the end user a series of questions to establish the relationship to the organization
    • By pre-provisioning the account linking information using Cirrus APIs to establish the relationship to the organization
  2. Organization Initiated Account Linking - The organization typically makes an API call that triggers the Cirrus Invitation service to send an email to the user. Users click a unique URL in the email and land on a "claim" page where they see a list of login providers they can choose from (see Discovery Configuration for more information on choosing the list of providers). In the process, the account is linked to the organizational identifier using one of several methods:

    • When the organization creates the request, the organizational identifier is attached to the request which is linked to the account at the time of claim
    • When the end user claims the request and the organization is notified of the claim, the organization issues an organizational identifier to link to the account after the claim
    • The organization leverages the unique ID that Cirrus creates at the time of claim as the identifier
  3. Self-Registration -- This is a separate add-on that you can use with the Account Linking service and is discussed here
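The principles and the implementation patterns above describe the same underlying data structure: a mapping from externally asserted accounts to an organizational identifier, consulted at access time. The following is an added, illustrative model of that idea, not Cirrus Identity's code or API; the class and method names (`LinkRegistry`, `link_via_enterprise_login`, `claim`, `authorize`) and the identity provider URLs are constructed for the example. It shows the user-initiated pattern (linking by enterprise login or by pre-provisioning), the organization-initiated pattern (an invitation that carries the organizational identifier and is linked when claimed), the authenticated-versus-authorized distinction of principle 2, and the lifecycle of principle 3, where several accounts map to one identifier over time.

```python
"""Illustrative account-linking model (added example; not Cirrus Identity's
implementation or API). External accounts asserted by any identity provider
are linked to an organizational identifier, and a service's access decision
is made on that identifier, not on the mere fact of authentication."""
from dataclasses import dataclass, field
import secrets
import time


@dataclass(frozen=True)
class ExternalAccount:
    """A subject as asserted by one identity provider (social, federated or enterprise)."""
    idp: str      # issuer / entityID of the identity provider (constructed values in the demo)
    subject: str  # stable subject identifier asserted by that provider


@dataclass
class LinkRegistry:
    """Maps external accounts to organizational identifiers (hypothetical names throughout)."""
    enterprise_idp: str                              # the only IdP allowed to vouch for an org identifier
    links: dict = field(default_factory=dict)        # ExternalAccount -> organizational identifier
    invitations: dict = field(default_factory=dict)  # invitation token -> (org identifier, expiry time)

    # Pattern 1, user initiated: the user logs in with the preferred account and
    # with the enterprise IdP; the enterprise subject becomes the org identifier.
    def link_via_enterprise_login(self, external, enterprise):
        if enterprise.idp != self.enterprise_idp:
            return None  # a social or third-party IdP cannot establish an org identifier
        self.links[external] = enterprise.subject
        return enterprise.subject

    # Pattern 1, API method: the organization pre-provisions the link.
    def preprovision(self, external, org_id):
        self.links[external] = org_id

    # Pattern 2, organization initiated: the invitation carries the org identifier.
    def create_invitation(self, org_id, ttl_seconds=86400, now=None):
        token = secrets.token_urlsafe(32)  # unguessable; single use and time-limited below
        start = now if now is not None else time.time()
        self.invitations[token] = (org_id, start + ttl_seconds)
        return token

    def claim(self, token, external, now=None):
        """Consume the invitation (single use) and link the account the user chose
        on the claim page to the identifier attached when the invitation was created."""
        entry = self.invitations.pop(token, None)
        if entry is None:
            return None  # unknown or already used
        org_id, expires_at = entry
        if (now if now is not None else time.time()) > expires_at:
            return None  # expired; the token is discarded either way
        self.links[external] = org_id
        return org_id

    def unlink(self, external):
        self.links.pop(external, None)

    # Principle 3: over the lifecycle several accounts may map to one identifier.
    def accounts_for(self, org_id):
        return sorted((a.idp, a.subject) for a, o in self.links.items() if o == org_id)


# Principle 2: authenticated is not authorized. The service decides on the
# organizational identifier; a login with no linked identifier carries no entitlement.
def authorize(registry, external, entitled_org_ids):
    org_id = registry.links.get(external)
    if org_id is None:
        return "deny: authenticated but not linked to an organizational identifier"
    if org_id not in entitled_org_ids:
        return f"deny: {org_id} is not entitled to this service"
    return f"allow: {org_id}"


if __name__ == "__main__":
    # Constructed sample identity providers and subjects.
    reg = LinkRegistry(enterprise_idp="https://idp.example.edu/idp")
    social = ExternalAccount("https://accounts.google.com", "sub-1234")
    enterprise = ExternalAccount("https://idp.example.edu/idp", "jdoe")
    print(authorize(reg, social, {"jdoe"}))           # deny: not linked yet
    reg.link_via_enterprise_login(social, enterprise)
    print(authorize(reg, social, {"jdoe"}))           # allow: jdoe
    token = reg.create_invitation("emp-777", ttl_seconds=60, now=1000)
    other = ExternalAccount("https://login.microsoftonline.com", "abc")
    print(reg.claim(token, other, now=1010))           # emp-777
    print(reg.claim(token, other, now=1010))           # None: single use
```

Two points worth noting from the model: the invitation token is removed on first use whether or not the claim succeeds, so an expired token cannot be retried later; and `authorize` never looks at which identity provider authenticated the user, only at the organizational identifier the link yields, which is what lets the same entitlement follow a person from social login to enterprise login and back.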