Invitation | Email Address Handling

Objective

This solution describes how the email address is handled during the registration process of both the Cirrus Invitation Service and Cirrus Account Linking.

Background

Most configurations of both the Invitation and Account Linking products have a process flow as follows:

  1. The user is sent an email with a registration URL based on a request from the Invitation or Account Linking product

  2. The user clicks the registration URL or selects the URL and pastes it into a browser, and is taken to a Cirrus Identity page to accept the registration by logging in with a social identity provider

  3. The social provider releases attributes about the user to Cirrus Identity as part of the authentication assertion

  4. If needed, the user provides additional attributes that are not available from the social provider (see examples below)

  5. Cirrus Identity completes the registration by connecting the email address to the original Invitation or Account Linking request

During this process, the address that is used to send the email with the registration URL and the address that gets connected to the completed request should be treated as mutually exclusive. The reasons for this vary depending on the following scenarios:

  1. A user receives the email with the registration URL at a GMail address and registers it with Google as a social provider 

  2. A user receives the email with the registration URL at one address and registers it with a social provider associated with a different email address (for example the user receives the registration URL at their GMail address and logs in with Yahoo)

  3. A user receives the email with the registration URL at one address and registers it with a social provider that has email address as an optional attribute (for example Facebook) 

  4. A user receives the email with the registration URL at one address and registers it with a social provider that does not release email as an attribute (for example Weibo)

Scenario #1

  1. "Ted Thunder" receives an email with a registration URL at "ted.thunder@athena-institute.net" which is hosted by Google.

  2. Ted clicks the registration URL and is taken to the Cirrus Identity registration user interface (which looks very similar to the Cirrus Discovery Service).

  3. Ted picks "Google Login" and is taken through the standard Google authentication flow.

  4. The registration process proceeds directly to completion and the resulting email address is "ted.thunder@athena-institute.net".

Scenario #2

  1. "Ted Thunder" receives an email with a registration URL at "ted.thunder@athena-institute.net" which is hosted by Google.

  2. Ted clicks the registration URL and is taken to the Cirrus Identity registration user interface (which looks very similar to the Cirrus Discovery Service).

  3. Ted picks "Yahoo Login" and is taken through the Yahoo authentication flow.

  4. Ted will then be taken to the Cirrus Identity registration interface. Because Yahoo does not release name, the user must provide them. The email address (“ted@yahoo.com”) is editable, but if changed a verification process is triggered.

  5. When Ted completes the registration, the resulting email address is "ted@yahoo.com".

Scenario #3

  1. "Ted Thunder" receives an email with a registration URL at "ted.thunder@athena-institute.net" which is hosted by Google.

  2. Ted clicks the registration URL and is taken to the Cirrus Identity registration user interface (which looks very similar to the Cirrus Discovery Service).

  3. Ted picks "Facebook Login" and is taken through the Facebook authentication flow.

  4. Facebook will ask for release of attributes. If there is an email address available (for example “ted@gmail.com”), the registration process proceeds directly to completion and resulting email address is “ted@gmail.com”.

Scenario #4

  1. "Ted Thunder" receives an email with a registration URL at "ted.thunder@athena-institute.net" which is hosted by Google.

  2. Ted clicks the registration URL and is taken to the Cirrus Identity registration user interface (which looks very similar to the Cirrus Discovery Service).

  3. Ted picks "Weibo Login" and is taken through the Weibo authentication flow.

  4. Ted will then be taken to the Cirrus Identity registration interface. Because Weibo does not release email the user must provide one. The email address will default to the invited one (“ted.thunder@athena-institute.net”) but is editable. If it is changed, a verification process is triggered.

  5. When Ted completes the registration, the resulting email address is “ted.thunder@athena-institute.net” (assuming he did not change it and go through the validation process).