Documentation | Invitation



Many organizations wish to limit external or guest access to users who have been explicitly "sponsored" by enterprise account holders. Sponsored accounts can address accountability and other compliance concerns. In most cases, this functionality ends up being a customization to existing administrative or identity management solutions that the organization must maintain over time.

Cirrus Invitation provides a solution to manage sponsorship of external access without the need to maintain the underlying systems. Invitation provides a lightweight workflow that allows sponsors to "invite" specific end users (designated as guests) and onboard them to an external login method using an email invitation. The external login methods supported are:

  • Social Login Providers such as Google, Facebook, Microsoft, LinkedIn, and others supported by the Cirrus Gateway
  • A customer-affiliated guest account provided by the Cirrus External Identity Provider
  • The Cirrus Identity hosted EduAccessID service
  • An account from a federated identity provider:
    • From an identity provider published in a public trust federation such as InCommon or one of the eduGAIN federations
    • From an identity provider published in a non-eduGAIN federation (metadata would have to be exchanged directly with Cirrus Identity Support)
    • From an unpublished identity provider where the metadata is directly exchanged with Cirrus Identity Support

Cirrus Invitation is based on a few principles:

  1. Sponsors are affiliated with the organization
  2. End users use external accounts that are appropriate for the services being accessed -- in most cases the accounts already exist but depending on the allowed login methods, a new account may need to be created
  3. For most deployment patterns, sponsors can be authenticated with the organization’s enterprise identity provider (the exception would be if invitations are being generated using Cirrus APIs)
  4. Sponsorship is a form of coarse-grained access control (authorization) -- the lack of a sponsor prevents access to one or more service providers

Invitation also integrates with other Cirrus Services depending on customer needs and desired implementation patterns. The solutions are:

  • Cirrus Discovery - Used to provide the claim discovery UI for the end user when claiming the invitation; Discovery is also generally used for service providers protected by Cirrus Invitation
  • Cirrus Gateway - Used to enable use of social login accounts (for example Google, Facebook, Microsoft, LinkedIn, or others)
  • Cirrus External Identity Provider - Used to provide a lightweight alternative identity provider of last resort to use for claiming the invitation
  • Cirrus Account Linking and Cirrus Identity Provider Proxy - Used to connect the sponsored end user to organizational identifiers for broader provisioning and access control support
  • Cirrus APIs - Used to trigger the generation of the sponsored invitation from a system external to Cirrus Invitation