Documentation | Account Linking



Traditionally organizations have focused on maintaining user access accounts that are distinct and tightly integrated with the organization’s operational procedures. As organizations try to improve the customer experience, the need to provide online access to larger numbers of audiences with looser affiliation strains this operational practice.

Cirrus Account Linking provides solutions to manage access for these loosely affiliated end users without the need to provision new access accounts. By addressing complex access lifecycle issues, the Account Linking solution can allow access to:

Cirrus Account Linking is based on a few principles:

  1. End users use existing accounts that are appropriate for the services being accessed instead of creating new accounts
  2. Service providers differentiate between being able to authenticate and being authorized to access the service -- access is based on an organizational identifier the end user has been assigned
  3. The account an end user uses to accesses the organization’s services will change over time, but the organization can identify the end user based on one or more identifiers associated with the account


The Cirrus Account Linking service is built on top of the Cirrus Identity Provider Proxy and they work in tandem to enable access. This will lead to a deployment where the Proxy stands between the Service Providers and the Identity Providers. In general, any service provider and identity provider that supports SAML v2.0 or CAS can be accommodated by the Proxy. See the Proxy documentation for SP and IdP support details.

Account Linking also integrates with other Cirrus Services depending on the end user identity provider needs and desired implementation patterns. The solutions are:

  • Cirrus Discovery - Used to provide the discovery UI for the Proxy; Discovery is also InCommon/eduGAIN aware so it also enables linking federated identity providers
  • Cirrus Gateway - Used to enable linking of social login accounts (for example Google, Facebook, Microsoft, LinkedIn, or others)
  • Cirrus External Identity Provider - Used to provider a lightweight alternative identity provider of last resort to use for linking
  • Cirrus Invitation - Used to provide a sponsorship control for the linked accounts
  • Cirrus APIs - Used to integrate organization data sources with Cirrus Account Linking

Cirrus Account Linking is implemented using one of three base implementation patterns:

  1. Authentication Based Account Linking - The end user authenticates with an account the individual prefers, and that account is linked to an organizational identifier using one of several methods:

    1. By logging in to a secondary account -- traditionally the organization’s primary identity provider
    2. By using a knowledge based verification system which traditionally asks the end user a series of questions to establish the relationship to the organization
    3. By pre-provisioning the account linking information using Cirrus APIs to establish the relationship to the organization
  2. Request Based Account Linking - The organization sends an email based request that the end user claims by logging in with an account the individual prefers, in the process the account is linked to an organizational identifier using one of several methods:

    1. When the organization creates the request, the organizational identifier is attached to the request which is linked to the account at the time of claim
    2. When the end user claims the request and the organization is notified of the claim, the organization issues an organizational identifier to link to the account after the claim
    3. The organization leverages the unique ID that Cirrus creates at the time of claim as the identifier
  3. Self-Registration -- This is a separate add-on to Account Linking and is discussed here